=====[Alligator Security Team - Security Advisory]============================ Reflected Cross-Site Scripting within the ASUS RT-AC68U Managing Web Interface Author: Joaquim Brasil de Oliveira < palulabrasil () gmail com > < twitter.com/palulabr > =====[Table of Contents]====================================================== 1. Overview 2. Detailed description 3. Other contexts & solutions 4. Timeline 5. References =====[1. Overview]============================================================ * Systems affected: ASUS RT-AC68U web interface - 3.0.0.4.374.4755 (verified) - 3.0.0.4.374_4887 (verified) - 3.0.0.4.374_4983 (verified) (other versions may be affected) * Release date: 04/04/2014 * Impact: This vulnerability allows for performing attacks against third party users of the ASUS RT-AC68U web management platform, by luring them into clicking on a link provided with malicious content, which in turn, will execute on the context of the victim's browser. The ASUS RT-AC68U is the world's fastest Wi-Fi router, with combined dual-band data rates of up to 1900 Mbps. 1300 Mbps 802.11ac at 5 GHz gives Gigabit wireless data rates, while Broadcom(R) TurboQAM(tm) technology super-charges 2.4 Ghz 802.11n performance from 450 Mbps to 600 Mbps with compatible devices[1]. =====[2. Detailed description]================================================ The ASUS RT-AC68U router has a web interface management tool designed to graphically assist users in configuring various features and/or diagnosing problems. However, there is a bug with the "Wireless" tab of this web management interface that results in the possibility for an attacker to execute malicious content within another user's browser by luring this given user (victim) into visiting a specially crafted link. Furthermore, in order to exploit this bug, the attacker needs to send the following malicious link to the victim --- e.g: the router administrator: https://[router's IP address]/apply.cgi?next_page=Advanced_Wireless_Content.asp&current_page="><script>alert('XSS')</script><"&action_mode=change_wl_unit When the victim clicks on the aforementioned link, because of the fact that the "current_page" parameter is susceptible to refelected cross-site scripting attacks, the malicious code stated in the given parameter will be executed --- in this specific proof of concept, the code will trigger an alert box --- within the victim's browser context. This bug occurs because ASUS web management interface poorly validates data output. Therefore, given the fact that HTML/Javascript code is interpreted by browsers, the malicious code supplied by the attacker will be rendered in the victim's browser. It is important to mention that even if the victim is not logged in, whenever an attacker sends the malicious link to her, the web management platform will provide the authentication interface, and after that, redirect the victim to the malicious target. So in order to exploit this vulnerability, the only information the attacker needs to know, is a valid user within the system (e.g: the router's administrator). =====[3. Other contexts & solutions]========================================== In order to erradicate this problem, it is imperative that the the server enforces data output validation. An additional measure regards filtering data input. Therefore, by applying both these measures, all data input provided by third parties will be validated and all data being ouputted by the server will also be validated. =====[4. Timeline]============================================================ 03/31/2014 - ASUS was contacted; 04/02/2014 - ASUS pushed a new beta firmware release (3.0.0.4.374_4983); 04/02/2014 - ASUS resolved issue in beta firmware release (3.0.0.4.374_5047); 04/04/2014 - ASUS pushed beta firmware 3.0.0.4.374_5047 from beta to stable; 04/04/2014 - Advisory publishing date. =====[5. References]========================================================== [1] http://www.asus.com/Networking/RTAC68U/ [2] http://www.asus.com/Networking/RTAC68U/#support