Now, this first one isn’t such a huge issue as it would require physical proximity to the router, at the same time that the user is trying to do a particular sort of set up.
But it does illustrate an interesting point about SSIDs and the fact that you shouldn’t trust any data that is coming from outside.
In the Wireless page, under “WDS”, it’s possible to enumerate existing wireless networks in your area. When these are written to the web page they are not fully sanitised or encoded so that it’s possible to get a tiny amount of HTML code into the 32 characters we have available.
For example, we can set up an SSID as follows using hostapd under Linux:
When the Remote AP List is looked at, we get a pop up as follows:
It can be extended to an arbitrary redirect using
This SSID then loads an IFRAME from http://xjs.io/a – which in turn changes the window location to http://www.dilbert.com/, but could equally be directing the user to a malicious page.
And remember, SSIDs can be 32 arbitrary characters, so take care when displaying them in web interfaces!
Part 2 – Exploiting open redirect, leading to creation of a new SMB user and Cross-Site Scripting
We start from a logged out router:
Then we can send an email like this to our victim:
The user then sees the page like this:
However, when they log in, the session is established, but then they are redirected to the attacker’s page http://xjs.io/.htm . (This is down at the moment, as I only put it up for a test case for ASUS.)
What this does is creates an IFRAME, which deals with spoofing the create user request. (So we could make this invisible if we wanted to…)
The IFRAME just makes the same POST request that the user would make if they were trying to add a user.
The main exploit page then redirects the user to the appropriate page for firmware update after a few seconds:
But, let’s have a look at the samba users –we’ve created this user:
All these issues have now been fixed, and so you should probably update to the latest firmware, or at least be careful about opening emails purporting to be from ASUS – or preferably both.