The issue is resolved in RT-AX56U firmware version 1.0.3.3 from February 12, 2017. An attacker can access the user profile configuration function by sending an HTTP request with malicious data. In the case of RT-AX56U, the value of “User 1” is “\x01\x57\x57\x57\x57\x57”, which is a length of 53 bytes. An attacker can send an HTTP request with a length longer than 53 bytes, which will result in a buffer overflow. If the length of the data is shorter than 53 bytes, then RT-AX56U will respond with an error code. The attacker can send the same data with one byte different and the same length, and the response will be valid. The following PoC code will result in a buffer overflow in RT-AX56U:

HTTP/1.1 302 Found
Location: http://192.168.1.1:8080/user/register
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Host: 192.168.1.1:8080

RT-AX8U firmware version 1.0.0-1.0.2

The issue is resolved in RT-AX8U firmware version 1.0.2 from February 12, 2017. An attacker can access the user profile configuration function by sending a request with malicious data. The following PoC code will result in a buffer overflow in RT-AX8U:

HTTP/1.1 302 Found
Location: http://192.168.1.1:8080/user/register
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Host: 192.168.1.1:8080

RT-N16 (New)

The issue is resolved in RT-N16 firmware version 1.1.2 from March 1, 2017. An attacker can access the user profile configuration function by sending an HTTP request with malicious data. In the case of RT-N16, the value of “User 1” is “\x01\x57\x57\x57\x57\x57”, which is a length of 53 bytes. An attacker can send an HTTP request with a length longer than 53 bytes, which will result in a buffer overflow. If the length of the data is shorter than 53 bytes, then RT-N16 will respond with an error code. The attacker can send the same data with one byte different and the same length, and the response will be valid. The following PoC code will result in a buffer overflow in RT-N16:

HTTP/1.1 302 Found
Location: http://192.168.1.1:8080/user/register
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Host: 192.168.1.1:8080

Timeline

Published on: 04/07/2022 19:15:00 UTC
Last modified on: 04/14/2022 20:39:00 UTC

References