Posts with the tag notes research cve:

Info Leak / DoS Conditions in Asus Advanced OpenVPN

Asus, back at it again with the format strings - CVE-2023-41349

Last year I came across some weird format string issues in Asus’s “Advanced OpenVPN Configuration” functionality. I sent the bugs to Asus for a fix on 2023/05/15, around the same time I submitted a few other exploitable DoS conditions. I never heard back about the CVE assignment and remembered today, nearing a year later. Anyway, here are the details: these ones are pretty funny because they not only DoS’d the VPN service, they straight up power cycled the device LOL.

Unauthenticated DoS Conditions in Asus httpd

Recently I came across a few exploitable DoS conditions in Asus httpd while doing some fuzzing. Although these aren’t the most impactful bugs (the Asus watchdog process restarts httpd any time it detects a crash), they can be exploited unauthenticated. Also, even though the watchdog restarts the service, it remains possible to just continue sending DoS requests, crashing it as soon as it restarts, lol.

First up, CVE-2023-34358