Nasty httpd exploit - CVE-2017-12754

[bsdsource]

This httpd exploit had been known since 08/09/2017. Can we get a fix for this immediately!

https://nvd.nist.gov/vuln/detail/CVE-2017-12754#vulnDescriptionTitle

https://github.com/coincoin7/Wirele...b/master/Asus_DeleteOfflineClientOverflow.txt

 

[martinr]

This httpd exploit had been known since 08/09/2017. Can we get a fix for this immediately a fix for this immediately!

https://nvd.nist.gov/vuln/detail/CVE-2017-12754#vulnDescriptionTitle

https://github.com/coincoin7/Wirele...b/master/Asus_DeleteOfflineClientOverflow.txt

Time and again in this forum we are told never to allow WAN access to the router's GUI. And the default installation setting indeed has it set to NO.

And remember Merlin generously makes his firmware available to us all and asks for nothing in return (but one is always free to make a donation). So perhaps "Can we get a fix for this immediately!" might have been phrased better.

 

[Vexira]

This httpd exploit had been known since 08/09/2017. Can we get a fix for this immediately!

https://nvd.nist.gov/vuln/detail/CVE-2017-12754#vulnDescriptionTitle

https://github.com/coincoin7/Wirele...b/master/Asus_DeleteOfflineClientOverflow.txt

I think you mean could you please fix the issue I would be very grateful if you are able to.

 

[RMerlin]

This httpd exploit had been known since 08/09/2017.

And the person who discovered it was too irresponsible to bother contacting the software developer about it and instead chose to get his 5 mins of fame by publishing it in the wild. This is the first time I heard about this issue.

Responsible disclosure is a dying skill among the so-called security domain it seems.

 

[john9527]

And he used an old code level 380_3489 so he could take advantage of an exploit to gain access that has been fixed for several months now, without noting that the entry exploit was no longer valid.

EDIT: And just for info, this CVE is not applicable to my LTS fork.

 

[RMerlin]

I have forwarded the info to Asus so they can take care of it upstream. I'll look at it myself later when I have the time.

As John said, active exploitation of this requires TWO different vulnerabilities: one to hijack the session, and one to trigger the buffer overrun. So it's not easily exploitable if you are running 380.68/380_7443.

 

[bsdsource]

I think you mean could you please fix the issue I would be very grateful if you are able to.

I made my $50.00 recent donation. I have the right to request at least one immediate fix. Plus I point out code issues on github. Anyways me and RMerlin go way back. RMerlin pretty much owes me his RT-AC3200 at this point.

Edit: azdps like this.

 

[martinr]

.....I made my $50.00 recent donation. I have the right to request at least one immediate fix......

Make that $100 and you can request an instantaneous fix.

 

[Vexira]

I made my $50.00 recent donation. I have the right to request at least one immediate fix. Plus I point out code issues on github. Anyways me and RMerlin go way back. RMerlin pretty much owes me his RT-AC3200 at this point.

still doesnt mean that you cant be polite about it.

 

[RMerlin]

RMerlin pretty much owes me his RT-AC3200 at this point.

Doubt it unless you're an Asus employe - they're the one that sent me one.

 

[RMerlin]

Make that $100 and you can request an instantaneous fix.

...just no. Donations are entirely voluntary, and only for existing work. I've made it a policy not to do paid-for requests or provide paid-for support. I have a daytime job with customers entitled to make requests out of me, this project shall remain a hobby.

 

[Vexira]

...just no. Donations are entirely voluntary, and only for existing work. I've made it a policy not to do paid-for requests or provide paid-for support. I have a daytime job with customers entitled to make requests out of me, this project shall remain a hobby.

Well we are all grateful for the time and hard work you put into this project.

 

[martinr]

...just no. Donations are entirely voluntary, and only for existing work. I've made it a policy not to do paid-for requests or provide paid-for support. I have a daytime job with customers entitled to make requests out of me, this project shall remain a hobby.

I was being facetious, but you know that, of course. "Generous", when describing your freely making available your firmware, really was an understatement.

 

[Eric Lieb]

...just no. Donations are entirely voluntary, and only for existing work. I've made it a policy not to do paid-for requests or provide paid-for support. I have a daytime job with customers entitled to make requests out of me, this project shall remain a hobby.

This right here! Hell it is almost the same as kickstarters and other gofundme type campaigns... There is no real guarantee you will get anything for your money, you give the money because you support the project and want to see it continue.

 

[martinr]

This right here!..... you give the money because you support the project and want to see it continue.

True, but I'd go further and expand: it's not just that Merlin makes his "hobby" firmware available to everyone, but that he develops it for a range of models. Not only that, he's always there replying to posts on this forum, and not just this one: you go on the sister forums and see he's active there too. In fact, if you look at his profile and see how many posts he's made and then work out how many years he's been a member, convert that to days and work out the daily posting rate, you can't help re-doing the maths in disbelief. All that as well as holding down a day job and having gone through a period of ill health. His State-of-the-Project posting illustrates the amount of work all this takes.

So it's not just that we support the project and want to see it continue, but that we deeply appreciate the tremendous effort and sacrifices it takes.

 

[Makaveli]

Doubt it unless you're an Asus employe - they're the one that sent me one.

So he is basically making things up.

Credibility down the drain!