feat(waf): Add CVE-2025-14528 router botnet detection

Add new router_botnet WAF category for IoT/router exploitation: CVE-2025-14528 (D-Link DIR-803 getcfg.php): - AUTHORIZED_GROUP parameter manipulation - SERVICES=DEVICE.ACCOUNT enumeration - Newline injection bypass (%0a, %0d) Additional router exploit patterns: - D-Link hedwig.cgi, HNAP, service.cgi RCE - UPnP SOAP injection - Goform command injection - ASUS/TP-Link/Netgear/Zyxel exploits Mirai-variant botnet scanner detection: - User-Agent signatures (Mirai, Hajime, Mozi, BotenaGo, etc.) - Router payload injection patterns Sources: CrowdSec Threat Intel, Global Security Mag Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-24 11:04:05 +01:00 · 2026-02-24 11:04:05 +01:00 · a469076297
commit a469076297
parent 4a972ab0ae
6 changed files with 118 additions and 8 deletions
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@ -3272,3 +3272,29 @@ git checkout HEAD -- index.html
      - `zkp-hamiltonian/include/zkp_types.h` (ZKP_MAX_N guard)
      - `luci-app-zkp/root/usr/libexec/rpcd/luci.zkp` (CLI flag fixes)

+
+44. **WAF CVE-2025-14528 Router Botnet Detection (2026-02-24)**
+    - Added new `router_botnet` WAF category for IoT/router exploitation attempts.
+    - **CVE-2025-14528 Detection:**
+      - D-Link DIR-803 getcfg.php credential leak
+      - AUTHORIZED_GROUP parameter manipulation
+      - Newline injection bypass (%0a, %0d)
+      - SERVICES=DEVICE.ACCOUNT enumeration
+    - **Additional Router Exploit Patterns:**
+      - D-Link hedwig.cgi, HNAP, service.cgi RCE
+      - UPnP SOAP injection
+      - Goform command injection
+      - ASUS infosvr/apply.cgi exploits
+      - TP-Link/Netgear command exec patterns
+      - Zyxel zhttpd shell injection
+    - **Mirai-Variant Botnet Scanner Detection:**
+      - User-Agent signatures: Mirai, Hajime, Mozi, BotenaGo, Gafgyt, etc.
+      - Router wget/curl payload injection
+      - Telnet enable attempts
+    - **Files Modified:**
+      - `secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json` (19 new patterns)
+      - `secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py`
+      - `secubox-app-mitmproxy/files/etc/config/mitmproxy`
+      - `secubox-app-mitmproxy/files/usr/sbin/mitmproxy-waf-sync`
+    - **Sources:** [CrowdSec Threat Intel](https://www.crowdsec.net/vulntracking-report/cve-2025-14528), [Global Security Mag](https://www.globalsecuritymag.com/old-routers-new-botnets-active-exploitation-of-cve-2025-14528.html)
+
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@ -419,7 +419,9 @@
      "Bash(dd:*)",
      "Bash(gh release create:*)",
      "Bash(# Check if OpenWrt toolchain is available ls -la /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/openwrt/)",
-      "Bash(# Create symlink in SDK feeds cd /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/sdk ln -sf ../local-feed/zkp-hamiltonian/openwrt feeds/local/zkp-hamiltonian || true ls -la feeds/local/)"
+      "Bash(# Create symlink in SDK feeds cd /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/sdk ln -sf ../local-feed/zkp-hamiltonian/openwrt feeds/local/zkp-hamiltonian || true ls -la feeds/local/)",
+      "WebFetch(domain:www.linkedin.com)",
+      "WebFetch(domain:www.crowdsec.net)"
    ]
  }
 }
--- a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
+++ b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
@ -196,8 +196,10 @@ config waf_rules 'waf_rules'
 	# Application-specific
 	option webmail '1'
 	option api_abuse '1'
-	# VoIP/XMPP protection (new)
+	# VoIP/XMPP protection
 	option voip '1'
 	option xmpp '1'
 	option cve_voip '1'
 	option cve_xmpp '1'
+	# Router/IoT botnet protection (CVE-2025-14528, Mirai variants)
+	option router_botnet '1'
--- a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
@ -215,6 +215,13 @@ BOT_SIGNATURES = [
    'seznambot', 'yandexbot', 'baiduspider', 'sogou',
    'bytespider', 'petalbot', 'dataforseo', 'serpstatbot',

+    # ==== IOT BOTNET SCANNERS (Mirai variants) ====
+    'mirai', 'hajime', 'mozi', 'botenago', 'gafgyt', 'bashlite',
+    'tsunami', 'xorddos', 'dofloo', 'enemybot', 'fodcha',
+    'zerobot', 'rondodox', 'satori', 'okiru', 'omni', 'owari',
+    'hello, world',  # common Mirai scanner probe
+    'iot_reaper', 'iot-reaper', 'reaper',
+
    # ==== EMPTY/SUSPICIOUS USER AGENTS ====
    # Note: Do NOT include 'mozilla/5.0' here - it's the standard prefix for ALL modern browsers!
    # Only flag clearly suspicious minimal/empty user agents
@ -539,6 +546,50 @@ CVE_PATTERNS = {
        r'/zimbraAdmin/', r'/zimlet/', r'/service/soap',
        r'\.php\?.*include', r'\.php\?.*require',
    ],
+    # CVE-2025-14528 (D-Link DIR-803 getcfg.php credential leak - Active Botnet Exploitation)
+    'CVE-2025-14528': [
+        r'/getcfg\.php.*AUTHORIZED_GROUP',
+        r'/getcfg\.php.*SERVICES=DEVICE\.ACCOUNT',
+        r'/getcfg\.php.*(%0a|%0d|\n|\r)',  # newline injection
+        r'/getcfg\.php\?',  # general probe
+    ],
+
+    # ============================================================================
+    # Router/IoT Botnet Vulnerabilities (Mirai, Mozi, BotenaGo variants)
+    # ============================================================================
+    'dlink_getcfg': [
+        r'/getcfg\.php',
+        r'/hedwig\.cgi',
+        r'/HNAP1/',
+        r'/service\.cgi.*(exec|system|passthru)',
+    ],
+    'router_rce': [
+        r'/goform/.*(cmd|system|exec)',
+        r'/cgi-bin/(firmwareupgrade|syscmd|syslog)',
+        r'/cgi-bin/zhttpd/.*shell',
+        r'/(setup|apply|syscmd).*wget.*\|',
+        r'/(setup|apply|syscmd).*curl.*\|',
+        r'/(setup|apply|syscmd).*telnetd',
+    ],
+    'upnp_soap': [
+        r'/(upnp|UPnP)/.*SOAP',
+        r'/soap\.cgi.*<SOAP-ENV',
+        r'/igd\.xml',
+    ],
+    'asus_router': [
+        r'/infosvr/',
+        r'/apply\.cgi.*action_mode',
+        r'/appGet\.cgi',
+    ],
+    'tplink_router': [
+        r'/userRpm/.*admin',
+        r'/cgi-bin/luci.*admin',
+    ],
+    'netgear_router': [
+        r'/cgi-bin/setup\.cgi.*syscmd',
+        r'/currentsetting\.htm',
+        r'/BRS_netgear_success\.html',
+    ],

    # ============================================================================
    # CMS-Specific Vulnerabilities
--- a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json
+++ b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json
@ -1,8 +1,8 @@
 {
  "_meta": {
-    "version": "1.1.0",
-    "updated": "2026-02-19",
-    "sources": ["OWASP Top 10", "CERT advisories", "CVE database", "VoIP Security Research", "XMPP Standards Foundation"]
+    "version": "1.2.0",
+    "updated": "2026-02-24",
+    "sources": ["OWASP Top 10", "CERT advisories", "CVE database", "VoIP Security Research", "XMPP Standards Foundation", "CrowdSec Threat Intel"]
  },
  
  "categories": {
@ -13,7 +13,7 @@
      "owasp": "A03:2021",
      "patterns": [
        {"id": "sqli-001", "pattern": "union\\s+(all\\s+)?select", "desc": "UNION-based injection"},
-        {"id": "sqli-002", "pattern": "[\x27\x22]\\s*(or|and)\\s*[\x27\x22]?\\d", "desc": "Boolean-based injection"},
+        {"id": "sqli-002", "pattern": "['\"]\\s*(or|and)\\s*['\"]?\\d", "desc": "Boolean-based injection"},
        {"id": "sqli-003", "pattern": "(sleep|benchmark|waitfor|pg_sleep)\\s*\\(", "desc": "Time-based blind injection"},
        {"id": "sqli-004", "pattern": "information_schema\\.", "desc": "Schema enumeration"},
        {"id": "sqli-005", "pattern": "(load_file|into\\s+outfile|into\\s+dumpfile)", "desc": "File operations"},
@ -102,7 +102,7 @@
      "patterns": [
        {"id": "mail-001", "pattern": "\\.\\./(config|db|data)", "desc": "Roundcube path traversal"},
        {"id": "mail-002", "pattern": "_action=(upload|import).*\\.(php|phtml)", "desc": "Malicious upload"},
-        {"id": "mail-003", "pattern": "_uid=.*[\\x27\\x22<>]", "desc": "XSS in mail UID"},
+        {"id": "mail-003", "pattern": "_uid=.*['\"><>]", "desc": "XSS in mail UID"},
        {"id": "mail-004", "pattern": "installer/", "desc": "Installer access attempt"},
        {"id": "mail-005", "pattern": "(temp|logs)/.*\\.(php|sh|pl)", "desc": "Script in temp/logs"}
      ]
@ -189,6 +189,33 @@
        {"id": "cve-xmpp-2021-21351", "pattern": "XMPPframework.*<iq.*<enable.*xmlns=[\"'].*push", "desc": "XMPP push auth bypass"},
        {"id": "cve-tigase-2023-39350", "pattern": "/rest/adhoc/.*sess-man.*user-add", "desc": "Tigase unauth user creation", "cve": "CVE-2023-39350"}
      ]
+    },
+
+    "router_botnet": {
+      "name": "Router/IoT Botnet Exploits",
+      "severity": "critical",
+      "enabled": true,
+      "patterns": [
+        {"id": "cve-2025-14528", "pattern": "/getcfg\\.php.*AUTHORIZED_GROUP", "desc": "D-Link getcfg.php credential leak", "cve": "CVE-2025-14528"},
+        {"id": "cve-2025-14528-srv", "pattern": "/getcfg\\.php.*SERVICES=DEVICE\\.ACCOUNT", "desc": "D-Link DEVICE.ACCOUNT enumeration", "cve": "CVE-2025-14528"},
+        {"id": "cve-2025-14528-nl", "pattern": "/getcfg\\.php.*(%0a|%0d|\\n|\\r)", "desc": "D-Link getcfg newline injection", "cve": "CVE-2025-14528"},
+        {"id": "dlink-getcfg", "pattern": "/getcfg\\.php\\?", "desc": "D-Link getcfg.php probe (botnet recon)"},
+        {"id": "dlink-hedwig", "pattern": "/hedwig\\.cgi", "desc": "D-Link Hedwig command injection"},
+        {"id": "dlink-hnap", "pattern": "/HNAP1/", "desc": "D-Link HNAP protocol abuse"},
+        {"id": "dlink-service", "pattern": "/service\\.cgi.*(exec|system|passthru)", "desc": "D-Link service.cgi RCE"},
+        {"id": "router-upnp-soap", "pattern": "/(upnp|UPnP)/.*<SOAP-ENV", "desc": "UPnP SOAP injection"},
+        {"id": "router-setup-cgi", "pattern": "/setup\\.cgi.*next_file=", "desc": "Router setup.cgi traversal"},
+        {"id": "router-goform", "pattern": "/goform/.*\\$\\(|`|;", "desc": "Router goform command injection"},
+        {"id": "router-cgi-bin", "pattern": "/cgi-bin/(firmwareupgrade|upgrade|syscmd|syslog)", "desc": "Router sensitive CGI access"},
+        {"id": "router-admin-pw", "pattern": "/userRpm/.*admin.*password", "desc": "Router admin password access"},
+        {"id": "tplink-cgi", "pattern": "/cgi-bin/luci.*;.*admin", "desc": "TP-Link LuCI injection"},
+        {"id": "netgear-cgi", "pattern": "/cgi-bin/.*setup\\.cgi.*syscmd", "desc": "Netgear setup.cgi command exec"},
+        {"id": "asus-infosvr", "pattern": "/(infosvr|apply\\.cgi).*action_mode", "desc": "ASUS router command exec"},
+        {"id": "mirai-scan", "pattern": "User-Agent:.*(Mirai|Hajime|Mozi|BotenaGo)", "desc": "Mirai-variant botnet scanner", "check": "user-agent"},
+        {"id": "router-telnet-enable", "pattern": "/(syscmd|system_cmd).*telnetd", "desc": "Router telnet enable attempt"},
+        {"id": "router-wget-inject", "pattern": "/(setup|apply|cmd).*wget.*\\|", "desc": "Router wget payload injection"},
+        {"id": "zyxel-zhttpd", "pattern": "/cgi-bin/zhttpd/.*shell", "desc": "Zyxel zhttpd shell injection"}
+      ]
    }
  }
 }
--- a/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxy-waf-sync
+++ b/package/secubox/secubox-app-mitmproxy/files/usr/sbin/mitmproxy-waf-sync
@ -17,6 +17,7 @@ voip=$(uci -q get mitmproxy.waf_rules.voip || echo 1)
 xmpp=$(uci -q get mitmproxy.waf_rules.xmpp || echo 1)
 cve_voip=$(uci -q get mitmproxy.waf_rules.cve_voip || echo 1)
 cve_xmpp=$(uci -q get mitmproxy.waf_rules.cve_xmpp || echo 1)
+router_botnet=$(uci -q get mitmproxy.waf_rules.router_botnet || echo 1)

 # Convert to JSON booleans
 to_bool() { [ "$1" = "1" ] && echo "true" || echo "false"; }
@ -36,7 +37,8 @@ cat > "$CONFIG_FILE" << EOF
    "voip": $(to_bool $voip),
    "xmpp": $(to_bool $xmpp),
    "cve_voip": $(to_bool $cve_voip),
-    "cve_xmpp": $(to_bool $cve_xmpp)
+    "cve_xmpp": $(to_bool $cve_xmpp),
+    "router_botnet": $(to_bool $router_botnet)
  }
 }
 EOF