exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASUS RT-N56U 3.0.0.4.374_239 Cross Site Scripting

ASUS RT-N56U 3.0.0.4.374_239 Cross Site Scripting
Posted Feb 4, 2016
Authored by Nicholas Lehman

ASUS RT-N56U version 3.0.0.4.374_239 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 87441652c6842207664db5e93c4cca7115dd476b58654fed698224aba77c8880

ASUS RT-N56U 3.0.0.4.374_239 Cross Site Scripting

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


# Exploit Title: ASUS RT-N56U Persistent XSS
# Date: 2/2/2016
# Exploit Author: @GraphX
# Vendor Homepage: http://asus.com/
# Version: 3.0.0.4.374_239

1 Description:
It is possible for an authenticated attacker to bypass input sanitation in
the username input field of the Server Center page. An interception proxy
is not required with the use of the developer console and changing the
field value of the username after the third verification task is complete,
and before the password sanitation begins in the modify_account.asp file.

Alternatively, an attacker can bypass client side sanitation all together
by submitting a valid option and then changing the parameters in an
interception proxy.

There is a small amount of server-side sanitation, but this is easily
circumvented by making sure (in this example) the field value ends up
looking like this. user"><img onerror=alert(1) src=blah> Keeping the the
src parameter as far to the right as possible appears to circumvent any
server-side sanitation attempts.

2 Proof of Concept

1)Login to router

2)navigate to:
http:/<router_IP>/aidisk/modify_account.asp?account=user&new_account=user<img
onclick="javascript:alert(1)"
src=blah>&new_password=123&confirm_password=123

3 Solution:
Don't buy ASUS Routers.
**********NOTE******************
Other router models are likely affected by this vulnerability as they
appear to share the same or similar firmware (example: RT-N66U).
I have been unable to confirm this theory as the vendor is unresponsive.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWsTQWAAoJEGoTpzhfiAPx1GQP/jTWI6Mv3S5I1IHkbxBfGsNZ
G2wGPGdfFlyG4SkJDnfGgADDFp22X6tded5sygfcHfI4zDephmyYezGJuo//Dfjj
SVpRWfkvezvnrJgnSe44JSKm9wLmthyZrTvYxBk44036g7z+bxZDxB/ueDaV029O
MRC22qG1LNSyuhOEoGsPKnfM4mk8OC7PlZBUCwuIAgbLBNLSFVRu7a87vwlZky4U
tr40vo/ca9Dxjufd5yBcWD5PgWANRb/rhu/sEOliu8UsYnjp5ce/46VgV6aRXLg0
KV9Dk3MBxiIF1mw8Si+8/A7yWyKvCMO7DPS2VWQnQThy4qaditumxUfGRddp19hQ
enHTmVnLEM5UpjIFRTZMYnTZgGnn6NChFlw7eIAsrp4e8nUHMvsi5rzk6l+uFfz4
y7kdRtUJx5n97znov1azTzR38PVqqbWhiQckA9Nj71ZfXhhAE4PKfz9vROflRnqx
++7uiqVFPdl67K+2Ux4jYfX20PR8c1Ewqq3IE13HLBM0resAu87Drx1cHGt3BcPN
xV/vb/mXsNJYro/aMfDlR9rfIfevgvgsZQZgS9Ho+ybgvJ64tD1COwp980U3ZxuE
O68tFIhXwxKazWUUTFrGZlPG7+j5gYZ/pScJb/pwcVZiPIFvtH32D0m2ln4ZNCpQ
PA6G2zdsMmYwlgVyx77Z
=d7Hq
-----END PGP SIGNATURE-----





Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    13 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    27 Files
  • 30
    Jul 30th
    49 Files
  • 31
    Jul 31st
    29 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close