seth_space
Regular Contributor
Read this report:
http://securityevaluators.com/content/case-studies/routers/soho_techreport.pdf
AC66U and N56U are in the list.
ASUS RT-AC66U. For the ASUS RT-AC66U, we demonstrate how insufficient bounds checking and the inability to disable
network services allowed us to execute arbitrary code with the same permissions as the vulnerable application.
From its hardened state, with or without USB storage attached, the RT-AC66U runs an ACSD system configuration service
on port TCP/5916.
1. The ACSD service runs by default, and cannot be disabled (no CVE cataloged).
2. The ACSD service is vulnerable to multiple buffer overflow attacks during the command processing routine
(CVE-2013-4659). An attacker can connect to the ACSD service and submit a command string that is larger
than the program’s fixed length buffer, corrupt the call stack, and change the execution flow of the program by
overwriting adjacent memory. The result is the execution of attacker-controlled code.
For the attack to succeed we utilize return oriented programming (ROP) to avoid stack randomization and MIPS system
cache incoherency. In order to create a coherent data cache, our payload utilizes a call to a blocking function, sleep(),
which effectively pauses program execution and gives CPU cycles to other executing system processes. When the sleep()
function returns, the MIPS CPU flushes the data cache and continues program execution. Finally, we direct the program's
execution to our custom shellcode that starts an unauthenticated Telnet server by calling the system() function located
in the standard C library.
Please refer to our vulnerability database for the python proof-of-concept attack script and commented disassembly of
the custom MIPS shellcode used in this exploit.
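The report's second finding is the classic fixed-length-buffer defect: a command string longer than the buffer overwrites adjacent stack memory. The following is an added example, not code from the ISE report or from ASUS firmware, showing a toy command-processing routine with that defect beside a hardened version that measures the input before copying it. The buffer size, function names and the "status" command are assumptions made for illustration only.

```c
/* Added example (not from the ISE report or the ASUS firmware): a toy
   "command processing" routine of the kind the report describes, shown
   first with the defect (unbounded copy into a fixed stack buffer) and
   then hardened with an explicit length check. All names and sizes here
   are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_BUF_SIZE 64   /* assumed fixed-length buffer, as in the report's description */

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_UNKNOWN = -2 };

/* Defective pattern: the command is copied into a fixed-size stack buffer
   with no check against its length, so a command longer than the buffer
   overwrites the adjacent stack, including the saved return address.
   It is shown only to illustrate the bug; call it only with input that fits. */
int handle_command_unchecked(const char *cmd)
{
    char buf[CMD_BUF_SIZE];
    strcpy(buf, cmd);               /* no bound: the overflow the report describes */
    if (strcmp(buf, "status") == 0) return CMD_OK;
    return CMD_UNKNOWN;
}

/* Hardened pattern: check the input length against the buffer first and
   refuse anything that does not fit, then copy with an explicit bound and
   a guaranteed NUL terminator. The stack buffer can no longer be overrun. */
int handle_command_checked(const char *cmd, size_t cmd_len)
{
    char buf[CMD_BUF_SIZE];
    if (cmd_len >= sizeof buf)      /* leave room for the NUL terminator */
        return CMD_TOO_LONG;
    memcpy(buf, cmd, cmd_len);
    buf[cmd_len] = '\0';
    if (strcmp(buf, "status") == 0) return CMD_OK;
    return CMD_UNKNOWN;
}

/* Constructed check: feed the hardened handler a 199-byte command, far
   larger than CMD_BUF_SIZE, and report whether it was refused. */
int oversized_command_rejected(void)
{
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    return handle_command_checked(oversized, strlen(oversized)) == CMD_TOO_LONG;
}

int main(void)
{
    printf("short command: %d\n", handle_command_checked("status", 6));
    printf("oversized command rejected: %d\n", oversized_command_rejected());
    return 0;
}
```

The defended version also takes the length as a separate parameter rather than trusting a terminator inside the received bytes, which is the usual shape when the command arrives from a socket read.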