Hacking the Hacker: Researcher Found Critical Flaw (CVE-2024-45163) in Mirai Botnet

[Image: Mirai botnet, CVE-2024-45163. Credit: Fortinet]

Security researcher Jacob Masse has exposed a critical vulnerability within the Mirai botnet, the infamous malware that has plagued the Internet of Things (IoT) and server landscapes since 2016. Designated CVE-2024-45163 (CVSS 9.1), the flaw allows for remote denial-of-service (DoS) attacks against the botnet’s command and control (CNC) servers, potentially crippling the botnet’s operations.

Mirai’s infamy stems from its ability to compromise a vast number of devices, particularly consumer electronics like IP cameras and home routers. By exploiting weak default passwords and other known vulnerabilities, Mirai conscripts these devices into a botnet—a massive network of “zombies” that can be commanded to launch DDoS attacks, send spam, or engage in other malicious activities. The CNC server plays a pivotal role in this process, acting as the command hub where botnet operators coordinate their attacks. Disrupting this server can effectively neuter the botnet, rendering its army of zombies powerless.

Jacob Masse’s journey to uncover this vulnerability began as a personal challenge but quickly evolved into a detailed research project focusing on the inner workings of botnets. His investigation led him to the CNC server, the beating heart of any botnet. Through a combination of source code analysis, reverse engineering, and persistent experimentation, Masse identified a flaw in how Mirai CNC servers handle incoming connections, particularly during the pre-authentication phase, before any credentials have been checked.

The vulnerability, CVE-2024-45163, stems from the server’s poor management of concurrent connection requests. When an attacker opens numerous connections to the CNC server and sends a simple authentication request—using a username like ‘root’—the server fails to manage these connections properly. This overloads the server’s session buffer, leading to resource exhaustion and, ultimately, a server crash. Remarkably, this exploit requires no authentication, making it easy to execute remotely.
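The failure mode described above, unbounded pre-authentication session state, is not specific to Mirai; any network service with a login phase that allocates a session per connection and never caps or expires it fails the same way. As an added illustration (hypothetical Go code, not Mirai's source and not Masse's exploit), the session table below shows the controls whose absence produces the bug: a per-source cap, a global cap, and an authentication timeout that reaps connections that sent only a username and then went quiet. The limits and addresses in the code are assumptions chosen for the example.

```go
package main

import "time"

// Added illustration, not Mirai code: a pre-auth session table bounded globally and per
// source, with idle reaping. Lacking such controls is what lets a flood of unauthenticated
// 'root' logins exhaust a server's session state.
type session struct{ src string; started time.Time }

// SessionTable holds connections that have been accepted but not yet authenticated.
type SessionTable struct {
	maxTotal, maxPerSource int           // caps assumed for the example
	authTimeout            time.Duration // idle time allowed before authenticating
	sessions               map[int]session
	perSource              map[string]int
	nextID                 int
}

func NewSessionTable(maxTotal, maxPerSource int, authTimeout time.Duration) *SessionTable {
	return &SessionTable{maxTotal: maxTotal, maxPerSource: maxPerSource, authTimeout: authTimeout,
		sessions: map[int]session{}, perSource: map[string]int{}}
}

// Admit runs when a connection arrives, before any credential is read; it returns a
// session id, or -1 and the reason the connection is dropped instead of queued.
func (t *SessionTable) Admit(src string, now time.Time) (int, string) {
	t.Reap(now)
	if len(t.sessions) >= t.maxTotal {
		return -1, "global pre-auth limit reached"
	}
	if t.perSource[src] >= t.maxPerSource {
		return -1, "per-source pre-auth limit reached"
	}
	t.nextID++
	t.sessions[t.nextID] = session{src: src, started: now}
	t.perSource[src]++
	return t.nextID, ""
}

// Reap frees sessions still unauthenticated after authTimeout, so a client that connects
// and sends only a username cannot hold its slot indefinitely; it returns the count freed.
func (t *SessionTable) Reap(now time.Time) (reaped int) {
	for id, s := range t.sessions {
		if now.Sub(s.started) > t.authTimeout {
			delete(t.sessions, id)
			t.perSource[s.src]--
			reaped++
		}
	}
	return reaped
}

// Pending reports how many connections are still waiting to authenticate.
func (t *SessionTable) Pending() int { return len(t.sessions) }
```

A real server would call Admit from its accept loop and Reap from a ticker, and would also free a slot as soon as a session authenticates or its socket closes.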

The implications of CVE-2024-45163 are far-reaching:

  • Botnet Disruption: Successfully exploiting this vulnerability could disable a Mirai botnet’s command and control capabilities, effectively rendering it inert and protecting potential targets from attacks.
  • Law Enforcement Opportunities: Law enforcement agencies could potentially leverage this exploit in large-scale operations to dismantle Mirai botnets and disrupt their malicious activities.
  • Ethical Considerations: Companies conducting controlled botnet testing for security purposes might face unexpected disruptions due to this exploit.

Masse has demonstrated the efficacy of this exploit through a proof-of-concept (PoC) scenario. In his demo, a server with minimal resources—a single CPU core, 1 GB of RAM, and 25 GB of storage—was used to take down a Mirai CNC server in a controlled environment. All it takes is opening a few connections and sending an authentication request. Once the exploit is in play, the CNC server is effectively offline, and the attacker’s system resources return to normal, allowing the attack to persist in the background.

For those interested in the technical details, Masse has shared the exploit code on Pastebin, making it accessible to cybersecurity researchers and ethical hackers alike.
