... Loading ...

SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router.
AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also where you can configure AiCloud 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a separate app, or restrict what you can change via mobile devices — you get full access to everything, from any device that can run a web browser”
The vulnerabilities found are:

  • Access bypass
  • Configuration manipulation

Credit
An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Asus were informed of the vulnerabilities and released patches to address them (version 3.0.0.4.384_10007).
For more details: https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
CVE: CVE-2018-5999 and CVE-2018-6000

Vulnerabilities details
The AsusWRT handle_request() code allows an unauthenticated user to perform a POST request for certain actions.
AsusWRT_source/router/httpd/httpd.c:

By POSTing to vpnupload.cgi, we invoke do_vpnupload_post(), which sets NVRAM configuration values directly from the request.
AsusWRT_source/router/httpd/web.c:

An attacker can trigger the vulnerabilities and reset the admin password.
Once that is done, the attacker can login to the web interface with the new password, enable SSH, reboot the router and login via SSH.
Another option is to abuse infosvr, which is a UDP daemon running on port 9999.
The daemon has a command mode which is only enabled if ateCommand_flag is set to 1.
This flag is only enabled in very special cases, but we can enable it using the VPN configuration upload technique described above.
Once that is done, all we need to do is send a PKT_SYSCMD to infosvr.
The daemon will read a command from the packet and execute it as root.

Proof of Concept

Print Friendly, PDF & Email