首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution
来源:http://www.agileinfosec.co.uk/ 作者:Ribeiro 发布时间:2018-01-26  
>> Unauthenticated LAN remote code execution in AsusWRT
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 22/01/2018 / Last updated: 25/01/2018
 
 
>> Background and summary
AsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.
Thankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.
 
However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.
 
A special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).
 
 
>> Technical details:
#1
Vulnerability: HTTP server authentication bypass
CVE-2018-5999
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
 
The AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.
In AsusWRT_source/router/httpd/httpd.c:
 
handle_request(void)
{
...
    handler->auth(auth_userid, auth_passwd, auth_realm);
    auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);
 
    if (auth_result != 0)                                     <--- auth fails
    {
        if(strcasecmp(method, "post") == 0){
            if (handler->input) {
                handler->input(file, conn_fp, cl, boundary);        <--- but POST request is still processed
            }
            send_login_page(fromapp, auth_result, NULL, NULL, 0);
        }
        //if(!fromapp) http_logout(login_ip_tmp, cookies);
        return;
    }
...
}
 
This can (and will) be combined with other vulnerabilities to achieve remote code execution.
 
 
#2
Vulnerability: Unauthorised configuration change (NVRAM value setting)
CVE-2018-6000
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
 
By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.
In AsusWRT_source/router/httpd/web.c:
 
do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)
{
...
    if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {
        if(strstr(post_buf, "name=\"file\""))
            break;
        else if(strstr(post_buf, "name=\"")) {
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            p = post_buf;
            name = strstr(p, "\"") + 1;
            p = strstr(name, "\"");
            strcpy(p++, "\0");
            value = strstr(p, "\r\n\r\n") + 4;
            p = strstr(value, "\r");
            strcpy(p, "\0");
            //printf("%s=%s\n", name, value);
            nvram_set(name, value);
        }
    }
...
}
 
These NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.
 
Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.
 
A more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.
The daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).
 
However we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.
 
(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).
 
Packet structure (from AsusWRT_source/router/shared/iboxcom.h):
- Header
  typedef struct iboxPKTEx
  {
    BYTE        ServiceID;
    BYTE        PacketType;
    WORD        OpCode;
    DWORD       Info; // Or Transaction ID
    BYTE        MacAddress[6];
    BYTE        Password[32];   //NULL terminated string, string length:1~31, cannot be NULL string
  } ibox_comm_pkt_hdr_ex;
 
- Body
  typedef struct iboxPKTCmd
  {
    WORD        len;
    BYTE        cmd[420];       <--- command goes here
  } PKT_SYSCMD;     // total 422 bytes
 
A Metasploit module exploiting this vulnerability has been released [3].
 
 
>> Fix:
Upgrade to AsusWRT v3.0.0.4.384.10007 or above.
See [4] for the very few details and new firmware released by Asus.
 
 
>> References:
[1] https://blogs.securiteam.com/index.php/archives/3589
[2] https://github.com/jduck/asus-cmd
[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb
[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
 
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Oracle VirtualBox < 5.1.30 / <
·ASUS DSL-N14U B1 Router 1.1.2.
·RAVPower 2.000.056 - Root Remo
·Sync Breeze Enterprise 9.5.16
·Kaltura Remote PHP Code Execut
·GoAhead Web Server LD_PRELOAD
·MikroTik RouterOS < 6.38.5 Rem
·Asus Unauthenticated LAN Remot
·Photography CMS 1.0 - Cross-Si
·HP Connected Backup 8.6/8.8.6
·RAVPower 2.000.056 - Memory Di
·MixPad 5.00 - Buffer Overflow
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved