blog Ndays

ASUSWRT URL Processing Stack Buffer Overflow

While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending the length of the URL when accessing the web interface of the ASUS Router
cExplr
cExplr
ASUSWRT URL Processing Stack Buffer Overflow

This linked blog post (written by me) details the Stack Buffer Overflow bug and how to exploit it and getting RCE.

While processing the URL for any blacklisted XSS list like the script tag in the check_xss_blacklist function, a stack buffer overflow is possible by extending the length of the URL when accessing the web interface of the ASUS Router. To exploit it, stack pivoting technique is used before chaining up ROP gadgets to call our own custom command. In this post, we show how this can be exploited to get a reverse shell.

This vulnerability exists in routers that are using ASUSWRT 3.0.0.4.384.20308 (2018/02/01), and for our purposes, we used the RT-AC88U.

Click here to get to the blogpost.

cExplr
Written by

cExplr

I was working previously as a Security Researcher at STARLabs Singapore and am currently looking to do Malware Analysis / Threat Hunting as well!

You may also like...

blog Ndays

A Case Study of an Incorrect Optimization in V8

A presentation showing how it is possible for incorrect optimizations in the JIT (Just-In-Time) engine to lead to out of bound read and write

cExplr
cExplr
blog Ndays

Command Injection in Archer A7 (CVE-2020-10882)

This post provides detailed analysis and an exploit achieving remote code execution for CVE-2020-10882

cExplr
cExplr