Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
Both teams’ entries were successful at the contest, and the vulnerabilities were disclosed to the vendor. Interestingly, the bug was also used by the Tenable team in their unsuccessful Pwn2Own attempt against the device. They, too, disclosed the bug to TP-Link, but their public report did not show that the bug could be exploited on the WAN interface. TP-Link released a firmware update in March that “Fixed some security issues” – including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild.
The bug itself is an unauthenticated command injection vulnerability in the locale API available via the web management interface. This endpoint allows a user to specify the form we want to call by specifying the query string form along with an operation, which is usually read or write. In this instance, we are interested in the write operation on the country form, which is handled by the set_country function. This function will call merge_config_by_country that concatenates the specified country field into a command string. This command string will be executed using the popen function. There is no sanitization of the country field, so an attacker can achieve command injection at this point.
This functionality is exposed on the LAN side of the router, as evidenced by both Team Viettel and Tenable targeting this functionality at the contest. However, the team from Qrious Security was able to exploit this vulnerability on the WAN interface of the router. They discovered a race condition issue related to iptable handling on the TP-Link’s WAN-side processing that would briefly expose this functionality on the WAN-side. This allowed them to chain the race condition weakness with the locale API command injection to gain code execution at the contest. According to TP-Link, both issues were resolved in the patch released on March 17.
Active Exploitation Details
Starting on April 11th, we began seeing notifications from our telemetry system that a threat actor had started to publicly exploit this vulnerability. You can see an example of the attack here:
Most of the initial activity was seen attacking devices in Eastern Europe, but we are now observing detections in other locations around the globe.
In this version of Mirai, the attackers utilize CVE-2023-1389 to make an HTTP request to the Mirai command and control (C2) servers to download and execute a series of binary payloads. These binary payloads are intended for various system architectures. This is one such request:
The binary payloads are downloaded and then executed using brute-force methodology to find the appropriate payload for the target system architecture.
Once the appropriate binary is found and the payload is installed, the host becomes fully infected and establishes a connection with the Mirai C2. Here’s a network trace showing this connection:
While analyzing some of the payloads, we determined that the threat actors are encrypting strings using 0x00 and 0x22 as XOR keys. Unencrypting these strings revealed some of the capabilities and configuration details that correspond with known Mirai indicators.
Part of the plaintext configuration reveals the Mirai bot attack functions, which can be found in Mirai’s source code. For example:
Among the interesting functions is a TSource Engine Query attack functionality. This can be used to launch a Valve Source Engine (VSE) distributed denial-of-service (DDoS) attack against game servers.
The unencrypted strings reveal further configuration details about this Mirai bot. These include specific User-Agent strings and server headers, such as cloudflare-nginx and dosarrest. These allow the bot to imitate legitimate traffic, making it more difficult to separate DDoS traffic from legitimate network traffic.
Indicators of compromise
The following hashes and other data were detected as being used by this exploit:
Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing “time-to-exploit” speed that we continue to see across the industry. That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in an enterprise. Looking back at this CVE, it was also interesting to see it being discovered independently by multiple teams in preparation for the Pwn2Own Toronto contest. Each team used different techniques to discover this vulnerability along with distinctive approaches to how they went about exploiting it. We would like to thank all the teams at the Pwn2Own contest for finding and disclosing these critical-class issues. It truly demonstrates the value of the contest, especially in the realm of home and small office devices. Finally, we would like to acknowledge the efforts TP-Link exhibited in developing and deploying a patch. Applying this patch is the only recommended action to address this vulnerability, and we recommend all users of the TP-Link Archer AX21 Wi-Fi router apply it as soon as possible.
Our threat hunting team continues to seek and find exploits being used in the wild, and we’ll publish details on some of these discoveries in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
Blog post Zero Day Initiative – Blog