>> Unauthenticated LAN remote code execution in AsusWRT
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 22/01/2018 / Last updated: 25/01/2018
>> Background and summary
AsusWRT is the operating system used in mid-range and high-end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed-down profile suitable for running on resource-constrained routers.
Thankfully, ASUS is a responsible company: not only do they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall, the security of their operating system is pretty good, especially when compared to other router manufacturers.
However, due to a number of coding errors, it is possible for an unauthenticated attacker on the LAN to achieve remote code execution on the router as the root user.
A special thanks to the Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, which sped up the resolution of the issues discovered (see [1] for their advisory).
>> Technical details:
#1
Vulnerability: HTTP server authentication bypass
CVE-2018-5999
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
The AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to have a POST request processed for certain actions.
In AsusWRT_source/router/httpd/httpd.c:
handle_request(void)
{
    ...
    handler->auth(auth_userid, auth_passwd, auth_realm);
    auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);
    if (auth_result != 0)                                    /* <--- auth fails */
    {
        if(strcasecmp(method, "post") == 0){
            if (handler->input) {
                handler->input(file, conn_fp, cl, boundary); /* <--- but POST request is still processed */
            }
            send_login_page(fromapp, auth_result, NULL, NULL, 0);
        }
        //if(!fromapp) http_logout(login_ip_tmp, cookies);
        return;
    }
    ...
}
This can (and will) be combined with other vulnerabilities to achieve remote code execution.
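To make the ordering defect concrete, the following is an added example, not AsusWRT's code: it models the dispatch path twice, once with the ordering shown above, where a failed check still hands a POST body to handler->input() before the login page is sent, and once with the check gating the handler so an unauthenticated body is discarded unread. The handler table, the auth_check() stand-in and the "valid-session" token are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A handler has an optional input() routine that consumes a POST body and may
 * require authentication. Constructed model of the dispatch path, not the
 * AsusWRT source. */
typedef struct {
    const char *url;
    int requires_auth;
    void (*input)(const char *body);
} handler_t;

static int input_calls;           /* how many POST bodies reached a handler */

static void vpnupload_input(const char *body) {
    (void)body;
    input_calls++;                /* a real handler would parse the upload here */
}

static const handler_t handlers[] = {
    { "/vpnupload.cgi", 1, vpnupload_input },
    { "/Main_Login.asp", 0, NULL },
};

static const handler_t *find_handler(const char *url) {
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (strcmp(handlers[i].url, url) == 0)
            return &handlers[i];
    return NULL;
}

/* Stand-in for auth_check(): 0 on success, non-zero on failure. The only
 * valid credential is the constructed token "valid-session". */
static int auth_check(const handler_t *h, const char *authorization) {
    if (!h->requires_auth)
        return 0;
    return (authorization && strcmp(authorization, "valid-session") == 0) ? 0 : 1;
}

/* Vulnerable ordering, mirroring the advisory: inside the "auth failed"
 * branch the POST body is still handed to handler->input() before the login
 * page is sent. Returns how many times input() ran for this request. */
int dispatch_vulnerable(const char *method, const char *url,
                        const char *authorization, const char *body) {
    const handler_t *h = find_handler(url);
    int before = input_calls;
    if (!h)
        return 0;
    if (auth_check(h, authorization) != 0) {
        if (strcasecmp(method, "post") == 0 && h->input)
            h->input(body);       /* processed despite the failed check */
        /* send_login_page(...) would follow here */
        return input_calls - before;
    }
    if (strcasecmp(method, "post") == 0 && h->input)
        h->input(body);
    return input_calls - before;
}

/* Fixed ordering: a failed check returns the login page and the request body
 * is dropped unread; the handler is reached only after authentication. */
int dispatch_fixed(const char *method, const char *url,
                   const char *authorization, const char *body) {
    const handler_t *h = find_handler(url);
    int before = input_calls;
    if (!h)
        return 0;
    if (auth_check(h, authorization) != 0) {
        /* send_login_page(...); body drained and discarded, never parsed */
        return input_calls - before;
    }
    if (strcasecmp(method, "post") == 0 && h->input)
        h->input(body);
    return input_calls - before;
}

int main(void) {
    printf("vulnerable, no auth: input ran %d time(s)\n",
           dispatch_vulnerable("POST", "/vpnupload.cgi", NULL, "..."));
    printf("fixed, no auth:      input ran %d time(s)\n",
           dispatch_fixed("POST", "/vpnupload.cgi", NULL, "..."));
    printf("fixed, with auth:    input ran %d time(s)\n",
           dispatch_fixed("POST", "/vpnupload.cgi", "valid-session", "..."));
    return 0;
}
```

The point of the fixed variant is that nothing derived from the request body is executed until auth_check() has returned 0; whether the body is drained or the connection closed is an implementation choice, but in neither case may it reach a handler.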
#2
Vulnerability: Unauthorised configuration change (NVRAM value setting)
CVE-2018-6000
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.
In AsusWRT_source/router/httpd/web.c:
do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)
{
    ...
    if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {
        if(strstr(post_buf, "name=\"file\""))
            break;
        else if(strstr(post_buf, "name=\"")) {
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            offset = strlen(post_buf);
            fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
            len -= strlen(post_buf) - offset;
            p = post_buf;
            name = strstr(p, "\"") + 1;
            p = strstr(name, "\"");
            strcpy(p++, "
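As an added example that is not part of this advisory or of the AsusWRT source, the following shows how an upload handler of this kind can keep request-supplied field names from reaching nvram_set(): the name is extracted from the Content-Disposition line with explicit bounds checks, then compared against an allowlist of the keys the form is meant to set, and only an allowlisted key is stored. The allowlist entries, the lan_ipaddr counter-example, the sample header lines and the in-memory store standing in for NVRAM are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX  64
#define VALUE_MAX 128
#define STORE_MAX 8

/* Extract the quoted value of name="..." from one multipart
 * Content-Disposition line into out (bounded, NUL-terminated).
 * Returns 0 on success, -1 if the attribute is absent, unterminated,
 * empty or too long for the buffer. */
int parse_field_name(const char *line, char *out, size_t out_len) {
    const char *p = strstr(line, "name=\"");
    if (!p)
        return -1;
    p += strlen("name=\"");
    const char *end = strchr(p, '"');
    if (!end)
        return -1;                       /* unterminated quote */
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= out_len)
        return -1;                       /* empty, or would overflow out */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Convenience check: does the line's field name equal expected? */
int field_name_equals(const char *line, const char *expected) {
    char name[NAME_MAX];
    if (parse_field_name(line, name, sizeof name) != 0)
        return 0;
    return strcmp(name, expected) == 0;
}

/* Keys this upload handler is permitted to modify. Constructed for the
 * example; a real allowlist holds exactly the keys the form legitimately
 * submits, and nothing else. */
static const char *const settable_keys[] = { "vpn_upload_type", "vpn_upload_unit" };

int key_is_settable(const char *key) {
    for (size_t i = 0; i < sizeof settable_keys / sizeof settable_keys[0]; i++)
        if (strcmp(settable_keys[i], key) == 0)
            return 1;
    return 0;
}

/* In-memory stand-in for nvram_set()/nvram_get(). */
static struct { char key[NAME_MAX]; char value[VALUE_MAX]; } store[STORE_MAX];
static int store_n;

/* Hardened field handler: the key is parsed with bounds, checked against the
 * allowlist, and only then stored. Returns 1 if stored, 0 if rejected. */
int handle_form_field(const char *disposition_line, const char *value) {
    char name[NAME_MAX];
    if (parse_field_name(disposition_line, name, sizeof name) != 0)
        return 0;
    if (!key_is_settable(name))
        return 0;                        /* request-chosen key is refused */
    if (store_n >= STORE_MAX)
        return 0;
    snprintf(store[store_n].key, NAME_MAX, "%s", name);
    snprintf(store[store_n].value, VALUE_MAX, "%s", value);
    store_n++;
    return 1;
}

/* Look up a stored value; NULL if the key was never accepted. */
const char *stored_value(const char *key) {
    for (int i = 0; i < store_n; i++)
        if (strcmp(store[i].key, key) == 0)
            return store[i].value;
    return NULL;
}

int main(void) {
    /* Constructed multipart header lines: one legitimate form field and one
     * naming an unrelated NVRAM key. */
    const char *ok  = "Content-Disposition: form-data; name=\"vpn_upload_type\"";
    const char *bad = "Content-Disposition: form-data; name=\"lan_ipaddr\"";
    printf("%s -> stored=%d\n", ok,  handle_form_field(ok,  "ovpn"));
    printf("%s -> stored=%d\n", bad, handle_form_field(bad, "10.0.0.1"));
    return 0;
}
```

The allowlist is the part that matters for this class of bug: bounds checking alone stops memory corruption but still lets the request choose which configuration key is written, which is exactly what the advisory describes being abused.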
AsusWRT Router Remote Code Execution
Written by: khalil shreateh