### Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also where you can configure AiCloud 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a separate app, or restrict what you can change via mobile devices — you get full access to everything, from any device that can run a web browser” The vulnerabilities found are: * Access bypass * Configuration manipulation ### Credit An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response Asus were informed of the vulnerabilities and released patches...
### Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also where you can configure AiCloud 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a separate app, or restrict what you can change via mobile devices — you get full access to everything, from any device that can run a web browser” The vulnerabilities found are: * Access bypass * Configuration manipulation ### Credit An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response Asus were informed of the vulnerabilities and released patches to address them (version 3.0.0.4.384_10007). For more details: https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/ ### Vulnerabilities details The AsusWRT handle_request() code allows an unauthenticated user to perform a POST request for certain actions. AsusWRT_source/router/httpd/httpd.c: ``` handle_request(void) { ... handler->auth(auth_userid, auth_passwd, auth_realm); auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp); if (auth_result != 0) <--- auth fails { if(strcasecmp(method, "post") == 0){ if (handler->input) { handler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed } send_login_page(fromapp, auth_result, NULL, NULL, 0); } //if(!fromapp) http_logout(login_ip_tmp, cookies); return; } ... } ``` By POSTing to vpnupload.cgi, we invoke do_vpnupload_post(), which sets NVRAM configuration values directly from the request. AsusWRT_source/router/httpd/web.c: ``` do_vpnupload_post(char *url, FILE *stream, int len, char *boundary) { ... if (!strncasecmp(post_buf, "Content-Disposition:", 20)) { if(strstr(post_buf, "name=\"file\"")) break; else if(strstr(post_buf, "name=\"")) { offset = strlen(post_buf); fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); len -= strlen(post_buf) - offset; offset = strlen(post_buf); fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream); len -= strlen(post_buf) - offset; p = post_buf; name = strstr(p, "\"") + 1; p = strstr(name, "\""); strcpy(p++, "\0"); value = strstr(p, "\r\n\r\n") + 4; p = strstr(value, "\r"); strcpy(p, "\0"); //printf("%s=%s\n", name, value); nvram_set(name, value); } } ... } ``` An attacker can trigger the vulnerabilities and reset the admin password. Once that is done, the attacker can login to the web interface with the new password, enable SSH, reboot the router and login via SSH. Another option is to abuse infosvr, which is a UDP daemon running on port 9999. The daemon has a command mode which is only enabled if ateCommand_flag is set to 1. This flag is only enabled in very special cases, but we can enable it using the VPN configuration upload technique described above. Once that is done, all we need to do is send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root. ``` Packet structure (from AsusWRT_source/router/shared/iboxcom.h): - Header typedef struct iboxPKTEx { BYTEServiceID; BYTEPacketType; WORDOpCode; DWORD Info; // Or Transaction ID BYTEMacAddress[6]; BYTEPassword[32]; //NULL terminated string, string length:1~31, cannot be NULL string } ibox_comm_pkt_hdr_ex; - Body typedef struct iboxPKTCmd { WORDlen; BYTEcmd[420]; } PKT_SYSCMD;// total 422 bytes ```
