Five vulnerabilities in the firmware of the ASUS gaming router GT-AC5300
- Publisher: TWCERT/CC
- Updated: 2019-04-03
CVE numbers
Body
● Overview:
Republic of Gamers (ROG) is the brand of wireless gaming routers developed by ASUS. Its ROG Rapture GT-AC5300 is marketed as using security technologies such as AiProtection and Trend Micro IPS, yet several vulnerabilities were recently disclosed in firmware version 3.0.0.4.384_32738, released in August. Sending the single-line request " GET / HTTP/1.1\r\n " is enough to cause a DoS; the misspelled parameter timestap can interrupt service through a NULL pointer dereference; setting the variable sh_path0 to an overly long string exploits the strcpy( ) call inside the function ej_select_list( ) and triggers a buffer overflow; a CSRF technique can reset the password through start_apply.htm; and finally, a malicious request that controls the hook parameter of the appGet.cgi interface achieves XSS. No security update is available at present.
● Editor's notes:
(1) Denial of service
(1-1) Connect with telnet to the router's portal home page router.asus.com (port 80); a remote attacker only needs to send the single-line request " GET / HTTP/1.1\r\n " to hang access to http://router.asus.com/.
(1-2) According to this fragment of the route /blocking_request.cgi:
timestamp=getParmOrFromJson("timestap",v28);
....
v4=atol(timestamp);
From getParmOrFromJson() it can be seen that timestap looks like a spelling mistake rather than the familiar timestamp, so the assignment of the timestamp parameter has already gone wrong; atol() is then called without any NULL pointer check, which triggers a NULL pointer dereference exception and stops the service. The attack demonstration is as follows:
curl -i -X POST '192.168.10.10/blocking_request.cgi' -H 'Referer: http://192.168.10.10/'
Because the Referer URL is filtered for CSRF signatures, the device IP is used instead, which confirms that the intrusion is feasible.
(2) Buffer overflow
First browse to the router home page http://router.asus.com and log in with the admin account to obtain the cookie, then deliberately set the variable sh_path0 to a long string (more than 64 characters), for example:
ReqRespType=VisSetNVRAM&NVRAMName=sh_path0&NVRAMValue=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Then send the request GET /appGet.cgi?hook=select_list("Storage_x_SharedPath") HTTP/1.1 and the program crashes immediately. The root cause is in router/httpd/web.c, where the function ej_select_list( ) uses strcpy( ) without checking whether the parameter lengths match. When using strcpy(a,b), the buffer a must be at least as large as the string b, otherwise an overflow is triggered. An attacker only needs to assign sh_path0 a value longer than 64 characters to exploit this design flaw, resulting in a DoS or other unexpected behaviour.
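The two C-level defects in notes (1-2) and (2), a missing NULL check on a looked-up parameter and an unbounded strcpy( ) into a fixed-size buffer, share one fix pattern: validate before use. The following is an added example written for this note, not code from the GT-AC5300 firmware or from the PAGalaxyLab write-ups. The parameter table, get_param(), the 64-byte SH_PATH_MAX and the helper names are assumptions chosen to model what the advisory describes; the firmware's real getParmOrFromJson() and ej_select_list() are not reproduced.

```c
/* Added example, not firmware code. Models the two defects from the advisory
 * with hypothetical helpers, and shows the checked versions beside them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define SH_PATH_MAX 64   /* assumed destination size, from the "64 characters" in the advisory */

/* Constructed stand-in for the firmware's getParmOrFromJson(): a small
 * key/value table that returns NULL when the key is absent. */
struct kv { const char *key; const char *val; };

static const char *get_param(const struct kv *params, size_t n, const char *key) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(params[i].key, key) == 0)
            return params[i].val;
    return NULL;
}

/* Defect 1 (as described in note 1-2): the key is misspelled, the lookup
 * returns NULL, and atol(NULL) dereferences it. Shown for contrast only. */
long parse_timestamp_unchecked(const struct kv *params, size_t n) {
    const char *timestamp = get_param(params, n, "timestap");
    return atol(timestamp);
}

/* Hardened: correct key, explicit NULL/empty check, and strtol() so that
 * trailing garbage or out-of-range values are rejected rather than silently
 * truncated. Returns 0 on success, -1 on missing or invalid input. */
int parse_timestamp_checked(const struct kv *params, size_t n, long *out) {
    const char *timestamp = get_param(params, n, "timestamp");
    if (timestamp == NULL || *timestamp == '\0')
        return -1;
    char *end = NULL;
    errno = 0;
    long v = strtol(timestamp, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Defect 2 (the ej_select_list() pattern): strcpy(dst, src) into a 64-byte
 * buffer with no length check. Hardened version: refuse any value that does
 * not fit including its terminator. Returns 0 on success, -1 if rejected. */
int copy_shared_path_checked(char dst[SH_PATH_MAX], const char *src) {
    if (src == NULL)
        return -1;
    /* memchr stops at the first NUL, so it never reads past a shorter src */
    const char *nul = memchr(src, '\0', SH_PATH_MAX);
    if (nul == NULL)                 /* no terminator within 64 bytes: too long */
        return -1;
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);
    return 0;
}

/* Convenience wrappers so single inputs can be exercised directly. */
long checked_timestamp_value(const char *key, const char *val) {
    struct kv p[1] = { { key, val } };
    long out = -1;
    if (parse_timestamp_checked(p, 1, &out) != 0)
        return -1;
    return out;
}

int shared_path_accepted(const char *src) {
    char buf[SH_PATH_MAX];
    return copy_shared_path_checked(buf, src) == 0;
}

int main(void) {
    /* Constructed request parameters, as a handler would receive them. */
    struct kv params[] = { { "timestamp", "1554249600" }, { "sh_path0", "/mnt/sda1/share" } };
    long ts = 0;
    char path[SH_PATH_MAX];
    printf("timestamp: %s\n", parse_timestamp_checked(params, 2, &ts) == 0 ? "ok" : "rejected");
    printf("sh_path0:  %s\n", copy_shared_path_checked(path, get_param(params, 2, "sh_path0")) == 0 ? "ok" : "rejected");
    printf("long sh_path0 accepted: %d\n", shared_path_accepted(
        "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"));
    return 0;
}
```

The checked copy deliberately rejects the value instead of truncating it with strncpy(): silently shortening a share path would change which directory the router exports, so failing closed is the safer behaviour for a configuration value.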
(3) Cross-site request forgery
If the attacker manages to hijack the administrator's admin credentials and log in, a cross-site request forgery can be launched. Naturally a malicious website must be prepared in advance; an example of that malicious page's source code is as follows:
Through the malicious page, a connection is made to the victim device's page_default.cgi, the CSRF detection mechanism is bypassed, and a crafted request is sent to start_apply.htm that directly resets the password to 567890, starts the sshd service, and takes over administrative control of the router.
(4) Cross-site scripting
As usual, the attacker must be able to browse http://router.asus.com and obtain the admin account's cookie; by controlling the hook parameter through the appGet.cgi interface, XSS is achieved. Example malicious request:
GET /appGet.cgi?hook=nvram_get(%22htta%3Cscript%20src=%27http://192.168.10.10/malxss.js%27%3E%3C/script%3Eaa()pd_handle_request%22);
Its effect is equivalent to {"httaaa()pd_handle_request":""}
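The XSS in note (4) works because the hook parameter is reflected into the JSON reply without validation or encoding. The following is an added example, not code from the router firmware: a strict syntactic check that accepts only a hook of the form name("argument") with identifier-safe characters, plus a JSON string escaper for anything that is echoed back. The accepted character sets, the function names and the 256-byte output buffer are assumptions made for this illustration.

```c
/* Added example, not firmware code. Input validation and output encoding for
 * a reflected "hook" parameter of the kind described in note (4). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int is_ident_char(int c) { return isalnum((unsigned char)c) || c == '_'; }
static int is_arg_char(int c)   { return isalnum((unsigned char)c) || c == '_' || c == '-' || c == '.'; }

/* Returns 1 only if hook is exactly  identifier '(' '"' arg-chars '"' ')'
 * with nothing before or after. Anything else (angle brackets, quotes,
 * semicolons, a second call) is rejected before it reaches the response. */
int hook_is_well_formed(const char *hook) {
    const char *p = hook;
    if (p == NULL || !is_ident_char(*p))
        return 0;
    while (is_ident_char(*p))
        p++;
    if (p[0] != '(' || p[1] != '"')
        return 0;
    p += 2;
    while (is_arg_char(*p))
        p++;
    return p[0] == '"' && p[1] == ')' && p[2] == '\0';
}

/* Escape a string for use inside a JSON string literal. '<' and '>' are
 * emitted as \u003c / \u003e so the reply stays inert even if a client
 * ever renders it as HTML. Returns bytes written (excluding the NUL),
 * or -1 if out is too small. */
int json_escape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        char buf[8];
        const char *rep = NULL;
        switch (c) {
        case '"':  rep = "\\\"";   break;
        case '\\': rep = "\\\\";   break;
        case '\n': rep = "\\n";    break;
        case '\r': rep = "\\r";    break;
        case '\t': rep = "\\t";    break;
        case '<':  rep = "\\u003c"; break;
        case '>':  rep = "\\u003e"; break;
        default:
            if (c < 0x20) {           /* other control characters */
                snprintf(buf, sizeof buf, "\\u%04x", c);
                rep = buf;
            }
        }
        if (rep) {
            size_t l = strlen(rep);
            if (n + l >= outsz) return -1;
            memcpy(out + n, rep, l);
            n += l;
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Helper: escape `in` into a local buffer and compare with `expected`. */
int json_escape_matches(const char *in, const char *expected) {
    char out[256];
    if (json_escape(in, out, sizeof out) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void) {
    /* Constructed inputs: one legitimate hook, one containing markup. */
    const char *good = "select_list(\"Storage_x_SharedPath\")";
    const char *bad  = "nvram_get(\"a<b\")";
    char esc[256];
    printf("%s -> %s\n", good, hook_is_well_formed(good) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad,  hook_is_well_formed(bad)  ? "accepted" : "rejected");
    if (json_escape("key<1>", esc, sizeof esc) >= 0)
        printf("escaped: {\"%s\":\"\"}\n", esc);
    return 0;
}
```

Validation and encoding are independent layers: the syntactic check keeps unexpected characters out of the hook name, and the escaper guarantees that whatever is reflected cannot break out of the JSON string even if the check is later relaxed.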
Affected products
Related links
- https://nvd.nist.gov/vuln/detail/CVE-2018-17020
- https://github.com/PAGalaxyLab/VulInfo/blob/master/ASUS/ASUS%2520GT-AC5300%2520DOS1.MD
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17127
- https://github.com/PAGalaxyLab/VulInfo/tree/master/ASUS/GT-AC5300/dos1
- https://nvd.nist.gov/vuln/detail/CVE-2018-17022
- https://github.com/PAGalaxyLab/VulInfo/blob/master/ASUS/buffer_overflow/ASUS%2520GT-AC5300%2520stack
- https://nvd.nist.gov/vuln/detail/CVE-2018-17023
- https://github.com/PAGalaxyLab/VulInfo/blob/master/ASUS/csrf_bypass_referer/ASUS%2520GT-AC5300%2520c
- https://nvd.nist.gov/vuln/detail/CVE-2018-17021
- https://github.com/PAGalaxyLab/VulInfo/blob/master/ASUS/ac5300_xss/ASUS%2520GT-AC5300%2520XSS.MD
- https://www.asus.com/Networking/ROG-Rapture-GT-AC5300/HelpDesk_BIOS/
- https://kknews.cc/game/9yyyv98.html
- https://www.asus.com/media/global/products/3U61Zcnuu8qOVMM4/P_setting_xxx_0_90_end_300.png