A massive attack has been recorded on the network against home routers whose firmware uses the HTTP server implementation from Arcadyan. To gain control over the devices, the attackers use a combination of two vulnerabilities that allows remote execution of arbitrary code with root privileges. The problem affects a fairly wide range of ADSL routers from Arcadyan, ASUS and Buffalo, as well as devices sold under the brands Beeline (the problem is confirmed in the Smart Box Flash), Deutsche Telekom, Orange, O2, Telus, Verizon, Vodafone and other operators. It is noted that the problem has been present in Arcadyan firmware for over 10 years and in that time has made its way into at least 20 device models from 17 different manufacturers.
Of particular interest is the vulnerability CVE-2021-20090, which allows any script of the web interface to be accessed without authentication. The essence of the vulnerability is that some directories in the web interface, the ones that serve images, CSS files and JavaScript scripts, are accessible without authentication. The check for directories that may be accessed without authentication is performed against the initial mask, that is, the beginning of the path, and paths are allowed to contain the “..” characters to move to the parent directory. Note that the firmware blocks “../” in paths, but the combination “..%2f” is let through. As a result, protected pages can be opened by sending requests such as “https://192.168.1.1/images/..%2findex.htm”.
The second vulnerability, CVE-2021-20091, allows an authenticated user to change the device configuration by sending specially crafted parameters to the apply_abstract.cgi script, which does not check the parameters for a newline character. For example, when performing a ping operation, an attacker can put the value “192.168.1.2%0AARC_SYS_TelnetdEnable=1” in the field for the IP address to be checked, and the script, when creating the configuration file /tmp/etc/config/.glbcfg, will write the line “ARC_SYS_TelnetdEnable=1” into it. That line activates the telnetd server, which provides unrestricted access to a command shell as root. Similarly, setting an ARC_SYS parameter can be used to run arbitrary code on the system. The first vulnerability makes it possible to run the script without any authentication by addressing it as “/images/..%2fapply_abstract.cgi”.
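For defenders reviewing proxy or web-server logs in front of such devices, the following added example (not code from the article or from the Arcadyan firmware) flags both request patterns described above: a path that starts in an unauthenticated directory but resolves outside it once percent-decoded, and a CR/LF inside a submitted parameter. It also covers double-encoded separators, which goes beyond the single case in the text. The `/css/` and `/js/` directory names, the `ping_addr` field name and all function names are assumptions; the sample requests are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Static directories reachable without login. Only /images/ appears in the
# article; /css/ and /js/ are assumed names for the CSS and JavaScript dirs.
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")
CTRL = re.compile(r"[\r\n]")

def full_decode(s, rounds=3):
    """Percent-decode repeatedly so %2f and %252f both end up as '/'."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify(target, body=""):
    """Return a list of findings for one request target and optional form body."""
    findings = []
    raw_path, _, query = target.partition("?")
    prefix = next((p for p in PUBLIC_PREFIXES if raw_path.lower().startswith(p)), None)
    if prefix:
        # Resolve dot segments only after decoding, as the file lookup would.
        resolved = posixpath.normpath(full_decode(raw_path).replace("\\", "/"))
        if not (resolved + "/").lower().startswith(prefix):
            findings.append("auth-bypass-traversal -> " + resolved)
    # A CR/LF in a parameter value becomes an extra line in a key=value config file.
    if CTRL.search(full_decode(query)) or CTRL.search(full_decode(body)):
        findings.append("newline-in-parameter")
    return findings

# Constructed sample requests (not captured traffic); ping_addr is a hypothetical field.
SAMPLES = [
    ("/images/logo.png", ""),
    ("/images/icons/../logo.png", ""),
    ("/images/..%2findex.htm", ""),
    ("/images/..%2fapply_abstract.cgi",
     "ping_addr=192.168.1.2%0AARC_SYS_TelnetdEnable=1"),
    ("/index.htm", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, classify(target, body) or "ok")
```

A path such as `/images/icons/../logo.png` is not flagged because it still resolves inside the unauthenticated directory; only paths that escape it are reported.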
To exploit the vulnerability, an attacker must be able to send a request to the network port on which the web interface is running. Judging by the dynamics of the attack's spread, many operators leave access from the external network enabled on their devices to simplify problem diagnosis by support staff. When access to the interface is restricted to the internal network only, the attack can still be carried out from the external network using the “DNS rebinding” technique. The vulnerability is already actively used to connect routers to the Mirai botnet: