CVE-2018-18319 in Merlin.PHP
Summary
by MITRE
** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/05/2024
The vulnerability identified as CVE-2018-18319 resides within the Merlin.PHP component version 0.6.6 of Asuswrt-Merlin firmware, representing a critical remote code execution flaw that exploits improper input validation and dangerous function execution patterns. This issue manifests through the api.php endpoint which contains an eval() call that processes user-supplied parameters without adequate sanitization, creating a pathway for malicious actors to inject and execute arbitrary commands on affected devices. The vulnerability specifically demonstrates its exploitability through a crafted URI where the command parameter is passed directly to the eval function, allowing an attacker to execute system commands such as 'ls' as shown in the proof of concept. The component's architecture design places it within the realm of network infrastructure devices where unauthorized access can lead to complete system compromise.
The technical implementation of this vulnerability follows CWE-94, which describes the weakness of executing arbitrary code through the use of eval functions, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter. The flaw occurs because the api.php script accepts user input through the class and Cc parameters, which are then directly processed by eval() without proper validation or sanitization. This creates a classic injection vulnerability where attacker-controlled data flows directly into the interpreter, bypassing all normal input validation mechanisms. The authentication bypass aspect is particularly concerning as the vendor acknowledges this component is intended for internal network use only, yet the implementation allows remote access to the vulnerable API endpoint, effectively removing the intended network boundary protection.
The operational impact of this vulnerability extends far beyond simple command execution, as it enables full system compromise of affected Asuswrt-Merlin devices. An attacker who successfully exploits this vulnerability can gain complete control over the router's operating system, potentially leading to persistent backdoors, network monitoring capabilities, or use of the device as a pivot point for attacks against other systems within the local network. The vulnerability affects devices running Asuswrt-Merlin firmware version 0.6.6 and potentially other versions that contain similar implementation flaws in the Merlin.PHP component. Given that many home and small office routers operate in unsecured environments, the risk of exploitation is significant, particularly when these devices are accessible from the internet or when network segmentation is inadequate.
Mitigation strategies for this vulnerability should prioritize network segmentation and access control measures, as the vendor's acknowledgment of intended internal use suggests that proper network isolation is critical to preventing exploitation. Organizations should implement strict firewall rules that restrict access to the vulnerable api.php endpoint to trusted internal networks only, and consider disabling the Merlin.PHP component entirely if it is not required for operations. Network monitoring should be enhanced to detect unusual command execution patterns or attempts to access the vulnerable URI, which would help identify potential exploitation attempts. The most effective long-term solution involves upgrading to firmware versions that either patch the vulnerability or remove the problematic eval() implementation, though this requires careful consideration of compatibility requirements and operational impact. Security teams should also consider implementing intrusion detection systems that can identify and block exploitation attempts targeting this specific vulnerability pattern.