
The Missing Link: Draytek's New RCEs Complete the Chain

DEFCONConference · 212 views · 24:52 · 6 months ago

This talk demonstrates a full-chain exploit against DrayTek routers, leveraging a combination of buffer overflows and integer overflows to achieve remote code execution and kernel-level persistence. The researchers analyze the router's firmware, specifically targeting the CGI request parser and TR069 STUN protocol implementation. The presentation highlights how these vulnerabilities can be chained to bypass authentication and install backdoored modules that survive reboots and firmware updates. The researchers also release a tool, 'draytek-arsenal', to assist in firmware reverse engineering and vulnerability research.

Chaining RCEs and Kernel Persistence on DrayTek Vigor Routers

TLDR: Researchers at DEF CON 2025 demonstrated a full-chain exploit against DrayTek Vigor routers, moving from a pre-authentication CGI buffer overflow to kernel-level persistence. By chaining CVE-2024-51138 and CVE-2024-51139, attackers can bypass authentication and install backdoored modules that survive reboots and firmware updates. Pentesters should audit these devices for exposed management interfaces and use the draytek-arsenal toolkit to identify similar vulnerabilities in their own environments.

DrayTek Vigor routers are ubiquitous in small-to-medium enterprise networks, often serving as the primary gateway for critical infrastructure. Because these devices frequently sit at the edge of the network, they are prime targets for injection attacks. The research presented at DEF CON 2025 proves that once an attacker gains a foothold in the CGI request parser, the entire security model of the device collapses. This is not just about a single crash; it is about a complete chain that leads to permanent, undetectable persistence.

The Anatomy of the Chain

The research centers on the GetCGI function, which handles incoming HTTP requests. The researchers identified that this function is fundamentally flawed in how it processes query string parameters. By sending a crafted request, an attacker can trigger a stack-based buffer overflow. This is the entry point. However, the researchers did not stop at code execution. They identified a second, more powerful vulnerability: an integer overflow in the same GetCGI function that, when combined with the device's slab allocator, allows for an arbitrary write primitive.

The integer overflow occurs because the router stores the Content-Length value in a signed integer. When the content length is set to the maximum 32-bit signed integer, the subsequent call to malloc receives a negative value, which the allocator interprets as a request for a very small memory block. This forces the application to write data into a cache meant for 24-byte objects, effectively turning an integer overflow into a heap-based buffer overflow.
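To make the signed-length failure concrete, here is an added example in C. It is not code from the talk, from draytek-arsenal, or from DrayTek's firmware: it models the arithmetic and the size-class selection the paragraph describes (a signed length with one added for a terminator, and an allocator that picks the first slab whose size is not below the request), then shows the unsigned, bounds-checked Content-Length parse a hardened CGI handler would use instead. The slab classes, the MAX_BODY limit and all function names are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy slab size classes, constructed for this example; DrayTek's real
 * allocator is not reproduced here. */
static const int32_t SLAB_CLASSES[] = {24, 64, 256, 1024, 4096};
#define SLAB_COUNT (sizeof SLAB_CLASSES / sizeof SLAB_CLASSES[0])

/* Vulnerable size-class lookup: the request is a signed 32-bit int and the
 * first class with size >= request wins. A negative request satisfies the
 * very first comparison, so it is served from the 24-byte cache. Returns 0
 * when no slab class fits. */
int32_t slab_class_signed(int32_t request) {
    for (size_t i = 0; i < SLAB_COUNT; i++) {
        if (request <= SLAB_CLASSES[i]) {
            return SLAB_CLASSES[i];
        }
    }
    return 0;
}

/* content_length + 1 (room for a terminator) as a 32-bit two's-complement
 * add. Signed overflow is undefined in ISO C; on the MIPS firmware it simply
 * wraps, so INT32_MAX + 1 becomes INT32_MIN. The unsigned cast makes the
 * wrap well defined here so the example behaves the same on any host. */
int32_t vuln_buffer_size(int32_t content_length) {
    return (int32_t)((uint32_t)content_length + 1u);
}

/* Which slab the vulnerable path would pick for a declared body length. */
int32_t vuln_slab_for_content_length(int32_t content_length) {
    return slab_class_signed(vuln_buffer_size(content_length));
}

/* Hardened path. MAX_BODY is an assumed policy limit for a CGI request body. */
#define MAX_BODY 65536u

/* Parse a Content-Length header value into an unsigned length, rejecting
 * non-digits, trailing junk, values that overflow strtoull, and anything over
 * MAX_BODY. Rejection happens before any arithmetic is done on the value. */
bool parse_content_length(const char *s, uint32_t *out) {
    if (s == NULL || !isdigit((unsigned char)s[0])) {
        return false;
    }
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_BODY) {
        return false;
    }
    *out = (uint32_t)v;
    return true;
}

/* Buffer size (length + terminator) with no possibility of wrap: the length
 * is already capped far below UINT32_MAX, and the result is a size_t that an
 * allocator compares as an unsigned quantity. */
bool safe_buffer_size(const char *header_value, size_t *out) {
    uint32_t len;
    if (!parse_content_length(header_value, &len)) {
        return false;
    }
    *out = (size_t)len + 1u;
    return true;
}

int main(void) {
    const char *crafted = "2147483647"; /* INT32_MAX, the value the talk describes */
    size_t n = 0;
    printf("vulnerable path: Content-Length %s -> buffer size %d -> slab class %d\n",
           crafted, vuln_buffer_size(INT32_MAX), vuln_slab_for_content_length(INT32_MAX));
    bool ok = safe_buffer_size(crafted, &n);
    printf("hardened path:   Content-Length %s -> %s\n", crafted, ok ? "accepted" : "rejected");
    ok = safe_buffer_size("100", &n);
    printf("hardened path:   Content-Length 100 -> %s, %zu bytes\n", ok ? "accepted" : "rejected", n);
    return 0;
}
```

The vulnerable path lands the crafted length in the 24-byte class while the copy that follows still uses the original two-gigabyte length, which is the heap overflow the talk chains from. The hardened path never lets a length reach an allocator in a signed type and refuses it at the parser, so there is no arithmetic left to wrap.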

Exploiting the MIPS Architecture

Because these routers run on MIPS architecture, the exploitation process requires a deep understanding of how the processor handles exceptions. When an exception occurs, the router jumps to a general handler, which uses a table of pointers to determine how to proceed. The researchers discovered they could use their arbitrary write primitive to overwrite an entry in this exception handler table.

By pointing the handler to a location in memory they control—specifically a low-level network reception buffer—they can redirect the execution flow. The payload is simple: a shellcode that changes the admin password. Once the password is changed, the attacker has full, authenticated access to the device.

# Example of the heap overflow trigger via curl
curl -X POST -H "Content-Length: 2147483647" -d "payload_here" http://<router_ip>/cgi-bin/login.cgi

Achieving Kernel-Level Persistence

The most dangerous aspect of this research is the method of persistence. DrayTek routers support Dynamically Loadable Modules (DLMs), which are kernel modules loaded during the boot process to provide extra functionality. These modules are stored in a separate partition on the flash memory, meaning they are not wiped during a standard firmware update or a factory reset.

The researchers reverse-engineered the module decryption and compression algorithms, which use modified versions of XTEA and LZ4, respectively. By writing their own decompressor and decryptor, they were able to modify an existing DLM to include a backdoored SSH daemon. When the router reboots, it loads this malicious module with higher priority than the legitimate one, effectively granting the attacker a permanent, hidden backdoor.

Practical Implications for Pentesters

If you are performing a penetration test on a network using DrayTek hardware, you should immediately check for exposed management interfaces. The attack surface is not limited to the web UI; the TR069 STUN protocol implementation is also vulnerable. The draytek-arsenal tool released by the researchers is essential for anyone looking to automate the extraction and analysis of these firmware images.

For those interested in the broader implications of this research, it is worth noting that the researchers have moved on to automotive security, releasing EvilDoggie, a modular CAN bus research tool. This shift highlights a common trend in hardware security research: once a specific vendor's ecosystem is thoroughly picked apart, the focus shifts to more complex, high-impact targets.

Defenders must prioritize patching these devices, but they should also assume that any device that has been exposed to the internet for an extended period may already be compromised at the kernel level. A firmware update might not be enough if the attacker has already installed a persistent, backdoored module. In such cases, a complete re-imaging of the device from a known-good source is the only way to ensure the integrity of the system. The "missing link" in this chain was the assumption that firmware updates would clear out malicious modifications, an assumption that this research has effectively dismantled.

Talk Type: research presentation
Difficulty: advanced
Category: iot security
Tags: Has Demo · Has Code · Tool Released


Conference: DC33 Hardware Hacking Village Talks (3 talks · 2025)