Open Source and information security mailing list archives
 
Date: Fri, 26 Jan 2018 15:33:20 +0700
From: Pedro Ribeiro <pedrib@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

On 22 January 2018 at 19:00, Maor Shwartz <maors@...ondsecurity.com> wrote:

> SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution
>
> Full report: https://blogs.securiteam.com/index.php/archives/3589
> Twitter: @SecuriTeam_SSD
> Weibo: SecuriTeam_SSD
>
> Vulnerabilities Summary
> The following advisory describes two (2) vulnerabilities found in AsusWRT
> Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to
> LAN remote command execution on any Asus router.
>
> AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT
> graphical user interface gives you easy access to the 30-second, 3-step
> web-based installation process. It’s also where you can configure AiCloud
> 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a
> separate app, or restrict what you can change via mobile devices — you get
> full access to everything, from any device that can run a web browser”
>
> The vulnerabilities found are:
>
> Access bypass
> Configuration manipulation
>
> Credit
> An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com),
> has reported this vulnerability to Beyond Security’s SecuriTeam Secure
> Disclosure program.
>
> Vendor response
> Asus were informed of the vulnerabilities and released patches to address
> them (version 3.0.0.4.384_10007).
>
> For more details:
> https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
>
>
Just to add that MITRE has provided CVEs for the issues found:

Access bypass: CVE-2018-5999
Configuration manipulation: CVE-2018-6000

Thanks again to SecuriTeam for helping with the disclosure.

Advisory links have been updated:
https://blogs.securiteam.com/index.php/archives/3589
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

Regards,
Pedro
