# Date: 2/2/2016
# Exploit Author: @GraphX
# Vendor Homepage: http://asus.com/
# Version: 3.0.0.4.374_239
1 Description:
It is possible for an authenticated attacker to bypass input sanitization in
the username input field of the Server Center page. An interception proxy
is not required: using the browser's developer console, the attacker changes
the value of the username field after the third client-side verification task
completes and before the password sanitization in the modify_account.asp file
begins. Alternatively, an attacker can bypass client-side sanitization
altogether by submitting a valid value and then changing the parameters in an
interception proxy.
There is a small amount of server-side sanitization, but it is easily
circumvented by making sure (in this example) the field value ends up
looking like this:

    user"><img onerror=alert(1) src=blah>

Keeping the src parameter as far to the right as possible appears to
circumvent any server-side sanitization attempts.
2 Proof of Concept
1) Login to router
2) Navigate to:
http://<router_IP>/aidisk/
onclick="javascript:alert(1)"
src=blah>&new_password=123&
3 Solution:
Don't buy ASUS Routers.
**********NOTE****************
Other router models are likely affected by this vulnerability as they
appear to share the same or similar firmware (example: RT-N66U).
I have been unable to confirm this theory as the vendor is unresponsive.