Re: [FD] SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution



On 22 January 2018 at 19:00, Maor Shwartz <maors AT beyondsecurity.com> wrote:

> SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution
>
> Full report: https://blogs.securiteam.com/index.php/archives/3589
> Twitter: @SecuriTeam_SSD
> Weibo: SecuriTeam_SSD
>
> Vulnerabilities Summary
> The following advisory describes two (2) vulnerabilities found in AsusWRT
> Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to
> LAN remote command execution on any Asus router.
>
> AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT
> graphical user interface gives you easy access to the 30-second, 3-step
> web-based installation process. It’s also where you can configure AiCloud
> 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a
> separate app, or restrict what you can change via mobile devices — you get
> full access to everything, from any device that can run a web browser”
>
> The vulnerabilities found are:
>
> Access bypass
> Configuration manipulation
>
> Credit
> An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com),
> has reported this vulnerability to Beyond Security’s SecuriTeam Secure
> Disclosure program.
>
> Vendor response
> Asus were informed of the vulnerabilities and released patches to address
> them (version 3.0.0.4.384_10007).
>
> For more details:
> https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
>
>
Just to add that MITRE has provided CVEs for the issues found:

Access bypass: CVE-2018-5999
Configuration manipulation: CVE-2018-6000

Thanks again to SecuriTeam for helping with the disclosure.

Advisory links have been updated:
https://blogs.securiteam.com/index.php/archives/3589
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

Regards,
Pedro

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/