
ASUS RT-AC68U Cross Site Scripting

Posted Apr 4, 2014
Authored by Joaquim Brasil de Oliveira

ASUS RT-AC68U web management interface suffers from a reflective cross site scripting vulnerability.

tags | exploit, web, xss
SHA-256 | 7ba8e8486a3d4055ad7a78d96b2f3cb20a29f14fd45f7d1245bd8fc10e936f97

=====[Alligator Security Team - Security Advisory]============================

Reflected Cross-Site Scripting within the ASUS RT-AC68U Managing Web Interface

Author: Joaquim Brasil de Oliveira < palulabrasil () gmail com >
< twitter.com/palulabr >

=====[Table of Contents]======================================================

1. Overview
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References

=====[1. Overview]============================================================

* Systems affected: ASUS RT-AC68U web interface
    - 3.0.0.4.374.4755 (verified)
    - 3.0.0.4.374_4887 (verified)
    - 3.0.0.4.374_4983 (verified)
    (other versions may be affected)

* Release date: 04/04/2014
* Impact: This vulnerability allows attacks against third-party users of the
ASUS RT-AC68U web management platform: a user lured into clicking a
link that carries malicious content will have that content executed
in the context of their browser.

The ASUS RT-AC68U is the world's fastest Wi-Fi router, with combined dual-band
data rates of up to 1900 Mbps. 1300 Mbps 802.11ac at 5 GHz gives Gigabit
wireless data rates, while Broadcom(R) TurboQAM(tm) technology super-charges 2.4 GHz
802.11n performance from 450 Mbps to 600 Mbps with compatible devices[1].

=====[2. Detailed description]================================================

The ASUS RT-AC68U router has a web interface management tool designed to
graphically assist users in configuring various features and/or diagnosing
problems. However, there is a bug with the "Wireless" tab of this web management
interface that results in the possibility for an attacker to execute malicious
content within another user's browser by luring this given user (victim) into
visiting a specially crafted link.

To exploit this bug, the attacker needs to send the following malicious link to
the victim (e.g., the router administrator):

https://[router's IP address]/apply.cgi?next_page=Advanced_Wireless_Content.asp&current_page="><script>alert('XSS')</script><"&action_mode=change_wl_unit

When the victim clicks on this link, the code supplied in the "current_page"
parameter is executed within the victim's browser context, because that
parameter is susceptible to reflected cross-site scripting attacks. In this
specific proof of concept, the code triggers an alert box.

This bug occurs because the ASUS web management interface poorly validates data
output. Since browsers interpret HTML/JavaScript code, the malicious code
supplied by the attacker will be rendered in the victim's browser.

It is important to mention that even if the victim is not logged in, whenever an
attacker sends the malicious link to her, the web management platform will
present the authentication interface and, after that, redirect the victim to the
malicious target. So in order to exploit this vulnerability, the only
information the attacker needs to know is a valid user within the system (e.g.,
the router's administrator).

=====[3. Other contexts & solutions]==========================================

In order to eradicate this problem, it is imperative that the server
enforces data output validation.

An additional measure is to filter data input. By applying both measures, all
data input provided by third parties will be validated, and all data being
output by the server will also be validated.
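
The two measures above, shown in C as an added example (not ASUS firmware code and not part of the original advisory). The function names html_escape and is_valid_page_name are hypothetical, and the accepted page-name shape (letters, digits and underscores followed by ".asp") is an assumption based on the one page name that appears in the advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Output encoding: copy src into dst, replacing the characters that can
 * break out of an HTML attribute or element. Returns 0 on success and
 * -1 if dst is too small (dst is then set to an empty string). */
int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen) {          /* keep room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (rep)
            memcpy(dst + o, rep, n);
        else
            dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Input filtering: accept only names shaped like "Some_Page.asp"
 * (letters, digits, underscore, then ".asp"). Assumed page-name format. */
int is_valid_page_name(const char *s)
{
    size_t len = strlen(s), i;

    if (len < 5 || len > 64 || strcmp(s + len - 4, ".asp") != 0)
        return 0;
    for (i = 0; i < len - 4; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_')
            return 0;
    return 1;
}
```

A handler would reject a "current_page" value that fails is_valid_page_name and would still pass every reflected value through html_escape before writing it into the response.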

=====[4. Timeline]============================================================

03/31/2014 - ASUS was contacted;
04/02/2014 - ASUS pushed a new beta firmware release (3.0.0.4.374_4983);
04/02/2014 - ASUS resolved issue in beta firmware release (3.0.0.4.374_5047);
04/04/2014 - ASUS pushed beta firmware 3.0.0.4.374_5047 from beta to stable;
04/04/2014 - Advisory publishing date.

=====[5. References]==========================================================

[1] http://www.asus.com/Networking/RTAC68U/
[2] http://www.asus.com/Networking/RTAC68U/#support

