RMerlin builds vulnerable to CVE-2013-6343?

robvanhooren

comments on whether RMerlin's build is vulnerable (or patched-in vXXX)?

thx.

R.

---
fyi ac66u n56u v3.0.0.4.374_979

asus -- rt-ac66u_firmware

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6343

Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT-AC66U routers with firmware 3.0.0.4.374_979 allow remote attackers to execute arbitrary code via the (1) apps_name or (2) apps_flag parameter to APP_Installation.asp.
2014-01-22 10.0 CVE-2013-6343
 
I wonder if Merlin knows if this is still an issue or not.

Can't say since, as usual, they provide no useful info. Hell, they didn't bother to do something that might have been actually useful, like, test the latest version, and then advise users to update to said version to protect themselves. Sensationalism over usefulness, as usual...

The proof of concept Python script didn't work for me, it ended with a vague

Code:
[!!!] ERROR! <class 'httplib.BadStatusLine'> '' [!!!]

after sending its payload. So either it has been fixed long ago (979 code is about three months old now, after all), or their proof of concept is broken.
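
For readers who want to check their own web logs against the CVE description quoted in this thread, here is an added example (not part of any post above, and not ASUS or Asuswrt-Merlin code). It flags requests to APP_Installation.asp whose apps_name or apps_flag value is unusually long; the common-log-format input, the 64-byte threshold and the sample lines are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

TARGET_PAGE = "APP_Installation.asp"          # page named in CVE-2013-6343
WATCHED_PARAMS = ("apps_name", "apps_flag")   # parameters named in the CVE
MAX_LEN = 64  # assumption: legitimate values are short names or flags


def suspicious_requests(log_lines, max_len=MAX_LEN):
    """Return (line_no, param, decoded_length) for over-long watched parameters."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        parts = line.split('"')
        if len(parts) < 3:
            continue                      # no quoted request field
        request = parts[1].split()
        if len(request) < 2:
            continue                      # malformed request line
        url = urlsplit(request[1])
        if not url.path.lower().endswith("/" + TARGET_PAGE.lower()):
            continue
        # latin-1 maps every percent-decoded byte to one character,
        # so len() below counts bytes as the server would receive them.
        for name, value in parse_qsl(url.query, keep_blank_values=True,
                                     encoding="latin-1"):
            if name in WATCHED_PARAMS and len(value) > max_len:
                findings.append((line_no, name, len(value)))
    return findings


# Constructed sample lines in common log format (not from a real device).
PREFIX = '192.168.1.20 - - [22/Jan/2014:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    PREFIX + '/APP_Installation.asp?apps_name=example&apps_flag=sda1 HTTP/1.1" 200 512',
    PREFIX + '/APP_Installation.asp?apps_name=' + "A" * 300 + '&apps_flag=sda1 HTTP/1.1" 200 0',
    PREFIX + '/APP_Installation.asp?apps_name=x&apps_flag=' + "%41" * 200 + ' HTTP/1.1" 200 0',
    PREFIX + '/index.asp?apps_name=' + "B" * 300 + ' HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, param, length in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {param} is {length} bytes after decoding")
```

A hit only shows that an over-long value was sent; it does not tell you whether the firmware that received it was affected.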
 