CVE-2018-6000 – AsusWRT LAN - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-6000
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999. Se ha descubierto un problema en versiones anteriores a la 3.0.0.4.384_10007 de AsusWRT. La función do_vpnupload_post en router/httpd/web.c en vpnupload.cgi proporciona funcionalidades para establecer valores de configuración NVRAM, lo que permite que atacantes establezcan la contraseña de administrador e inicien un demonio SSH (o permitan el modo de comandos infosvr) y, en consecuencia, obtengan acceso remoto administrativo mediante una petición manipulada. • https://www.exploit-db.com/exploits/44176 https://www.exploit-db.com/exploits/43881 https://blogs.securiteam.com/index.php/archives/3589 https://github.com/pedrib/PoC/blob/master/advisories/asuswrt-lan-rce.txt https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt https://seclists.org/fulldisclosure/2018/Jan/78 • CWE-862: Missing Authorization •
CVE-2017-15654 – ASUSWRT 3.0.0.4.382.18495 Session Hijacking / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-15654
Highly predictable session tokens in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allow gaining administrative router access. Los tokens de sesión altamente predecibles en el servidor HTTPd en todas las versiones actuales (iguales o inferiores a 3.0.0.4.380.7743) de Asus asuswrt permiten obtener acceso administrativo al router. ASUSWRT versions 3.0.0.4.382.18495 and below suffer from predictable session tokens, failed IP validation, plain text password storage, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html http://seclists.org/fulldisclosure/2018/Jan/63 • CWE-330: Use of Insufficiently Random Values •
CVE-2017-15653 – ASUSWRT 3.0.0.4.382.18495 Session Hijacking / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-15653
Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string. La validación indebida de la IP del administrador tras iniciar sesión en el servidor HTTPd en todas las versiones actuales (iguales o inferiores a 3.0.0.4.380.7743) de Asus asuswrt permite que un usuario no autorizado ejecute cualquier acción conociendo el token de administrador mediante el uso de una cadena User-Agent específica. ASUSWRT versions 3.0.0.4.382.18495 and below suffer from predictable session tokens, failed IP validation, plain text password storage, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html http://seclists.org/fulldisclosure/2018/Jan/63 • CWE-613: Insufficient Session Expiration •
CVE-2017-15655 – ASUSWRT 3.0.0.4.382.18495 Session Hijacking / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-15655
Multiple buffer overflow vulnerabilities exist in the HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest and thus are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits several pages. Existen múltiples vulnerabilidades de desbordamiento de búfer en el servidor HTTPd en Asus asuswrt en versiones iguales o anteriores a la 3.0.0.4.376.X. • http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html http://seclists.org/fulldisclosure/2018/Jan/63 http://sploit.tech/2018/01/16/ASUS-part-I.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-15656 – ASUSWRT 3.0.0.4.382.18495 Session Hijacking / Information Disclosure
https://notcve.org/view.php?id=CVE-2017-15656
Password are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt. Las contraseñas se almacenan en texto plano en nvram en el servidor HTTPd en todas las versiones actuales (iguales o anteriores a la 3.0.0.4.380.7743) de Asus asuswrt. ASUSWRT versions 3.0.0.4.382.18495 and below suffer from predictable session tokens, failed IP validation, plain text password storage, and information disclosure vulnerabilities. • http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html http://seclists.org/fulldisclosure/2018/Jan/63 • CWE-522: Insufficiently Protected Credentials •