-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


# Exploit Title: ASUS RT-N56U Persistent XSS
# Date: 2/2/2016
# Exploit Author: @GraphX
# Vendor Homepage: http://asus.com/
# Version: 3.0.0.4.374_239

1 Description:
It is possible for an authenticated attacker to bypass input sanitation in
the username input field of the Server Center page. An interception proxy
is not required with the use of the developer console and changing the
field value of the username after the third verification task is complete,
and before the password sanitation begins in the modify_account.asp file.

Alternatively, an attacker can bypass client side sanitation all together
by submitting a valid option and then changing the parameters in an
interception proxy.

There is a small amount of server-side sanitation, but this is easily
circumvented by making sure (in this example) the field value ends up
looking like this. user"><img onerror=alert(1) src=blah>  Keeping the the
src parameter as far to the right as possible appears to circumvent any
server-side sanitation attempts.

2 Proof of Concept

1)Login to router

2)navigate to:
http:/<router_IP>/aidisk/modify_account.asp?account=user&new_account=user<img
onclick="javascript:alert(1)"
src=blah>&new_password=123&confirm_password=123

3 Solution:
Don't buy ASUS Routers.
**********NOTE******************
Other router models are likely affected by this vulnerability as they
appear to share the same or similar firmware (example: RT-N66U).
I have been unable to confirm this theory as the vendor is unresponsive.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWsTQWAAoJEGoTpzhfiAPx1GQP/jTWI6Mv3S5I1IHkbxBfGsNZ
G2wGPGdfFlyG4SkJDnfGgADDFp22X6tded5sygfcHfI4zDephmyYezGJuo//Dfjj
SVpRWfkvezvnrJgnSe44JSKm9wLmthyZrTvYxBk44036g7z+bxZDxB/ueDaV029O
MRC22qG1LNSyuhOEoGsPKnfM4mk8OC7PlZBUCwuIAgbLBNLSFVRu7a87vwlZky4U
tr40vo/ca9Dxjufd5yBcWD5PgWANRb/rhu/sEOliu8UsYnjp5ce/46VgV6aRXLg0
KV9Dk3MBxiIF1mw8Si+8/A7yWyKvCMO7DPS2VWQnQThy4qaditumxUfGRddp19hQ
enHTmVnLEM5UpjIFRTZMYnTZgGnn6NChFlw7eIAsrp4e8nUHMvsi5rzk6l+uFfz4
y7kdRtUJx5n97znov1azTzR38PVqqbWhiQckA9Nj71ZfXhhAE4PKfz9vROflRnqx
++7uiqVFPdl67K+2Ux4jYfX20PR8c1Ewqq3IE13HLBM0resAu87Drx1cHGt3BcPN
xV/vb/mXsNJYro/aMfDlR9rfIfevgvgsZQZgS9Ho+ybgvJ64tD1COwp980U3ZxuE
O68tFIhXwxKazWUUTFrGZlPG7+j5gYZ/pScJb/pwcVZiPIFvtH32D0m2ln4ZNCpQ
PA6G2zdsMmYwlgVyx77Z
=d7Hq
-----END PGP SIGNATURE-----