Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
layout title date comments categories
post
CVE-2021-3166
2021-01-17
true
vulnerability

Affected products

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

    DSL-N14U_B1 V.1.1.2.3_805
    

Overview

An issue was discovered on Asus DSL-N14U_B1 v.1.1.2.3_805. An attacker can upload any file to the Firmware box as long as it is renamed as Settings_ProductName.trx (eg. Settings_DSL-N14U-B1.trx). Once the file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in DoS condition.

POC

This PoC can result in a DoS.

Given the vendor's policies, we don't show the Source Code of the binary scripts. However, we'll inspect the web page source. We'll notice the differences before and after the exploitation using reconnaissance tools.

Details

We proceed with the reconnaissance part by performing a mere portscan.

As we can see, services like ssh and jetdirect are up and running. Now let's let's head back to the firmware update page.

Let's analyze the code and look for an "upload" field in order to find the access point used to laod the firmware.

function uiDoUpdate()
{
	var form=document.uiPostUpdateForm;
	var string4 = form.tools_FW_UploadFile.value.search(/DSL-N14U-B1/);

	if (form.tools_FW_UploadFile.value=="") {
		alert("You must select a firmware file to upload.");
	}
	else {
		if (string4 >= 0) {
			form.postflag.value = "1";
			if(model_name == "DSL-N66U" || model_name == "DSL-AC52U")
			{
				showLoading(220);
				setTimeout("redirect();", 220000);
			}
			else if(model_name == "DSL-N55U-C1" || model_name == "DSL-N16U")
			{
				showLoading(152);
				setTimeout("redirect();", 152000);
			}
			else //DSL-N14U ...
			{
				showLoading(182);
				setTimeout("redirect();", 182000);
			}
			setTimeout("chk_upgrade();", 5000);
			form.submit();
		}
		else
			alert("Nuovo file firmware non è valido.");
	}
}

Given the checks, it seems that it can accept firmware belonging to different asus models. What changes visually seems to be the wait time for loading. Loading an image generates the "Invalid Firmware" alert.

But what if we decide to change the name of the image like "Settings_DSL-N14U-B1.trx"?

So we upload the appropriately crafted file, and it gets accepted to the back-end.

Showdown

Once the loading is complete, we can notice a strange behaviour, As if some services have been been suddenly stopped working as if it was a normal firmware upgrade.

As long as the router is turned on, the services won't restart. So, a Physical intervention is required in order to restart services properly.