CVE-2021-35394 Scanner

CVE-2021-35394 Scanner - Remote Code Execution (RCE) vulnerability in RealTek AP Router SDK

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 17 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

RealTek AP Router SDK is a software development kit integrated into various embedded networking devices, primarily Wi-Fi routers and IoT systems. It is widely adopted by device manufacturers to enable wireless communication and control functionalities. The SDK is designed to manage data packets, handle routing logic, and maintain wireless configurations. RealTek’s solutions are commonly used in residential, commercial, and industrial IoT environments. Network administrators and device manufacturers integrate this SDK into firmware for enhanced functionality. Due to its widespread use, vulnerabilities in this SDK can affect a large number of end-user devices globally.

The vulnerability in the RealTek AP Router SDK allows for Remote Code Execution (RCE) through arbitrary command injection. This flaw arises from an exposed UDP server within the SDK that accepts user input without sufficient validation. Attackers can craft specially formed UDP packets that embed operating system commands. Upon receipt, the vulnerable service interprets and executes these commands in the system shell. As no authentication or sanitization is enforced, this allows attackers to control the affected system remotely. This type of vulnerability is critical and can be exploited in real-world scenarios, especially when the devices are accessible over public networks.

Technically, the vulnerability resides in the UDP service exposed by the RealTek SDK. Attackers can send a crafted UDP message containing `nslookup` or similar commands embedded in a specific format like `orf;nslookup attacker.domain`. The vulnerability stems from improper parsing and execution of input within the UDP listener. Upon receiving the packet, the service executes the command without checking its source or content. This enables an attacker to make the target device perform DNS queries or run arbitrary shell commands. This attack is commonly used in conjunction with DNS-based interaction services to confirm exploit success. The flaw affects any firmware that includes the unpatched SDK version exposing this service.
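The paragraph above describes the shape of the malicious datagram: an `orf` marker, a shell separator, and an OS command that the unpatched UDP listener hands to the system shell. The following Python is an added example for defenders, not code from the scanner page or from Realtek's SDK: it inspects captured UDP datagrams bound for the SDK service and flags any payload in which a shell metacharacter follows the marker, reporting the embedded command so the event can be logged or alerted on. The service port constant, the `Datagram` structure and all sample payloads are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Placeholder: the page does not state which UDP port the SDK service
# listens on. Set this to the port observed on your own devices.
SERVICE_UDP_PORT = 9034

# The page describes payloads shaped like "orf;<command>": a marker, a
# shell separator, then an OS command the vulnerable listener executes.
MARKER = "orf"
# Characters a shell treats as command separators or substitutions.
SHELL_META = re.compile(r"[;|&`$()<>\n]")


@dataclass(frozen=True)
class Datagram:
    """One captured UDP datagram (constructed structure for this example)."""
    src: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    src: str
    embedded_command: str
    reason: str


def inspect_datagram(dg: Datagram) -> Optional[Finding]:
    """Return a Finding if the datagram carries the injection pattern, else None."""
    if dg.dst_port != SERVICE_UDP_PORT:
        return None
    # latin-1 maps every byte to a code point, so decoding never raises.
    text = dg.payload.decode("latin-1")
    idx = text.lower().find(MARKER)
    if idx < 0:
        return None
    rest = text[idx + len(MARKER):]
    meta = SHELL_META.search(rest)
    if meta is None:
        # Marker without a shell separator: nothing is handed to the shell.
        return None
    command = rest[meta.end():].strip()
    reason = f"shell metacharacter {meta.group()!r} after {MARKER!r} marker"
    return Finding(src=dg.src, embedded_command=command, reason=reason)


def scan(datagrams: Iterable[Datagram]) -> List[Finding]:
    """Run the check over a capture and return every finding in order."""
    return [f for f in (inspect_datagram(d) for d in datagrams) if f is not None]


# Constructed sample capture: two injection attempts, one benign probe,
# one marker-bearing word with no separator, one packet to another port.
SAMPLE_DATAGRAMS = [
    Datagram("192.0.2.10", SERVICE_UDP_PORT, b"orf;nslookup probe.example.invalid"),
    Datagram("192.0.2.11", SERVICE_UDP_PORT, b"hello"),
    Datagram("192.0.2.12", 53, b"orf;id"),
    Datagram("192.0.2.13", SERVICE_UDP_PORT, b"ORF|id"),
    Datagram("192.0.2.14", SERVICE_UDP_PORT, b"orfanage report"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DATAGRAMS):
        print(f"{finding.src}: {finding.reason}; command={finding.embedded_command!r}")
```

Only datagrams to the service port are examined, and a marker without a following separator (the `orfanage` sample) is deliberately not flagged, so the check reports the injection shape rather than every packet that happens to contain the three letters.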

If successfully exploited, the vulnerability can lead to full compromise of the target device. Attackers may gain remote shell access and use the device in botnets or launch further attacks within internal networks. Data on the device can be stolen or manipulated, and services can be disrupted. In large-scale environments, multiple devices could be compromised simultaneously. Additionally, the attack may go undetected if the UDP port is exposed without logging. The impact of this vulnerability is severe due to the potential for persistent remote control.
