| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Jan 2018 23:47:42 +0100
From: Blazej Adamczyk <blazej.adamczyk@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Multiple vulnerabilities in all versions of ASUS routers
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ASUSWRT - HTTPD SERVER MULTIPLE VULNERABILITIES
Blazej Adamczyk | blazej.adamczyk@...il.com | [http://sploit.tech/]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
discovery date: 22.08.2017
1 ASUSWRT <= 3.0.0.4.382.18495 >3.0.0.4.376 - multiple vulnerabilities in httpd server
══════════════════════════════════════════════════════════════════════════════════════
(all versions of AsusWRT at the time of report to vendor, for previous
376 version see next section)
1. Highly predictable session tokens
The session token is generated for an authenticated user using
stdlib rand function. The token generation code looks as follows:
┌────
│ char *generate_token(void){
│ int a=0, b=0, c=0, d=0;
│ //char create_token[32]={0};
│ memset(gen_token,0,sizeof(gen_token));
│ srand (time(NULL)); //VULNERABLE
│ a=rand();
│ b=rand();
│ c=rand();
│ d=rand();
│ snprintf(gen_token, sizeof(gen_token),"%d%d%d%d", a, b, c, d);
│ return gen_token;
│ }
└────
The code initializes the random number generator each time a token
is generated with router epoch time.
An attacker can guess a token knowing more or less the time the
administrator has logged in.
CVE: CVE-2017-15654 Suggested CVSS v3: 8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (Attacker needs administrator
interaction and a way to overcome administrator IP check - see next
point)
Timeline:
• 17.09.2017 - vendor notified
• 07.11.2017 - vendor releases a fixed version 3.0.0.4.382.18495
2. Not sufficient logged user IP validation
An attacker who knows the session token can walkaround the IP
verification mechanism by sending requests with a special
useragent.
The following PoC will download current router configuration even
if issued from a different than the logged user IP address:
┌────
│ curl "http://ROUTERADDRESS/s.CFG" -H "Cookie: asus_token=TOKEN"
│ -H 'User-Agent: asusrouter-asusrouter-asusrouter-asusrouter'
└────
CVE: CVE-2017-15653 Suggested CVSS v3: 8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (Attacker needs the session
token to execute any action without IP check - see point above)
Timeline:
• 17.09.2017 - vendor notified
• 07.11.2017 - vendor releases a fixed version 3.0.0.4.382.18495
Note to vendor/mitre: for clarity please assign separate CVE to
this vulnerability
3. Password stored in plain text
Asus routers store password in plain text in NVRAM memory.
Executing nvram show, or downloading the backup file and decoding
it allows anyone to read the administrator password.
Having access to telnet (shell) one can execute:
┌────
│ nvram show
└────
For reading password from backup file see the exploit below. CVE:
CVE-2017-15656
Timeline:
• 17.09.2017 - vendor notified
• 03.01.2018 - vendor stated that the NVRAM will be crypted in
February this year
4. Logged-in information disclousure
An unauthenticated attacker can retrieve information about a
logged-in session (if and who [IP address] is currently logged in).
This itself is not a vulnerability but together with the two
previous it allows for a easy exploit.
┌────
│ curl "http://ROUTERADDRESS/Nologin.asp"
└────
Taking all the four together it is easy to gain router access by
waiting for an administrator login and retrieving the login/password
using his token. Finally it is possible to download the backup file
and read the administrator login and password. A ready script is
attached to this message.
Suggested CVSS v3 for all three (1-3): 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
2 ASUSWRT <=3.0.0.4.376.*
═════════════════════════
This vulnerability affects new Asus routers with not up-to-date
firmware, as well as some older end-of-life routers (e.g. RT-N65R,
RT-N65U)
1. Heap buffer overflow in multiple HTTP headers allows for an
unauthenticated remote code execution.
Multiple buffer overflow vulnerabilities in HTTPd server in Asus
asuswrt version <=3.0.0.4.376.X. All have been fixed in version
3.0.0.4.378, but this vulnerability was not previously disclosed.
Some end-of-life routers have this version as the newest so are
vulnerable at this time. This vulnerability allows for RCE with
administrator rights when the administrator visits serveral pages.
For example the "Host:" header is vulnerable and allows to override
the SystemCmd variable which then allows for RCE when the
administrator visits serveral pages (for example the network tools
router tab).
PoC (after running this script, when the administrator visists one
of several pages which trigger commands e.g. the network tools tab,
the script is being run and outputs the contents of nvram to a css
file which can be retrived without authentication)
┌────
│ curl 'http://routerIP:8080' -H "Host: xxxxxxxxxxxxxx
│ $(for i in $(seq 1 9700); do echo -n " "; done)
│ \$(nvram show > /www/user/nvram.css )"
└────
CVE: CVE-2017-15655 Suggested CVSS v3: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (Administrator needs to login
and visit certain page at the router website)
Timeline:
• 17.09.2017 - vendor notified
• 18.09.2017 - vendor REFUSED to fix the vulnerability as the
routers using the vulnerable firmware are already EOL
ALERT: Users having routers not upgradable from 3.0.0.4.376.* or
less should CLOSE the http from WAN and should restrict the access
to management port from LAN as well!
Download attachment "asuswrt.tar.gz" of type "application/x-compressed-tar" (1486 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (529 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists