ASMAX 804 gu router Unauthenticated Maintenance Script Vulnerability

vendor:

AR-804GU

by:

milw0rm.com

7,5

CVSS

HIGH

Unauthenticated Maintenance Script

CWE

Product Name: AR-804GU

Affected Version From: 66.34.1

Affected Version To: 66.34.1

Patch Exists: NO

Related CWE: N/A

CPE: h:asmax:ar-804gu

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

ASMAX 804 gu router Unauthenticated Maintenance Script Vulnerability

ASMAX 804 gu router is a SOHO class device which provides ADSL / WiFi / Ethernet interfaces. There is an unauthenticated maintenance script (named 'script') in /cgi-bin/ directory of the web management interface. When 'system' paramether is passed to the script it allows running OS shell commands (as root). Using CSRF attack one could remotely own a router using for example simple <img> html tags pointing to http://192.168.1.1/...

Mitigation:

The vendor should patch the vulnerability by removing the unauthenticated maintenance script from the web management interface.

Source

Exploit-DB raw data:

1. ASMAX 804 gu router is a SOHO class device. It provides ADSL / WiFi / Ethernet interfaces.

2. There is an *unauthenticated* maintenance script (named 'script') in /cgi-bin/ directory of the web management interface.

3. When 'system' paramether is passed to the script it allows running OS shell commands (as root).

4. PoC:
GET request to:
http://192.168.1.1/cgi-bin/script?system%20whoami

Returns:
root

5. Using CSRF attack one could remotely own a router using for example simple <img> html tags pointing to http://192.168.1.1/...

6. The issue was tested on firmware: 66.34.1

7. The vendor was notified on 30.12.08, but we got no reasonable response till now (the bug remains unpatched).

8. More information: http://www.securitum.pl/dh/asmax-ar-804-gu-compromise

# milw0rm.com [2009-06-01]