Full Report
ONEKEY has recently created an automated scanner for scripting languages and compiled binaries. To start with, it supports the Python and PHP scripting languages with various bug classes, such as command injection, path traversal and many others. This analysis tool led to the discovery of 15 critical bugs across 6 different vendors. All of these will be fixed except for an Asus NAS bug, since that device has been EOL'ed. It seems they gave the tool the firmware of the device and it was able to magically discover bugs. Pretty neat! While parsing cookies, the code `exec("cookie_user -c ".$_COOKIE['CookieID']);` is run. This hands the cookie value straight to the shell as part of a system command. Since the string CookieID is controlled by us, this can be used to inject our own commands into the program. Overall, the bug they found is pretty simple. It's neat that the tool is able to tear apart firmware and find these sorts of bugs in the code. This could be a good tool for security researchers looking for quick bugs, or for vendors as a check prior to launching their product.
Analysis Summary
# Vulnerability: Unauthenticated Remote Command Injection in Asus M25 NAS
## CVE Details
- **CVE ID:** CVE-2022-4221
- **CVSS Score:** 9.8 (Critical)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command)
## Affected Systems
- **Products:** Asus M25 NAS
- **Versions:** All firmware versions (including the latest version dated ~2012)
- **Configurations:** Default configuration; the vulnerable code resides in an authentication layer added by Asus to the integrated AjaXplorer component.
## Vulnerability Description
A critical command injection vulnerability exists in the PHP-based web interface of the Asus M25 NAS. The flaw is located in the processing of HTTP cookies, specifically where the value of the `CookieID` cookie is passed directly into a system command via the PHP `exec()` function without sanitation.
The application executes: `exec("cookie_user -c ".$_COOKIE['CookieID']);`. Because the input is not filtered, an attacker can append shell metacharacters (such as semi-colons) to the cookie value to execute arbitrary system-level commands.
## Exploitation
- **Status:** PoC described; vulnerability exists in End-of-Life (EOL) firmware.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to files and system data)
- **Integrity:** High (Ability to modify system configuration and files)
- **Availability:** High (Ability to disable the device or delete data)
## Remediation
### Patches
- **None:** The vendor (Asus) has declared this product "End-of-Life" (EOL) for several years and indicated that no security updates will be provided.
### Workarounds
- **Decommissioning:** Since no patches are available, it is strongly recommended to discontinue the use of Asus M25 NAS devices, especially if they are exposed to a network.
- **Network Isolation:** If the device must remain in use, ensure it is completely isolated from the internet and placed behind a strict firewall with no external access to the web management interface.
## Detection
- **Indicators of Compromise:** Monitoring web server logs for unusual `CookieID` values containing shell characters (e.g., `;`, `&`, `|`, `$(...)`).
- **Detection methods and tools:** Static Analysis Security Testing (SAST) tools or automated firmware scanners (like the ONEKEY platform) can identify the vulnerable `exec()` call in the PHP source code.
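The log-based indicator above, as an added example (not code from the ONEKEY advisory or the Asus firmware): it parses the Cookie header the way PHP builds `$_COOKIE` (split on `;`, then URL-decode each value), so an encoded separator such as `%3B` is caught only after decoding. It assumes an Apache access log whose LogFormat appends the request's Cookie header (`%h %t "%r" %>s "%{Cookie}i"`); the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Characters that let a value concatenated into exec("cookie_user -c " . $v)
# terminate or chain a shell command. Backtick and newline are added because
# the advisory's list (";", "&", "|", "$(...)") is not exhaustive.
SHELL_META = re.compile(r'[;&|`\n]|\$\(')

# Assumed LogFormat: %h %t "%r" %>s "%{Cookie}i"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def parse_cookie_header(header):
    """Split a Cookie header like PHP does: on ';', then URL-decode each value.
    Decoding after the split is what lets "%3B" turn into ";" inside a value."""
    cookies = {}
    for pair in header.split(';'):
        name, sep, value = pair.strip().partition('=')
        if sep:
            cookies[name] = unquote(value)
    return cookies


def suspicious_cookie_id(header):
    """Return the decoded CookieID value if it carries shell metacharacters, else None."""
    value = parse_cookie_header(header).get('CookieID')
    if value is not None and SHELL_META.search(value):
        return value
    return None


def scan_log(lines):
    """Return (client_ip, decoded CookieID) for each log line that trips the check."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            value = suspicious_cookie_id(m.group('cookie'))
            if value is not None:
                hits.append((m.group('ip'), value))
    return hits


# Constructed sample log lines (not real traffic); only the last two should be flagged.
SAMPLE_LOG = [
    '192.0.2.10 [10/Oct/2022:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 "CookieID=a1b2c3; lang=en"',
    '198.51.100.7 [10/Oct/2022:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 "CookieID=a1b2c3%3Buname; lang=en"',
    '203.0.113.4 [10/Oct/2022:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 "lang=en; CookieID=x%24%28uname%29"',
]

if __name__ == '__main__':
    for ip, value in scan_log(SAMPLE_LOG):
        print(f'{ip}: CookieID={value!r}')
```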
## References
- **Vendor Advisory:** N/A (Vendor declined to issue a fix due to EOL status)
- **ONEKEY Advisory:** hxxps[://]www[.]onekey[.]com/resource/security-advisory-asus-m25-nas-vulnerability
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2022-4221