-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # Exploit Title: ASUS RT-N56U Persistent XSS # Date: 2/2/2016 # Exploit Author: @GraphX # Vendor Homepage: http://asus.com/ # Version: 3.0.0.4.374_239 1 Description: It is possible for an authenticated attacker to bypass input sanitation in the username input field of the Server Center page. An interception proxy is not required with the use of the developer console and changing the field value of the username after the third verification task is complete, and before the password sanitation begins in the modify_account.asp file. Alternatively, an attacker can bypass client side sanitation all together by submitting a valid option and then changing the parameters in an interception proxy. There is a small amount of server-side sanitation, but this is easily circumvented by making sure (in this example) the field value ends up looking like this. user"> Keeping the the src parameter as far to the right as possible appears to circumvent any server-side sanitation attempts. 2 Proof of Concept 1)Login to router 2)navigate to: http://aidisk/modify_account.asp?account=user&new_account=user&new_password=123&confirm_password=123 3 Solution: Don't buy ASUS Routers. **********NOTE****************** Other router models are likely affected by this vulnerability as they appear to share the same or similar firmware (example: RT-N66U). I have been unable to confirm this theory as the vendor is unresponsive. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWsTQWAAoJEGoTpzhfiAPx1GQP/jTWI6Mv3S5I1IHkbxBfGsNZ G2wGPGdfFlyG4SkJDnfGgADDFp22X6tded5sygfcHfI4zDephmyYezGJuo//Dfjj SVpRWfkvezvnrJgnSe44JSKm9wLmthyZrTvYxBk44036g7z+bxZDxB/ueDaV029O MRC22qG1LNSyuhOEoGsPKnfM4mk8OC7PlZBUCwuIAgbLBNLSFVRu7a87vwlZky4U tr40vo/ca9Dxjufd5yBcWD5PgWANRb/rhu/sEOliu8UsYnjp5ce/46VgV6aRXLg0 KV9Dk3MBxiIF1mw8Si+8/A7yWyKvCMO7DPS2VWQnQThy4qaditumxUfGRddp19hQ enHTmVnLEM5UpjIFRTZMYnTZgGnn6NChFlw7eIAsrp4e8nUHMvsi5rzk6l+uFfz4 y7kdRtUJx5n97znov1azTzR38PVqqbWhiQckA9Nj71ZfXhhAE4PKfz9vROflRnqx ++7uiqVFPdl67K+2Ux4jYfX20PR8c1Ewqq3IE13HLBM0resAu87Drx1cHGt3BcPN xV/vb/mXsNJYro/aMfDlR9rfIfevgvgsZQZgS9Ho+ybgvJ64tD1COwp980U3ZxuE O68tFIhXwxKazWUUTFrGZlPG7+j5gYZ/pScJb/pwcVZiPIFvtH32D0m2ln4ZNCpQ PA6G2zdsMmYwlgVyx77Z =d7Hq -----END PGP SIGNATURE-----