Document Title:
===============
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability
Date:
=====
2018-06-26
References:
===========
https://www.vulnerability-lab.com/get_content.php?id=1993
VL-ID:
=====
1993
Common Vulnerability Scoring System:
====================================
3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Introduction:
=============
802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports several operation modes to meet
different requirements. Please select the mode that matches your situation. Wireless router mode (Default),
Access Point (AP) mode or Media bridge. In wireless router/ IP sharing mode, RT-AC66U connects to the
Internet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the wireless network to LAN clients or
devices. In this mode, NAT, firewall, and DHCP server are enabled by default. UPnP and Dynamic DNS
are supported for SOHO and home users. Select this mode if you are a first-time user or you are not
currently using any wired/wireless routers. The ASUS RT-AC66U is a 5th gen dual-band Wi-Fi router,
and the launch platform for the new ASUS AiCloud service. Its speed reaches 1.75Gbps, utilizing the
Broadcom 802.11ac Wi-Fi controller and working in 2.4GHz and 5GHz. The 5GHz band supports up to 1.3Gbps,
exceeding current Gigabit wired transmission and 3X faster than 802.11n. The RT-AC66U offers smooth
lag-resistant multitasking and super-fast streaming, while ASUS AiRadar intelligently strengthens wireless
connections via powerful amplification, offering future-proof optimized performance.
(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )
Abstract:
=========
The Vulnerability Laboratory core research team discovered multiple cross site scripting vulnerabilities
in the official ASUS Wireless Router RT Firmware v3.0.0.4.372_67.
Report-Timeline:
================
2018-06-27: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
ASUS
Product: WRT - Wireless Router (UI) v3.0.0.4.372_67
Exploitation-Technique:
=======================
Local
Severity:
=========
Medium
Details:
========
A cross site scripting vulnerability has been discovered in the ASUS Wireless Router RT Firmware v3.0.0.4.372_67.
The cross site scripting web vulnerability allows remote attackers to inject their own malicious script code on the
application side of the vulnerable function or service module.
The cross site scripting vulnerability is located in the `Client Name` input field of the `Parental Control` module.
The client name input is not securely parsed, which allows an attacker to manipulate the client list on the index
page of the module. The request method used to inject is POST and the attack vector is located on the application
side. Because no session cookies are reachable from the panel UI, low privileged user accounts are only able to
redirect users or deliver malicious content to the client side for execution. The injected content is first stored
client-side; after the Apply function is used, it is saved permanently to the image db.
The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a CVSS
(Common Vulnerability Scoring System) count of 3.0. Exploitation of the client-side web vulnerability requires
a privileged web-application user account and low user interaction. Successful exploitation of the vulnerability
results in non-persistent phishing, session hijacking, non-persistent external redirects to malicious sources and
client-side manipulation of affected or connected web module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Parental Control
Vulnerable Parameter(s):
[+] Client Name
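The defect described above is the classic stored XSS pattern: a device label typed into the `Client Name` field is persisted by the Apply step and later written straight into the client list markup. The example below is added here for illustration and is not code from the advisory or from the ASUS firmware; the handler and field names (`applyClientName`, `renderClientRowSafe`, `client.name`, `client.mac`) and the sample client records are assumptions constructed for this demonstration. It shows the vulnerable rendering beside a hardened version that applies both an allow-list check at save time and HTML output encoding at render time, so that a name carrying markup is neither persisted nor interpreted by the browser.

```javascript
// Added example, not part of the advisory or the ASUS firmware.
// Names (applyClientName, renderClientRow*, client.name, client.mac) are assumptions.

// Output encoding for the HTML text context: every character that can start or
// terminate a tag or attribute is replaced with its entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow-list validation at save time: a client name is a short device label, so
// only letters, digits, space, dot, dash and underscore are accepted (1-32 chars).
const CLIENT_NAME_RE = /^[A-Za-z0-9 ._-]{1,32}$/;
function isValidClientName(name) {
  return typeof name === "string" && CLIENT_NAME_RE.test(name);
}

// Vulnerable pattern: the stored name is concatenated directly into the markup,
// so any tags inside it are interpreted by the browser of whoever views the list.
function renderClientRowUnsafe(client) {
  return `<tr><td>${client.mac}</td><td>${client.name}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function renderClientRowSafe(client) {
  return `<tr><td>${escapeHtml(client.mac)}</td><td>${escapeHtml(client.name)}</td></tr>`;
}

// Save-time handler standing in for the Apply step: reject names that fail the
// allow-list before they reach persistent storage, so a hostile name is never
// stored even if a rendering path somewhere else forgets to encode.
function applyClientName(store, mac, name) {
  if (!isValidClientName(name)) {
    return { ok: false, error: "invalid client name" };
  }
  store[mac] = name;
  return { ok: true };
}

// Render the whole list the way the module's index page would.
function renderClientList(clients, rowRenderer) {
  return `<table>${clients.map(rowRenderer).join("")}</table>`;
}

// Constructed sample records: one benign label and one carrying a script tag.
const sampleClients = [
  { mac: "AA:BB:CC:DD:EE:01", name: "office-pc" },
  { mac: "AA:BB:CC:DD:EE:02", name: "<script>alert(1)</script>" },
];

// Stand-alone demonstration: the unsafe list contains a live <script> element,
// the safe list contains only escaped text.
console.log(renderClientList(sampleClients, renderClientRowUnsafe));
console.log(renderClientList(sampleClients, renderClientRowSafe));
```

The two controls are deliberately independent: the allow-list keeps hostile labels out of the persisted configuration (the step the advisory identifies as making the injection permanent), while output encoding protects any page that still renders older or imported names.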
Proof of Concept:
=================
The cross site scripting vulnerability can be exploited by remote attackers with a privileged user account and low user interaction.
For a security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.
PoC: Exploitation