Info Leak / DoS Conditions in Asus Advanced OpenVPN

Asus, back at it again with the format strings - CVE-2023-41349

Last year I came across some weird format string issues in Asus’s “Advanced OpenVPN Configuration” functionality. I sent the bugs to Asus for a fix on 2023/05/15, around the same time I submitted a few other exploitable DoS conditions. I never heard back about the CVE assignment and remembered it today, nearly a year later. Anyway, here are the details– these ones are pretty funny because they not only DoS’d the VPN service, they straight up power cycled the device LOL.

External Recon, Discovery Notes

Had a few questions lately at work about recon– what it looks like, how people do “discovery”, and what that entails. There are some awesome posts like this one and this one which have great resources, so I usually send these over to people along with various tips and tricks. Through the years though, some of my favorite resources haven’t stood the test of time and now 404 or time out. So, I’ll now add to the information vacuum.

Unauthenticated DoS Conditions in Asus httpd

Recently I came across a few exploitable DoS conditions in Asus httpd while doing some fuzzing. Although these aren’t the most impactful bugs (the Asus watchdog process restarts httpd anytime it detects a crash) they can be exploited unauthenticated. Also, even though the watchdog restarts the service, it remains possible to just continue sending DoS requests, crashing it as soon as it restarts, lol.

First up, CVE-2023-34358

Stored XSS in Asus Custom User Icons

CVE-2023-34360 - Stored XSS in Custom UserIcons

Whenever I get really bored I just turn back to my little Asus routers and say “buggo create-o” and invariably I find some sort of issue. Today I’m writing about some stored XSS I came across, receiving CVE-2023-34360. I stumbled across some functionality recently that I didn’t realize was functionality– after clicking around a bit I clicked one of the little device icons and was surprised to find a file upload form:

Now, another kind of arm...

ARM… wait no, an arm! For the last 15 years I’ve identified myself as a climber– a boulderer at heart. I’ve spent a significant amount of my life pebble wrestling, with a good bit of sport climbing mixed in. Things changed this past September when I hit a not-so-rad jump on my mountain bike and got a grade 5 AC separation– oops. This could be considered a catastrophic injury for a person such as myself to face.

vsftpd

vsftpd Fuzzing

Placeholder for some vsftpd fuzzing notes

Asus, Qemu, AFL++ Notes

This post is just a collection of my notes and experiences reversing, compiling and emulating Asus proprietary and Asuswrt-Merlin software, on an Ubuntu 20.04 box. It’s a bit of a pain really, I thought it would be pretty easy but everything’s been an issue, which is also what makes it sorta fun.

Worked primarily with https://github.com/RMerl/asuswrt-merlin.ng for the RT-AX88U router, but some binaries are just closed-source :/

Pfsense Update

Homelab pfsense Update

This past year I purchased a permanent location for my networking gear– it also happened to come with bathrooms, bedrooms and a kitchen, which were all a plus. I’ve been fortunate to be able to buy a home and one of my dreams as a kid was to be able to have a cool “home lab”. While I’ve had a bit of a lab, it’s been getting upgraded since moving and I found myself running a pfsense / pfblockerng setup at the suggestion of my friend Outrun207.

Stored XSS & Authenticated RCE in Asus httpd

My whole perspective on “modern appliances” changed within the last few years, and I’ve started to look at things with a different mindset. In the past I’ve avoided anything “smart” because I didn’t want it on my home network. Perhaps the utility of some of them slowly won me over (read: neat stuff they do), but these days if I’m looking to buy something, most of the time it gets bonus points for being “smart”. I just want to take them home, connect them to my lab wifi and hack them. For instance, we just got a smart humidifier. What the hell? Why would they make that? Convenience I guess, but it’s awesome and I can’t wait to scan it.

SLAE32

Below are my old blog posts for the SLAE32 ‘certification’.

Task 1: ASM TCP Bind Shell

Requirements:
Binds to a port
Executes a shell on incoming connection
Port should be ‘easily’ configurable

I wrote a C bind shell based off of other posts in order to better understand the requirements. In actuality, I wrote multiple as I found better ways of writing the same code, as one does. My final C file is below: