Mercusys MW325R MW325R(EU)_V3_1.11.0 Build 221019(Multi-language) - CVE-2023-46297

#mercusys #cve #UARTshell #HardwareHacking #LanguageSwitch
Last Modified: 2024.06.02.

Advisory

Story

I went to a local store to buy some targets. I found a cheap Mercusys (MW325R EU V3) router; after some googling in the shop, I realized there are not many Mercusys vulnerabilities. It was a challenge, and I accepted it. It was a funny and interesting reverse engineering project. On the first day, I found a funny vulnerability on the login page; at first I had no idea what the problem was. With my new HW hacking tools, I obtained a "root" shell on the device, and I figured out the root cause of the vulnerability. I was a little bit surprised because of the operating system. It was not a Linux operating system, it was custom-made stuff: a MiniFS filesystem, no "classic" programs, and a special debugging menu with special programs. It was new to me, and I was sure I would enjoy it.

I found multiple vulnerabilities during the reverse engineering process, and I reported them to the Vendor. In this part, I will focus on CVE-2023-46297 only.

Vulnerability Description

An attacker can make the admin interface "unreachable/invisible" with a single unauthenticated HTTP request. The data sent by the user is not validated. The web server does not crash, but the admin interface is no longer visible, because the files needed to display its content become unavailable. A reboot of the router is required to restore the correct behavior. It is also possible to restore it with another request, but for this the vulnerability must be known.

I have published the technical details via vsociety: https://www.vicarius.io/vsociety/posts/mercusys-mw325r-reverse-engineering-part-1-root-shell-cve-2023-46297.

Disclosure timeline

  • 2023.10.17 - Vulnerability report sent to Mercusys.
  • 2023.10.18 - Mercusys sent a response. They started working on it.
  • 2023.10.22 - I got the following CVE number from MITRE: CVE-2023-46297.
  • 2023.11.01 - Mercusys sent a test firmware. (It means they reproduced the issue.)
  • 2023.11.04 - I checked the fix and it worked. I sent an update to Mercusys.
  • 2023.11.04 - 2024.02.15 - Multiple discussions with the vendor. (CVE requested: CVE-2023-46297)
  • 2024.05.29 - Publishing

© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved