Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

From: Maor Shwartz <maors () beyondsecurity com>
Date: Mon, 22 Jan 2018 14:00:06 +0200
SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Full report: https://blogs.securiteam.com/index.php/archives/3589
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in AsusWRT
Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to
LAN remote command execution on any Asus router.

AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT
graphical user interface gives you easy access to the 30-second, 3-step
web-based installation process. It’s also where you can configure AiCloud
2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a
separate app, or restrict what you can change via mobile devices — you get
full access to everything, from any device that can run a web browser”

The vulnerabilities found are:

Access bypass
Configuration manipulation

Credit
An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com),
has reported this vulnerability to Beyond Security’s SecuriTeam Secure
Disclosure program.

Vendor response
Asus were informed of the vulnerabilities and released patches to address
them (version 3.0.0.4.384_10007).

For more details:
https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

Vulnerabilities details
The AsusWRT handle_request() code allows an unauthenticated user to perform
a POST request for certain actions.

AsusWRT_source/router/httpd/httpd.c:

===

handle_request(void)

{

...

handler->auth(auth_userid, auth_passwd, auth_realm);

auth_result = auth_check(auth_realm, authorization, url, file, cookies,
fromapp);


if (auth_result != 0)                                     <--- auth fails

{

if(strcasecmp(method, "post") == 0){

if (handler->input) {

handler->input(file, conn_fp, cl, boundary);        <--- but POST request
is still processed

}

send_login_page(fromapp, auth_result, NULL, NULL, 0);

}

//if(!fromapp) http_logout(login_ip_tmp, cookies);

return;

}

...

}

===

By POSTing to vpnupload.cgi, we invoke do_vpnupload_post(), which sets
NVRAM configuration values directly from the request.

AsusWRT_source/router/httpd/web.c:

===

do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)

{

...

if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {

if(strstr(post_buf, "name=\"file\""))

break;

else if(strstr(post_buf, "name=\"")) {

offset = strlen(post_buf);

fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);

len -= strlen(post_buf) - offset;

offset = strlen(post_buf);

fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);

len -= strlen(post_buf) - offset;

p = post_buf;

name = strstr(p, "\"") + 1;

p = strstr(name, "\"");

strcpy(p++, "\0");

value = strstr(p, "\r\n\r\n") + 4;

p = strstr(value, "\r");

strcpy(p, "\0");

//printf("%s=%s\n", name, value);

nvram_set(name, value);

}

}

...

}

===

An attacker can trigger the vulnerabilities and reset the admin password.

Once that is done, the attacker can login to the web interface with the new
password, enable SSH, reboot the router and login via SSH.

Another option is to abuse infosvr, which is a UDP daemon running on port
9999.

The daemon has a command mode which is only enabled if ateCommand_flag is
set to 1.

This flag is only enabled in very special cases, but we can enable it using
the VPN configuration upload technique described above.

Once that is done, all we need to do is send a PKT_SYSCMD to infosvr.

The daemon will read a command from the packet and execute it as root.

===

Packet structure (from AsusWRT_source/router/shared/iboxcom.h):

- Header

  typedef struct iboxPKTEx

  {

    BYTE ServiceID;

    BYTE PacketType;

    WORD OpCode;

    DWORD Info; // Or Transaction ID

    BYTE MacAddress[6];

    BYTE Password[32];   //NULL terminated string, string length:1~31,
cannot be NULL string

  } ibox_comm_pkt_hdr_ex;


- Body

  typedef struct iboxPKTCmd

  {

    WORD len;

    BYTE cmd[420];

  } PKT_SYSCMD; // total 422 bytes

===

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Attachment: SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution.pdf
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: