漏洞平台

POC详情： f7fd92231bdd66820fe3b890bb4f6f74ec91769a

来源

https://github.com/tin-z/CVE-2023-35086-POC

关联漏洞

标题： ASUS RT-AX56U 格式化字符串错误漏洞 (CVE-2023-35086)
描述：ASUS RT-AX56U是中国华硕（ASUS）公司的一款无线路由器。 ASUS RT-AX56U V2和RT-AC86U存在格式化字符串错误漏洞，该漏洞源于存在格式字符串漏洞，未经身份验证的远程攻击者可以利用该漏洞在没有权限的情况下执行远程任意代码执行、任意系统操作或中断服务。

描述

POC of CVE-2023-35086 only DoS

介绍

# CVE-2023-35086-POC
> July 25 2023, Altin (tin-z), github.com/tin-z

---

## Brief description ##

ASUS RT-AX56U V2 & RT-AC86U router firmwares below or equal to version 3.0.0.4.386_50460 and 3.0.0.4_386_51529 respectively have a format string vulnerability in the detwan.cgi function of the httpd service that can cause code execution when an attacker constructs malicious data. The vulnerability affects also other ASUS devices using httpd service. Read here for more [details](#details).


references:
 * [mitre report](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-35086)
 * [cve.report](https://cve.report/CVE-2023-35086)


## Poc ##


The vulnerability permits achieving RCE, meanwhile the PoC only achieves DoS, mainly because the firmware was emulated with QEMU and so the stack is different from the real case device. Prerequisites:
 - The value of 'Referer' header should contain the target's address

[poc_crash.py](./poc_crash.py)

```
virtualenv --python=python3 .venv
source .venv/bin/activate
pip install hexdump

python poc_crash.py --HOST 127.0.0.1 --PORT 12234 --test
# output expected: [+] Target supports detwan.cgi


python poc_crash.py --HOST 127.0.0.1 --PORT 12234 --dos
```

![poc.gif](./img/poc.gif)


<br/>

## details ###

The vulnerability is triggered by doing GET or POST to uri `/detwan.cgi` and giving a special format string as argument to `action_mode` HTTP parameter.

By opening httpd binary in ghidra we can see the string "do_detwan_cgi" referenced by address `0x492c4`

![t1.jpg](./img/t1.jpg)

The decompiler breaks down the function without showing everything, but the interesting points are already there:
 - `FUN_0001b70c` extracts the parameter `action_mode`
 - `logmessage_normal` is an external function exposed by libshared

![t2.jpg](./img/t2.jpg)


The source code of `logmessage_normal` can be found in the asuswrt-merlin firmware, specifically in the file `asuswrt-merlin/release/src/router/shared/misc.c`, and as can be noted, it saves `action_mode`'s content inside the local variable `buf`, which in turn is used on `syslog` call

![t3.jpg](./img/t3.jpg)


The libc `syslog` supports format strings so here's the root of the vulnerability

![t4.jpg](./img/t4.jpg)

文件快照


 [4.0K]  /data/pocs/f7fd92231bdd66820fe3b890bb4f6f74ec91769a
├── [4.0K]  img
│   ├── [1.3M]  poc.gif
│   ├── [188K]  t1.jpg
│   ├── [ 81K]  t2.jpg
│   ├── [ 63K]  t3.jpg
│   └── [ 14K]  t4.jpg
├── [2.7K]  poc_crash.py
└── [2.2K]  README.md

1 directory, 7 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。