ID OPENVAS:1361412562310903432 Type openvas Reporter Copyright (C) 2014 SecPod Modified 2020-05-05T00:00:00
Description
The host is running ASUS Router and is prone to multiple
vulnerabilities.
##############################################################################
# OpenVAS Vulnerability Test
#
# ASUS Router Multiple Vulnerabilities
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (C) 2014 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.903432");
script_version("2020-05-05T09:44:01+0000");
script_cve_id("CVE-2015-1437");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_tag(name:"last_modification", value:"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)");
script_tag(name:"creation_date", value:"2014-02-26 16:37:32 +0530 (Wed, 26 Feb 2014)");
script_name("ASUS Router Multiple Vulnerabilities");
script_tag(name:"summary", value:"The host is running ASUS Router and is prone to multiple
vulnerabilities.");
script_tag(name:"vuldetect", value:"Send a crafted exploit string via HTTP GET request and check whether it
is possible to read cookie or not.");
script_tag(name:"insight", value:"- The error page is accessible without authentication. This allows the
attacker to bypass same-origin policy restrictions enforced by XMLHttpRequest.
- The router error page 'error_page.htm' includes the current administrative
password in clear text.");
script_tag(name:"impact", value:"Successful exploitation will allow remote attackers to insert arbitrary HTML
and script code, which will be executed in a user's browser session in the
context of an affected site and also can conduct phishing attacks.");
script_tag(name:"affected", value:"- ASUS RT-N16
- ASUS RT-N10U, firmware 3.0.0.4.374_168
- ASUS RT-N56U, firmware 3.0.0.4.374_979
- ASUS DSL-N55U, firmware 3.0.0.4.374_1397
- ASUS RT-AC66U, firmware 3.0.0.4.374_2050
- ASUS RT-N15U, firmware 3.0.0.4.374_16
- ASUS RT-N53, firmware 3.0.0.4.374_311");
script_tag(name:"solution", value:"No known solution was made available for at least one year since the
disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to
upgrade to a newer release, disable respective features, remove the product or replace the product by another one.");
script_tag(name:"solution_type", value:"WillNotFix");
script_xref(name:"URL", value:"https://sintonen.fi/advisories/asus-router-auth-bypass.txt");
script_xref(name:"URL", value:"http://www.asus.com/Networking/RTN56U");
script_xref(name:"URL", value:"http://exploitsdownload.com/exploit/na/asus-router-authentication-bypass-cross-site-scripting");
script_category(ACT_ATTACK);
script_tag(name:"qod_type", value:"remote_vul");
script_copyright("Copyright (C) 2014 SecPod");
script_family("Web application abuses");
script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
asport = http_get_port(default:80);
banner = http_get_remote_headers(port: asport);
if(banner =~ 'WWW-Authenticate: Basic realm=".*(RT-|DSL-).*"')
{
url = "/error_page.htm?flag=%27%2balert(document.cookie)%2b%27";
if(http_vuln_check(port:asport, url:url, pattern:"alert\(document.cookie\)", check_header:TRUE,
extra_check:make_list("reboot_time")))
{
security_message(port:asport);
exit(0);
}
}
{"id": "OPENVAS:1361412562310903432", "type": "openvas", "bulletinFamily": "scanner", "title": "ASUS Router Multiple Vulnerabilities", "description": "The host is running ASUS Router and is prone to multiple\n vulnerabilities.", "published": "2014-02-26T00:00:00", "modified": "2020-05-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310903432", "reporter": "Copyright (C) 2014 SecPod", "references": ["http://exploitsdownload.com/exploit/na/asus-router-authentication-bypass-cross-site-scripting", "http://www.asus.com/Networking/RTN56U", "https://sintonen.fi/advisories/asus-router-auth-bypass.txt"], "cvelist": ["CVE-2015-1437"], "lastseen": "2020-05-08T11:03:18", "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1437"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31706", "SECURITYVULNS:VULN:13675"]}, {"type": "openvas", "idList": ["OPENVAS:903432"]}], "modified": "2020-05-08T11:03:18", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2020-05-08T11:03:18", "rev": 2}, "vulnersScore": 7.4}, "pluginID": "1361412562310903432", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# ASUS Router Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.903432\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_cve_id(\"CVE-2015-1437\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-26 16:37:32 +0530 (Wed, 26 Feb 2014)\");\n script_name(\"ASUS Router Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is running ASUS Router and is prone to multiple\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted exploit string via HTTP GET request and check whether it\n is possible to read cookie or not.\");\n\n script_tag(name:\"insight\", value:\"- The error page is accessible without authentication. This allows the\n attacker to bypass same-origin policy restrictions enforced by XMLHttpRequest.\n\n - The router error page 'error_page.htm' includes the current administrative\n password in clear text.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to insert arbitrary HTML\n and script code, which will be executed in a user's browser session in the\n context of an affected site and also can conduct phishing attacks.\");\n\n script_tag(name:\"affected\", value:\"- ASUS RT-N16\n\n - ASUS RT-N10U, firmware 3.0.0.4.374_168\n\n - ASUS RT-N56U, firmware 3.0.0.4.374_979\n\n - ASUS DSL-N55U, firmware 3.0.0.4.374_1397\n\n - ASUS RT-AC66U, firmware 3.0.0.4.374_2050\n\n - ASUS RT-N15U, firmware 3.0.0.4.374_16\n\n - ASUS RT-N53, firmware 3.0.0.4.374_311\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\n disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to\n upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"https://sintonen.fi/advisories/asus-router-auth-bypass.txt\");\n script_xref(name:\"URL\", value:\"http://www.asus.com/Networking/RTN56U\");\n script_xref(name:\"URL\", value:\"http://exploitsdownload.com/exploit/na/asus-router-authentication-bypass-cross-site-scripting\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nasport = http_get_port(default:80);\nbanner = http_get_remote_headers(port: asport);\n\nif(banner =~ 'WWW-Authenticate: Basic realm=\".*(RT-|DSL-).*\"')\n{\n url = \"/error_page.htm?flag=%27%2balert(document.cookie)%2b%27\";\n\n if(http_vuln_check(port:asport, url:url, pattern:\"alert\\(document.cookie\\)\", check_header:TRUE,\n extra_check:make_list(\"reboot_time\")))\n {\n security_message(port:asport);\n exit(0);\n }\n}\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2020-10-03T12:49:48", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 router with firmware 2.1.1.1.70 allow remote attackers to inject arbitrary web script or HTML via the flag parameter to (1) result_of_get_changed_status.asp or (2) error_page.htm.", "edition": 3, "cvss3": {}, "published": "2015-02-04T16:59:00", "title": "CVE-2015-1437", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1437"], "modified": "2018-10-09T19:55:00", "cpe": ["cpe:/o:asus:rt-n10\\+d1_firmware:2.1.1.1.70"], "id": "CVE-2015-1437", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1437", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:asus:rt-n10\\+d1_firmware:2.1.1.1.70:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-1437"], "description": "\r\n\r\n#####################################\r\nTitle:- Reflected XSS vulnarbility in Asus RT-N10 Plus router\r\nAuthor: Kaustubh G. Padwad\r\nProduct: ASUS Router RT-N10 Plus\r\nFirmware: 2.1.1.1.70\r\nSeverity: HIGH\r\nAuth: Not requierd\r\nCVE ID: CVE-2015-1437 \r\n# Description: \r\nVulnerable Parameter: flag=\r\n# Vulnerability Class:\r\nCross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))\r\n\r\n# About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise.As this does not requierd any authentication this can be a mass network compermising. \r\n\r\n#Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response.\r\n\r\n\r\n#Steps to Reproduce: (POC):\r\nAfter setting up router\r\nEnter this URL \r\n1.http://router/error_page.htm?flag=initial78846%27%3balert(document.lastmodified)%2f%2f372137b5d\r\n2.http://router/error_page.htm?flag=initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d\r\n\r\n\r\n# Disclosure: \r\n8-jan-2015 Repoerted to ASUS \r\n9-jan-2015 Asus confirm that they reported to concern department\r\n15-jan-2015 Ask for update from asus asus says reported to HQ\r\n28-jan-2015 Ask asus about reporting security foucus No reply from ASUS\r\n29-jan-2015 security focus bugtraq\r\n\r\n\r\n#credits:\r\nKaustubh Padwad\r\nInformation Security Researcher\r\nkingkaustubh@me.com\r\nhttps://twitter.com/s3curityb3ast\r\nhttp://breakthesec.com\r\nhttps://www.linkedin.com/in/kaustubhpadwad\r\n\r\n", "edition": 1, "modified": "2015-02-11T00:00:00", "published": "2015-02-11T00:00:00", "id": "SECURITYVULNS:DOC:31706", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31706", "title": "CVE-2015-1437 XSS In ASUS Router.", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "cvelist": ["CVE-2015-1437"], "description": "Full anonymous access is allowed be default. Authentication bypass. Crossite scripting.", "edition": 1, "modified": "2015-02-11T00:00:00", "published": "2015-02-11T00:00:00", "id": "SECURITYVULNS:VULN:13675", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13675", "title": "Asus RT routers unauthorized access", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-26T08:48:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1437"], "description": "The host is running ASUS Router and is prone to multiple\nvulnerabilities.", "modified": "2017-07-11T00:00:00", "published": "2014-02-26T00:00:00", "id": "OPENVAS:903432", "href": "http://plugins.openvas.org/nasl.php?oid=903432", "type": "openvas", "title": "ASUS Router Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_asus_routers_mult_vuln.nasl 6663 2017-07-11 09:58:05Z teissa $\n#\n# ASUS Router Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(903432);\n script_version(\"$Revision: 6663 $\");\n script_cve_id(\"CVE-2015-1437\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 11:58:05 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-26 16:37:32 +0530 (Wed, 26 Feb 2014)\");\n script_name(\"ASUS Router Multiple Vulnerabilities\");\n\n tag_summary =\n\"The host is running ASUS Router and is prone to multiple\nvulnerabilities.\";\n\n tag_vuldetect =\n\"Send a crafted exploit string via HTTP GET request and check whether it\nis possible to read cookie or not.\";\n\n tag_insight =\n\"- The error page is accessible without authentication. This allows the\n attacker to bypass same-origin policy restrictions enforced by\n XMLHttpRequest.\n- The router error page 'error_page.htm' includes the current administrative\n password in clear text.\";\n\n tag_impact =\n\"Successful exploitation will allow remote attackers to insert arbitrary HTML\nand script code, which will be executed in a user's browser session in the\ncontext of an affected site and also can conduct phishing attacks.\n\nImpact Level: Application\";\n\n tag_affected =\n\"ASUS RT-N16\nASUS RT-N10U, firmware 3.0.0.4.374_168\nASUS RT-N56U, firmware 3.0.0.4.374_979\nASUS DSL-N55U, firmware 3.0.0.4.374_1397\nASUS RT-AC66U, firmware 3.0.0.4.374_2050\nASUS RT-N15U, firmware 3.0.0.4.374_16\nASUS RT-N53, firmware 3.0.0.4.374_311 \";\n\n tag_solution =\n\"No Solution is available as of 26th February, 2014.Information regarding this\nissue will be updated once the solution details are available. For more\ninformation refer to http://www.asus.com/Networking/RTN56U\";\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"vuldetect\" , value : tag_vuldetect);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_xref(name : \"URL\" , value : \"https://sintonen.fi/advisories/asus-router-auth-bypass.txt\");\n script_xref(name : \"URL\" , value : \"http://exploitsdownload.com/exploit/na/asus-router-authentication-bypass-cross-site-scripting\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2014 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Variable Initialization\nasport = \"\";\nbanner = \"\";\n\n## Get HTTP Port\nasport = get_http_port(default:80);\nif(!asport){\n asport = 80;\n}\n\n## Check Port State\nif(!get_port_state(asport)){\n exit(0);\n}\n\nbanner = get_http_banner(port: asport);\n\n## Confirm the device from banner\nif(banner =~ 'WWW-Authenticate: Basic realm=\".*(RT-|DSL-).*\"')\n{\n ## Confirm the exploit\n url = \"/error_page.htm?flag=%27%2balert(document.cookie)%2b%27\";\n\n ## Confirm the exploit\n if(http_vuln_check(port:asport, url:url, pattern:\"alert\\(document.cookie\\)\", check_header:TRUE,\n extra_check:make_list(\"reboot_time\")))\n {\n security_message(port:asport);\n exit(0);\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
