
CVE-2023-35086 PoC — ASUS RT-AX56U V2 & RT-AC86U - Format String -1

Associated Vulnerability
Title:ASUS RT-AX56U V2 & RT-AC86U - Format String -1 (CVE-2023-35086)
Description: A format string vulnerability has been identified in ASUS RT-AX56U V2 & RT-AC86U. It is caused by directly using input as the format string when calling syslog in the logmessage_normal function, in the do_detwan_cgi module of httpd. A remote attacker with administrator privilege can exploit this vulnerability to perform remote arbitrary code execution, arbitrary system operation or disrupt service. This issue affects RT-AX56U V2: 3.0.0.4.386_50460; RT-AC86U: 3.0.0.4_386_51529.
Description: PoC of CVE-2023-35086 (DoS only)
Readme:
# CVE-2023-35086-POC
> July 25 2023, Altin (tin-z), github.com/tin-z

---

## Brief description ##

ASUS RT-AX56U V2 & RT-AC86U router firmware versions up to and including 3.0.0.4.386_50460 and 3.0.0.4_386_51529 respectively have a format string vulnerability in the detwan.cgi handler of the httpd service that can lead to code execution when an attacker supplies crafted data. The vulnerability also affects other ASUS devices that use the same httpd service. Read here for more [details](#details).


References:
 * [MITRE report](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-35086)
 * [cve.report](https://cve.report/CVE-2023-35086)


## PoC ##


The vulnerability allows RCE, but this PoC only achieves a DoS, mainly because the firmware was emulated with QEMU, so the stack layout differs from that of a real device. Prerequisites:
 - The value of the 'Referer' header must contain the target's address

[poc_crash.py](./poc_crash.py)

```bash
virtualenv --python=python3 .venv
source .venv/bin/activate
pip install hexdump

python poc_crash.py --HOST 127.0.0.1 --PORT 12234 --test
# output expected: [+] Target supports detwan.cgi


python poc_crash.py --HOST 127.0.0.1 --PORT 12234 --dos
```

![poc.gif](./img/poc.gif)


<br/>

## Details ##

The vulnerability is triggered by sending a GET or POST request to the URI `/detwan.cgi` with a crafted format string as the value of the `action_mode` HTTP parameter.

Opening the httpd binary in Ghidra, the string "do_detwan_cgi" is referenced at address `0x492c4`.

![t1.jpg](./img/t1.jpg)

The decompiler breaks down the function without showing everything, but the interesting points are already there:
 - `FUN_0001b70c` extracts the parameter `action_mode`
 - `logmessage_normal` is an external function exposed by libshared

![t2.jpg](./img/t2.jpg)


The source code of `logmessage_normal` can be found in the asuswrt-merlin firmware, specifically in the file `asuswrt-merlin/release/src/router/shared/misc.c`. As can be seen there, it copies the content of `action_mode` into the local variable `buf`, which is then passed directly to the `syslog` call.

![t3.jpg](./img/t3.jpg)


The libc `syslog` function interprets its message argument as a printf-style format string, so passing attacker-controlled data in that position is the root cause of the vulnerability.

![t4.jpg](./img/t4.jpg)
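To make the root cause concrete from a defender's side, here is an added C example (not code from this repository or from the asuswrt-merlin source) that puts the vulnerable shape next to the hardened one and adds a small audit helper. The `sink()` function is an assumed stand-in for `syslog()` that writes to a buffer so the example runs offline; only the well-defined `%%` directive is used as input, because that is enough to show that the text is being interpreted rather than logged verbatim.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): formats into `out` instead of the system log so the
 * example can run anywhere. It deliberately has no format attribute, which is
 * also why the compiler stays silent about the unsafe call below. */
static void sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape, modelled after the page's description of logmessage_normal:
 * the request parameter itself becomes the format string. Anything other than
 * "%%" in the input makes this call undefined behaviour. */
const char *log_unsafe(char *out, size_t n, const char *user_text)
{
    sink(out, n, user_text);
    return out;
}

/* Hardened shape: the format is a literal and the user text is plain data. */
const char *log_safe(char *out, size_t n, const char *user_text)
{
    sink(out, n, "%s", user_text);
    return out;
}

/* Audit helper: count printf conversion directives in text that is about to be
 * logged. "%%" is a literal percent sign and is not counted. A non-zero count
 * on an HTTP parameter that reaches a logging sink is worth alerting on. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    char line[64];
    const char *param = "100%% done";    /* constructed sample parameter value */

    printf("unsafe : %s\n", log_unsafe(line, sizeof line, param));
    printf("safe   : %s\n", log_safe(line, sizeof line, param));
    printf("directives in \"%%08x %%08x\": %d\n",
           count_format_directives("%08x %08x"));
    return 0;
}
```

With the hardened version the log line keeps the input byte-for-byte (`100%% done`), while the vulnerable version already rewrites it to `100% done`, proving the data is being parsed as a format. In the real binary the sink is glibc's `syslog()`, which is declared with a printf format attribute, so compiling the firmware code with `-Wformat -Wformat-security` flags the `syslog(LOG_NOTICE, buf)` call; the same check is the cheapest way to catch this bug class in other handlers.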




File Snapshot

```
[4.0K] /data/pocs/f7fd92231bdd66820fe3b890bb4f6f74ec91769a
├── [4.0K] img
│   ├── [1.3M] poc.gif
│   ├── [188K] t1.jpg
│   ├── [ 81K] t2.jpg
│   ├── [ 63K] t3.jpg
│   └── [ 14K] t4.jpg
├── [2.7K] poc_crash.py
└── [2.2K] README.md

1 directory, 7 files
```