lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 4 Apr 2014 15:08:49 -0300
From: Palula Brasil <palulabrasil@...il.com>
To: Full Disclosure <fulldisclosure@...lists.org>
Subject: [FD] Reflected Cross-Site Scripting within the ASUS RT-AC68U
	Managing Web Interface

=====[Alligator Security Team - Security Advisory]============================

  Reflected Cross-Site Scripting within the ASUS RT-AC68U Managing Web Interface

  Author: Joaquim Brasil de Oliveira  < palulabrasil () gmail com >
                                      < twitter.com/palulabr >

=====[Table of Contents]======================================================

1. Overview
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References

=====[1. Overview]============================================================

* Systems affected: ASUS RT-AC68U web interface - 3.0.0.4.374.4755 (verified)
                                                - 3.0.0.4.374_4887 (verified)
                                                - 3.0.0.4.374_4983 (verified)
                                             (other versions may be affected)

* Release date: 04/04/2014
* Impact: This vulnerability allows for performing attacks against third party
          users of the ASUS RT-AC68U web management platform, by luring them
          into clicking on a link provided with malicious content, which in
          turn, will execute on the context of the victim's browser.

The ASUS RT-AC68U is the world's fastest Wi-Fi router, with combined dual-band
data rates of up to 1900 Mbps. 1300 Mbps 802.11ac at 5 GHz gives Gigabit
wireless data rates, while Broadcom(R) TurboQAM(tm) technology super-charges 2.4 Ghz
802.11n performance from 450 Mbps to 600 Mbps with compatible devices[1].

=====[2. Detailed description]================================================

The ASUS RT-AC68U router has a web interface management tool designed to
graphically assist users in configuring various features and/or diagnosing
problems. However, there is a bug with the "Wireless" tab of this web management
interface that results in the possibility for an attacker to execute malicious
content within another user's browser by luring this given user (victim) into
visiting a specially crafted link.

Furthermore, in order to exploit this bug, the attacker needs to send the
following malicious link to the victim --- e.g: the router administrator:

https://[router's IP
address]/apply.cgi?next_page=Advanced_Wireless_Content.asp&current_page="><script>alert('XSS')</script><"&action_mode=change_wl_unit

When the victim clicks on the aforementioned link, because of the fact that the
"current_page" parameter is susceptible to refelected cross-site scripting
attacks, the malicious code stated in the given parameter will be executed ---
in this specific proof of concept, the code will trigger an alert box --- within
the victim's browser context.

This bug occurs because ASUS web management interface poorly validates data
output. Therefore, given the fact that HTML/Javascript code is interpreted by
browsers, the malicious code supplied by the attacker will be rendered in the
victim's browser.

It is important to mention that even if the victim is not logged in, whenever an
attacker sends the malicious link to her, the web management platform will
provide the authentication interface, and after that, redirect the victim to the
malicious target. So in order to exploit this vulnerability, the only
information the attacker needs to know, is a valid user within the system (e.g:
the router's administrator).

=====[3. Other contexts & solutions]==========================================

In order to erradicate this problem, it is imperative that the the server
enforces data output validation.

An additional measure regards filtering data input. Therefore, by applying both
these measures, all data input provided by third parties will be validated and
all data being ouputted by the server will also be validated.

=====[4. Timeline]============================================================

03/31/2014 - ASUS was contacted;
04/02/2014 - ASUS pushed a new beta firmware release (3.0.0.4.374_4983);
04/02/2014 - ASUS resolved issue in beta firmware release (3.0.0.4.374_5047);
04/04/2014 - ASUS pushed beta firmware 3.0.0.4.374_5047 from beta to stable;
04/04/2014 - Advisory publishing date.

=====[5. References]==========================================================

[1] http://www.asus.com/Networking/RTAC68U/
[2] http://www.asus.com/Networking/RTAC68U/#support

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ