CVE-2018-8879

Vulnerability

A stack-based buffer overflow vulnerability exists in the blocking.asp page of ASUSwrt-Merlin firmware for ASUS devices older than version 384.4 and ASUS firmware before version 3.0.0.4.382.50470. The flaw is triggered by providing an excessively long string to the flag, mac, or cat_id parameters via a GET or POST request. No authentication or special configuration is required for the vulnerable code path to be reachable [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP GET or POST request to the blocking.asp endpoint of an affected device. The attacker must be able to reach the device's web interface over the network. The long string supplied to the flag, mac, or cat_id parameter overflows a fixed-size stack buffer, overwriting adjacent memory. No user interaction beyond the request is needed [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the target device with the privileges of the web server (typically root). This grants full control over the router, enabling actions such as modifying network traffic, exfiltrating data, or pivoting to internal networks [1].

Mitigation

The vulnerability is fixed in ASUSwrt-Merlin firmware version 384.4 and ASUS stock firmware version 3.0.0.4.382.50470. Users should update to these or later versions. No workarounds are available for unpatched devices [1].