Download Master, pt 2 Alright so here are the fun ones: command injections and buffer overflows. Command Injections - CVE-2024-31162 URL Path parameters are not sanitized prior to their inclusion within system() calls, resulting in the ability for authenticated users to perform command injection attacks. The following action_mode values lead to unsafe system calls via the listed parameters: DM_ED2K_ADD ED2K_SERVER_IP and ED2K_SERVER_PORT DM_ED2K_REM ED2K_SERVER_IP and ED2K_SERVER_PORT DM_ED2K_CON ED2K_SERVER_IP and ED2K_SERVER_PORT DM_LANG

Asus, the gift that keeps on giving (cves) something something a cve horse in the mouth Remember back in the early 2000s, when download managers were all the rage? Well, turns out in 2024 Asus still has a product, aptly named “Download Master”. This “app” installs to a USB device on your router. As it turns out, it’s actually a full on linux environment running busybox… that’s installed onto your USB stick, lol.