SecuriTeam - ASMAX AR 804 gu Web Management Console Injection Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces. There is an *unauthenticated* maintenance script (named 'script') in /cgi-bin/ directory of the web management interface. When 'system' paramether is passed to the script it allows running OS shell commands as root.

Credit:
The information has been provided by michal.sajdak at securitum.pl.
The original article can be found at: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* ASMAX 804 gu router version 66.34.1

Proof of concept:
Send a GET request to:
http://192.168.1.1/cgi-bin/script?system%20whoami

Which in turn returns:
Returns: root

Using CSRF attack one could remotely own a router using for example simple img html tags pointing to http://192.168.1.1/...

Disclosure Timeline:
30.12.08 vendor notified

	Real Networks RealPlayer Compressed GIF Handling Integer Overflow
	RealNetworks RealPlayer CMediumBlockAllocator Integer Overflow Vulnerability
	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution