CVE-2021-3254: kaisersource.github.io/2021-01-22-dsl-n14u.md at main · kaisersource/kaisersource.github.io

layout

title

date

comments

categories

post

Persistent crash of services after TCP SYN scan

2021-01-22

true

vulnerability

Affected products

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

    DSL-N14U_B1 V.1.1.2.3_805

Overview

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 device. Remote attacker to cause a denial of service (crash) by performing a SYN scan using a tool such as nmap. Sending these packets causes a persistent outage of the jetdirect (9100/tcp), LPD (515/tcp) and sos (3838/udp) services.

POC

This PoC can crash services.

##Stage 1: Enumeration

##Stage 2: Upload test

We enter the router via ssh to understand through the proc file system what’s going on.

As shown in the figure, we can see some active services and their port in hexadecimal format. Those that interest us are basically jetdirect LPD (i.e. 238C and 0203 in hex)

##Stage 3: Showdown

We run nmap by inserting an additional script with a moderate degree of intrusion.

The script retrieves or sets the “ready message” on devices that support the Printer Job Language.

sudo nmap -sV --script pjl-ready-message

Once this is done, we immediately notice differences in the proc file system.

As a counter check, we show the status of services before and after running nmap via netstat -tulen (busybox doesn’t support -p, which is why we work on the proc file system inside the router).

In the latest two figures we show proc file system effects in a comprehensive way

If we had an eye previously, we have seen well, not just two ocurrencies related to printing services crashed… an additional service disappeared: sos service (3838 / tcp) - Scito Object Server

The situation will persist as long as the modem router is active. The services will be active again only with a physical intervention (reboot)