From a4690762972312140cb02673b6da9b2f9b1fb1d4 Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Tue, 24 Feb 2026 11:04:05 +0100
Subject: [PATCH] feat(waf): Add CVE-2025-14528 router botnet detection
Add new router_botnet WAF category for IoT/router exploitation:
CVE-2025-14528 (D-Link DIR-803 getcfg.php):
- AUTHORIZED_GROUP parameter manipulation
- SERVICES=DEVICE.ACCOUNT enumeration
- Newline injection bypass (%0a, %0d)
Additional router exploit patterns:
- D-Link hedwig.cgi, HNAP, service.cgi RCE
- UPnP SOAP injection
- Goform command injection
- ASUS/TP-Link/Netgear/Zyxel exploits
Mirai-variant botnet scanner detection:
- User-Agent signatures (Mirai, Hajime, Mozi, BotenaGo, etc.)
- Router payload injection patterns
Sources: CrowdSec Threat Intel, Global Security Mag
Co-Authored-By: Claude Opus 4.5
---
 .claude/HISTORY.md | 26 ++++++++++
 .claude/settings.local.json | 4 +-
 .../files/etc/config/mitmproxy | 4 +-
 .../srv/mitmproxy/addons/secubox_analytics.py | 51 +++++++++++++++++++
 .../files/srv/mitmproxy/waf-rules.json | 37 ++++++++++++--
 .../files/usr/sbin/mitmproxy-waf-sync | 4 +-
 6 files changed, 118 insertions(+), 8 deletions(-)
diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md
index 6a130d78..03186be5 100644
--- a/.claude/HISTORY.md
+++ b/.claude/HISTORY.md
@@ -3272,3 +3272,29 @@ git checkout HEAD -- index.html
 - `zkp-hamiltonian/include/zkp_types.h` (ZKP_MAX_N guard)
 - `luci-app-zkp/root/usr/libexec/rpcd/luci.zkp` (CLI flag fixes)
+
+44. **WAF CVE-2025-14528 Router Botnet Detection (2026-02-24)**
+ - Added new `router_botnet` WAF category for IoT/router exploitation attempts.
+ - **CVE-2025-14528 Detection:**
+ - D-Link DIR-803 getcfg.php credential leak
+ - AUTHORIZED_GROUP parameter manipulation
+ - Newline injection bypass (%0a, %0d)
+ - SERVICES=DEVICE.ACCOUNT enumeration
+ - **Additional Router Exploit Patterns:**
+ - D-Link hedwig.cgi, HNAP, service.cgi RCE
+ - UPnP SOAP injection
+ - Goform command injection
+ - ASUS infosvr/apply.cgi exploits
+ - TP-Link/Netgear command exec patterns
+ - Zyxel zhttpd shell injection
+ - **Mirai-Variant Botnet Scanner Detection:**
+ - User-Agent signatures: Mirai, Hajime, Mozi, BotenaGo, Gafgyt, etc.
+ - Router wget/curl payload injection
+ - Telnet enable attempts
+ - **Files Modified:**
+ - `secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json` (19 new patterns)
+ - `secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py`
+ - `secubox-app-mitmproxy/files/etc/config/mitmproxy`
+ - `secubox-app-mitmproxy/files/usr/sbin/mitmproxy-waf-sync`
+ - **Sources:** [CrowdSec Threat Intel](https://www.crowdsec.net/vulntracking-report/cve-2025-14528), [Global Security Mag](https://www.globalsecuritymag.com/old-routers-new-botnets-active-exploitation-of-cve-2025-14528.html)
+
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index 9d4991f5..cde3b8fe 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -419,7 +419,9 @@
 "Bash(dd:*)",
 "Bash(gh release create:*)",
 "Bash(# Check if OpenWrt toolchain is available ls -la /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/openwrt/)",
- "Bash(# Create symlink in SDK feeds cd /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/sdk ln -sf ../local-feed/zkp-hamiltonian/openwrt feeds/local/zkp-hamiltonian || true ls -la feeds/local/)"
+ "Bash(# Create symlink in SDK feeds cd /home/reepost/CyberMindStudio/secubox-openwrt/secubox-tools/sdk ln -sf ../local-feed/zkp-hamiltonian/openwrt feeds/local/zkp-hamiltonian || true ls -la feeds/local/)",
+ "WebFetch(domain:www.linkedin.com)",
+ "WebFetch(domain:www.crowdsec.net)"
 ]
 }
 }
diff --git a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
index f254d219..94478ce6 100644
--- a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
+++ b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
@@ -196,8 +196,10 @@ config waf_rules 'waf_rules'
 # Application-specific
 option webmail '1'
 option api_abuse '1'
- # VoIP/XMPP protection (new)
+ # VoIP/XMPP protection
 option voip '1'
 option xmpp '1'
 option cve_voip '1'
 option cve_xmpp '1'
+ # Router/IoT botnet protection (CVE-2025-14528, Mirai variants)
+ option router_botnet '1'
diff --git a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
index 0c9e8fbc..de1be63c 100644
--- a/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/addons/secubox_analytics.py
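Review bot: `.claude/settings.local.json` reads as per-machine tool state rather than project configuration — the context lines around the two added `WebFetch(domain:…)` entries hold absolute paths under `/home/reepost/…` — so extending it in this commit most likely publishes a local allow-list that other contributors cannot use. If the file is meant to stay local, it should be dropped from the change and ignored rather than grown; if it is deliberately tracked, a sentence saying so in the commit description would settle the question. The `mitmproxy` config hunk that shares this line raises nothing on its own.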
@@ -215,6 +215,13 @@ BOT_SIGNATURES = [
 'seznambot', 'yandexbot', 'baiduspider', 'sogou', 'bytespider', 'petalbot', 'dataforseo', 'serpstatbot',
+ # ==== IOT BOTNET SCANNERS (Mirai variants) ====
+ 'mirai', 'hajime', 'mozi', 'botenago', 'gafgyt', 'bashlite',
+ 'tsunami', 'xorddos', 'dofloo', 'enemybot', 'fodcha',
+ 'zerobot', 'rondodox', 'satori', 'okiru', 'omni', 'owari',
+ 'hello, world', # common Mirai scanner probe
+ 'iot_reaper', 'iot-reaper', 'reaper',
+
 # ==== EMPTY/SUSPICIOUS USER AGENTS ====
 # Note: Do NOT include 'mozilla/5.0' here - it's the standard prefix for ALL modern browsers!
 # Only flag clearly suspicious minimal/empty user agents
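Review bot: `'mozi'` in the new IoT block is a prefix of `mozilla`, so if BOT_SIGNATURES is matched as a case-insensitive substring of the User-Agent — which the existing note about never adding `'mozilla/5.0'` to this list implies — every mainstream browser UA will be classified as a botnet scanner. `'omni'` and `'reaper'` are likewise short tokens that occur inside ordinary product names (OmniWeb, for one), so they carry the same false-positive risk at a smaller scale. Either replace these three with longer, vendor-specific tokens or match them with word boundaries in the code that consumes this list, and add a regression check that a stock `Mozilla/5.0 (...)` desktop UA is not flagged. The matching code is outside this hunk, so the substring assumption is inferred from the list's own comments rather than observed.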
@@ -539,6 +546,50 @@ CVE_PATTERNS = {
 r'/zimbraAdmin/', r'/zimlet/', r'/service/soap', r'\.php\?.*include', r'\.php\?.*require',
 ],
+ # CVE-2025-14528 (D-Link DIR-803 getcfg.php credential leak - Active Botnet Exploitation)
+ 'CVE-2025-14528': [
+ r'/getcfg\.php.*AUTHORIZED_GROUP',
+ r'/getcfg\.php.*SERVICES=DEVICE\.ACCOUNT',
+ r'/getcfg\.php.*(%0a|%0d|\n|\r)', # newline injection
+ r'/getcfg\.php\?', # general probe
+ ],
+
+ # ============================================================================
+ # Router/IoT Botnet Vulnerabilities (Mirai, Mozi, BotenaGo variants)
+ # ============================================================================
+ 'dlink_getcfg': [
+ r'/getcfg\.php',
+ r'/hedwig\.cgi',
+ r'/HNAP1/',
+ r'/service\.cgi.*(exec|system|passthru)',
+ ],
+ 'router_rce': [
+ r'/goform/.*(cmd|system|exec)',
+ r'/cgi-bin/(firmwareupgrade|syscmd|syslog)',
+ r'/cgi-bin/zhttpd/.*shell',
+ r'/(setup|apply|syscmd).*wget.*\|',
+ r'/(setup|apply|syscmd).*curl.*\|',
+ r'/(setup|apply|syscmd).*telnetd',
+ ],
+ 'upnp_soap': [
+ r'/(upnp|UPnP)/.*SOAP',
+ r'/soap\.cgi.*]", "desc": "XSS in mail UID"},
+ {"id": "mail-003", "pattern": "_uid=.*['\"><>]", "desc": "XSS in mail UID"},
 {"id": "mail-004", "pattern": "installer/", "desc": "Installer access attempt"},
 {"id": "mail-005", "pattern": "(temp|logs)/.*\\.(php|sh|pl)", "desc": "Script in temp/logs"}
 ]
@@ -189,6 +189,33 @@
 {"id": "cve-xmpp-2021-21351", "pattern": "XMPPframework.* "$CONFIG_FILE" << EOF
 "voip": $(to_bool $voip),
 "xmpp": $(to_bool $xmpp),
 "cve_voip": $(to_bool $cve_voip),
- "cve_xmpp": $(to_bool $cve_xmpp)
+ "cve_xmpp": $(to_bool $cve_xmpp),
+ "router_botnet": $(to_bool $router_botnet)
 }
 }
 EOF
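Review bot: The newline-injection entry `r'/getcfg\.php.*(%0a|%0d|\n|\r)'` only matches lower-case percent-encodings, so the upper-case `%0A`/`%0D` forms that standard URL encoders emit pass through unless the consumer compiles with `re.IGNORECASE`, which this hunk does not show; `r'/getcfg\.php.*(%0[aAdD]|\n|\r)',  # newline injection, either case` closes that gap independently of the caller. Whether the encoded form or a literal newline is what reaches the matcher depends on whether the path is URL-decoded before matching, which is worth confirming and stating in that same comment. Separately, `'dlink_getcfg'` opens with the bare `r'/getcfg\.php'`, which matches every request the more specific `'CVE-2025-14528'` list matches, so attribution of a hit to the CVE versus the generic category depends on how CVE_PATTERNS is iterated; if the consumer stops at the first match the current insertion order keeps the CVE entry ahead, and that ordering dependency deserves a comment above `'dlink_getcfg'`. The CVE_PATTERNS dict opens before this hunk and the added block is cut off in this view partway through `'upnp_soap'`, so the remaining new entries were not reviewed.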