Date: Mon, 22 Jan 2018 14:00:06 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Full report: https://blogs.securiteam.com/index.php/archives/3589
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in AsusWRT
Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to
LAN remote command execution on any Asus router.

AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT
graphical user interface gives you easy access to the 30-second, 3-step
web-based installation process. It’s also where you can configure AiCloud
2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a
separate app, or restrict what you can change via mobile devices — you get
full access to everything, from any device that can run a web browser”

The vulnerabilities found are:

Access bypass
Configuration manipulation

Credit
An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com),
has reported these vulnerabilities to Beyond Security's SecuriTeam Secure
Disclosure program.

Vendor response
Asus were informed of the vulnerabilities and released patches to address
them (version 3.0.0.4.384_10007).

For more details:
https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

Vulnerabilities details
The AsusWRT handle_request() code hands the body of a POST request to the
action's input handler even when authentication has failed, so an
unauthenticated user can perform certain POST actions.

AsusWRT_source/router/httpd/httpd.c:

===
handle_request(void)
{
    ...
    handler->auth(auth_userid, auth_passwd, auth_realm);
    auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);

    if (auth_result != 0)                                     <--- auth fails
    {
        if(strcasecmp(method, "post") == 0){
            if (handler->input) {
                handler->input(file, conn_fp, cl, boundary);  <--- but POST request is still processed
            }
            send_login_page(fromapp, auth_result, NULL, NULL, 0);
        }
        //if(!fromapp) http_logout(login_ip_tmp, cookies);
        return;
    }
    ...
}
===
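The order-of-operations problem in the excerpt above is easier to see in a reduced model. The following C program is an added example, not Asus code and not the vendor's patch: it simulates the dispatch decision with a request_t/outcome_t pair (both names are assumptions made for this illustration), first in the excerpt's vulnerable order and then in a hardened order where an authentication failure returns the login page without ever consulting handler->input.

```c
/* Added example (not AsusWRT code): miniature model of the dispatch logic in
 * handle_request(), vulnerable ordering beside a hardened one. request_t,
 * outcome_t and the function names are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, as used in the original excerpt */

typedef struct {
    const char *method;      /* "GET" or "POST" */
    int auth_result;         /* stands in for auth_check(): 0 = ok, nonzero = fail */
    int has_input_handler;   /* whether handler->input is non-NULL for this URL */
} request_t;

typedef struct {
    int input_handler_ran;   /* handler->input() was invoked on the body */
    int login_page_sent;     /* send_login_page() was invoked */
} outcome_t;

/* Same shape as the excerpt: on an unauthenticated POST the body handler is
 * consulted before the login page goes out. The non-POST branch is elided in
 * the excerpt, so it is not modelled here. */
outcome_t vulnerable_dispatch(const request_t *req)
{
    outcome_t out = {0, 0};
    if (req->auth_result != 0) {
        if (strcasecmp(req->method, "post") == 0) {
            if (req->has_input_handler)
                out.input_handler_ran = 1;   /* unauthenticated body processed */
            out.login_page_sent = 1;
        }
        return out;
    }
    if (req->has_input_handler)
        out.input_handler_ran = 1;           /* authenticated request */
    return out;
}

/* Hardened ordering (illustrative, not the vendor's fix): an auth failure
 * short-circuits before any body handler is looked at. */
outcome_t hardened_dispatch(const request_t *req)
{
    outcome_t out = {0, 0};
    if (req->auth_result != 0) {
        out.login_page_sent = 1;             /* reply, never touch the body */
        return out;
    }
    if (req->has_input_handler)
        out.input_handler_ran = 1;
    return out;
}

/* Probes used by main() and by tests: 1 if the body handler ran. */
int vulnerable_runs_body_unauthenticated(void)
{
    request_t r = {"POST", 1, 1};
    return vulnerable_dispatch(&r).input_handler_ran;
}
int hardened_runs_body_unauthenticated(void)
{
    request_t r = {"POST", 1, 1};
    return hardened_dispatch(&r).input_handler_ran;
}
int hardened_sends_login_page_unauthenticated(void)
{
    request_t r = {"POST", 1, 1};
    return hardened_dispatch(&r).login_page_sent;
}
int hardened_runs_body_authenticated(void)
{
    request_t r = {"POST", 0, 1};
    return hardened_dispatch(&r).input_handler_ran;
}

int main(void)
{
    printf("vulnerable, unauthenticated POST: body handler ran = %d\n",
           vulnerable_runs_body_unauthenticated());
    printf("hardened,   unauthenticated POST: body handler ran = %d\n",
           hardened_runs_body_unauthenticated());
    return 0;
}
```

The point of the model is that the decision "is this request authenticated?" must be the first thing that gates any handler which reads the request body; in the excerpt it only gates the response, which is why a rejected POST still reaches do_vpnupload_post().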

By POSTing to vpnupload.cgi, we invoke do_vpnupload_post(), which sets
NVRAM configuration values directly from the request.

AsusWRT_source/router/httpd/web.c:

===
do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)
{
    ...
    if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {
        if(strstr(post_buf, "name=\"file\""))
            break;
        else if(strstr(post_buf, "name=\"")) {
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            p = post_buf;
            name = strstr(p, "\"") + 1;
            p = strstr(name, "\"");
            strcpy(p++, "\0");
            value = strstr(p, "\r\n\r\n") + 4;
            p = strstr(value, "\r");
            strcpy(p, "\0");
            //printf("%s=%s\n", name, value);
            nvram_set(name, value);
        }
    }
    ...
}
===
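Two things are missing in the excerpt above: no strstr() result is checked before it is used (a part without a closing quote or blank line makes the code write through a NULL-derived pointer), and whatever name arrives in the form part goes straight to nvram_set(). The following C program is an added example, not Asus code: a bounds-checked extraction of the same name/value pair, followed by an allowlist gate in front of a stand-in for nvram_set(). The allowlist contents, the function names and the sample multipart parts are constructed for this illustration; the real set of keys the VPN upload page needs to write is not on the page.

```c
/* Added example (not AsusWRT code): bounds-checked name/value extraction for
 * one multipart part, plus an allowlist gate in front of a stand-in for
 * nvram_set(). Allowlist keys, names and sample parts are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_CAP  64
#define VALUE_CAP 256

/* Extract the name="..." token and the value after the part's blank line.
 * Every search result is checked and both outputs are length-limited.
 * Returns 0 on success, -1 if the part is malformed or a field is too long. */
int parse_form_part(const char *part, char *name, size_t name_cap,
                    char *value, size_t value_cap)
{
    const char *n = strstr(part, "name=\"");
    if (n == NULL) return -1;
    n += strlen("name=\"");
    const char *n_end = strchr(n, '"');
    if (n_end == NULL) return -1;                 /* no closing quote */
    size_t n_len = (size_t)(n_end - n);
    if (n_len == 0 || n_len >= name_cap) return -1;

    const char *v = strstr(n_end, "\r\n\r\n");
    if (v == NULL) return -1;                     /* no blank line */
    v += 4;
    const char *v_end = strchr(v, '\r');
    if (v_end == NULL) return -1;                 /* unterminated value */
    size_t v_len = (size_t)(v_end - v);
    if (v_len >= value_cap) return -1;

    memcpy(name, n, n_len);   name[n_len] = '\0';
    memcpy(value, v, v_len);  value[v_len] = '\0';
    return 0;
}

/* Constructed allowlist of NVRAM keys this upload handler may write. */
static const char *const allowed_keys[] = { "vpn_example_key", "vpn_example_mode" };

static int key_allowed(const char *name)
{
    for (size_t i = 0; i < sizeof allowed_keys / sizeof allowed_keys[0]; i++)
        if (strcmp(name, allowed_keys[i]) == 0) return 1;
    return 0;
}

/* Stand-in for nvram_set(): records the last accepted pair so the effect is
 * observable. Returns 1 if stored, 0 if rejected by the allowlist. */
static char last_name[NAME_CAP], last_value[VALUE_CAP];
int guarded_nvram_set(const char *name, const char *value)
{
    if (!key_allowed(name)) return 0;
    snprintf(last_name, sizeof last_name, "%s", name);
    snprintf(last_value, sizeof last_value, "%s", value);
    return 1;
}
const char *last_stored_value(void) { return last_value; }

/* One part end-to-end. Returns 1 stored, 0 rejected, -1 malformed. */
int process_part(const char *part)
{
    char name[NAME_CAP], value[VALUE_CAP];
    if (parse_form_part(part, name, sizeof name, value, sizeof value) != 0)
        return -1;
    return guarded_nvram_set(name, value);
}

int main(void)
{
    /* Constructed sample parts. */
    const char *ok  = "Content-Disposition: form-data; name=\"vpn_example_key\"\r\n\r\nhello\r\n";
    const char *bad = "Content-Disposition: form-data; name=\"some_other_key\"\r\n\r\nx\r\n";
    const char *cut = "Content-Disposition: form-data; name=\"unterminated";
    printf("allowed=%d rejected=%d malformed=%d\n",
           process_part(ok), process_part(bad), process_part(cut));
    return 0;
}
```

The allowlist is the substantive control: with it in place, reaching this handler unauthenticated no longer translates into writing arbitrary configuration. The NULL and length checks are the robustness fix the original parsing also lacks.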

An attacker can trigger the vulnerabilities and reset the admin password.

Once that is done, the attacker can log in to the web interface with the new
password, enable SSH, reboot the router and log in via SSH.

Another option is to abuse infosvr, which is a UDP daemon running on port
9999.

The daemon has a command mode which is only enabled if ateCommand_flag is
set to 1.

This flag is only enabled in very special cases, but we can enable it using
the VPN configuration upload technique described above.

Once that is done, all we need to do is send a PKT_SYSCMD to infosvr.

The daemon will read a command from the packet and execute it as root.

===
Packet structure (from AsusWRT_source/router/shared/iboxcom.h):

- Header

  typedef struct iboxPKTEx
  {
    BYTE ServiceID;
    BYTE PacketType;
    WORD OpCode;
    DWORD Info; // Or Transaction ID
    BYTE MacAddress[6];
    BYTE Password[32];   // NULL terminated string, string length: 1~31, cannot be NULL string
  } ibox_comm_pkt_hdr_ex;

- Body

  typedef struct iboxPKTCmd
  {
    WORD len;
    BYTE cmd[420];
  } PKT_SYSCMD; // total 422 bytes
===
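For anyone monitoring UDP/9999 on a LAN, the two structs above give enough to decode what a datagram carries and log it. The following C program is an added example, not Asus code: a bounds-checked decoder for the iboxPKTEx header and PKT_SYSCMD body. It assumes the wire image is the packed, little-endian layout of the two structs with no padding between fields (field offsets follow from the declarations, header 46 bytes, body 422); it enforces the Password rule stated in the header comment (NUL-terminated, 1 to 31 characters) and refuses a len field larger than cmd[] can hold. The ServiceID, PacketType, OpCode and Info values in the sample datagram are placeholders, not real infosvr constants, and the sample is constructed only so the decoder can be exercised.

```c
/* Added example (not AsusWRT code): bounds-checked decoder for the iboxPKTEx
 * header and PKT_SYSCMD body. Assumes packed little-endian layout; header
 * field values in the sample are placeholders, not real infosvr constants. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IBOX_HDR_LEN  46   /* 1 + 1 + 2 + 4 + 6 + 32 bytes, assuming no padding */
#define IBOX_CMD_MAX  420  /* cmd[420] in PKT_SYSCMD */
#define IBOX_BODY_LEN 422  /* WORD len + cmd[420]: "total 422 bytes" */
#define SAMPLE_CMD    "constructed-sample-text"   /* placeholder body text */

typedef struct {
    uint8_t  service_id, packet_type;
    uint16_t opcode;
    uint32_t info;
    uint8_t  mac[6];
    char     password[33];           /* NUL-terminated copy of Password[32] */
    uint16_t cmd_len;                /* the body's len field as sent */
    char     cmd[IBOX_CMD_MAX + 1];  /* NUL-terminated copy of cmd[] */
} ibox_decoded_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one datagram. Returns 0 on success; -1 if shorter than header plus
 * body; -2 if Password breaks the stated rule (NUL-terminated, length 1..31);
 * -3 if len claims more bytes than cmd[] holds, a value a receiver must not
 * act on. */
int ibox_decode(const uint8_t *pkt, size_t pkt_len, ibox_decoded_t *out)
{
    if (pkt_len < IBOX_HDR_LEN + IBOX_BODY_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->service_id  = pkt[0];
    out->packet_type = pkt[1];
    out->opcode      = rd16(pkt + 2);
    out->info        = rd32(pkt + 4);
    memcpy(out->mac, pkt + 8, 6);
    memcpy(out->password, pkt + 14, 32);          /* password[32] stays 0 */
    if (pkt[14] == 0 || memchr(pkt + 14, 0, 32) == NULL) return -2;
    const uint8_t *body = pkt + IBOX_HDR_LEN;
    out->cmd_len = rd16(body);
    if (out->cmd_len > IBOX_CMD_MAX) return -3;
    memcpy(out->cmd, body + 2, out->cmd_len);     /* cmd[cmd_len] stays 0 */
    return 0;
}

/* Test fixture: a constructed datagram with placeholder header values and a
 * caller-chosen len field. Returns the datagram length. */
size_t sample_datagram(uint8_t *buf, uint16_t len_field)
{
    static const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    memset(buf, 0, IBOX_HDR_LEN + IBOX_BODY_LEN);
    buf[0] = 0x01; buf[1] = 0x02;                 /* ServiceID, PacketType */
    buf[2] = 0x34; buf[3] = 0x12;                 /* OpCode 0x1234, LE */
    buf[4] = 0x78; buf[5] = 0x56; buf[6] = 0x34; buf[7] = 0x12; /* Info */
    memcpy(buf + 8, mac, 6);
    memcpy(buf + 14, "sample-pass", 11);          /* Password, 1..31 chars */
    buf[IBOX_HDR_LEN]     = (uint8_t)(len_field & 0xff);
    buf[IBOX_HDR_LEN + 1] = (uint8_t)(len_field >> 8);
    memcpy(buf + IBOX_HDR_LEN + 2, SAMPLE_CMD, strlen(SAMPLE_CMD));
    return IBOX_HDR_LEN + IBOX_BODY_LEN;
}

/* Probes for main() and tests. */
int sample_rc(uint16_t len_field)
{
    uint8_t buf[IBOX_HDR_LEN + IBOX_BODY_LEN];
    ibox_decoded_t d;
    size_t n = sample_datagram(buf, len_field);
    return ibox_decode(buf, n, &d);
}
int sample_fields_ok(void)
{
    uint8_t buf[IBOX_HDR_LEN + IBOX_BODY_LEN];
    ibox_decoded_t d;
    size_t n = sample_datagram(buf, (uint16_t)strlen(SAMPLE_CMD));
    if (ibox_decode(buf, n, &d) != 0) return 0;
    return d.opcode == 0x1234 && d.info == 0x12345678u && d.mac[5] == 0x55 &&
           strcmp(d.password, "sample-pass") == 0 && strcmp(d.cmd, SAMPLE_CMD) == 0;
}
int truncated_rc(void)
{
    uint8_t buf[IBOX_HDR_LEN + IBOX_BODY_LEN];
    ibox_decoded_t d;
    sample_datagram(buf, 1);
    return ibox_decode(buf, IBOX_HDR_LEN, &d);    /* header only, no body */
}

int main(void)
{
    printf("well-formed rc=%d, fields ok=%d, oversized len rc=%d, truncated rc=%d\n",
           sample_rc((uint16_t)strlen(SAMPLE_CMD)), sample_fields_ok(),
           sample_rc(421), truncated_rc());
    return 0;
}
```

A monitor built on this decoder can raise an alert whenever a datagram with a non-empty command body arrives on UDP/9999 from a LAN host, which on a router where ateCommand_flag is never legitimately set is a signal worth logging regardless of the opcode.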

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
