Slashdot Mirror


Asus Wireless Routers Can Be Exploited By Anyone Inside the Network

An anonymous reader writes A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as having the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) packet to the router. In relevant part: “The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.
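The memcpy-for-memcmp slip that Drake describes, as an added illustration in constructed C (my own code, not infosvr's source or Accuvant's write-up): the buggy check beside the comparison the author evidently meant, using made-up MAC values. As the quote notes, even the corrected check is weak authentication, because the device's MAC is visible to anyone on the LAN.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* The pattern from the summary: memcpy() used where memcmp() was meant, with
 * the return value tested against zero. memcpy() returns its destination
 * pointer, which is never NULL, so the "reject" branch is dead code, and the
 * call overwrites the stored MAC with the caller-supplied bytes as a side
 * effect. Returns 1 when the request is accepted. */
int mac_check_buggy(uint8_t *stored_mac, const uint8_t *claimed_mac)
{
    if (memcpy(stored_mac, claimed_mac, MAC_LEN) == 0)
        return 0;   /* intended "mismatch" path; never reached */
    return 1;       /* every request passes */
}

/* What the author presumably intended: compare without modifying anything.
 * Still only a weak gate, since the MAC is not a secret on the LAN. */
int mac_check_intended(const uint8_t *stored_mac, const uint8_t *claimed_mac)
{
    return memcmp(stored_mac, claimed_mac, MAC_LEN) == 0;
}

/* Runs both checks against constructed sample addresses and returns a bitmask
 * of what happened, so the outcome can be inspected without printed output:
 *   bit 0: buggy check accepted a wrong MAC
 *   bit 1: buggy check overwrote the stored MAC with the wrong one
 *   bit 2: intended check rejected the wrong MAC
 *   bit 3: intended check accepted the right MAC
 * All four bits set (0xF) is the expected result. */
unsigned demo_outcomes(void)
{
    /* Constructed sample values, not any real device's address. */
    const uint8_t router_mac[MAC_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t wrong_mac[MAC_LEN]  = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    uint8_t stored[MAC_LEN];
    unsigned bits = 0;

    memcpy(stored, router_mac, MAC_LEN);
    if (mac_check_buggy(stored, wrong_mac))
        bits |= 1u;
    if (memcmp(stored, wrong_mac, MAC_LEN) == 0)
        bits |= 2u;

    memcpy(stored, router_mac, MAC_LEN);
    if (!mac_check_intended(stored, wrong_mac))
        bits |= 4u;
    if (mac_check_intended(stored, router_mac))
        bits |= 8u;
    return bits;
}

int main(void)
{
    printf("outcome bits: 0x%x (0xf means the buggy check failed open)\n",
           demo_outcomes());
    return 0;
}
```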

68 comments

  1. The horror- by pecosdave · · Score: 5, Funny

    every HTTP request goes to a site that has nothing to do with goats!

    --
    The preceding post was not a Slashvertisement.
    1. Re:The horror- by Anonymous Coward · · Score: 0

      Could be worse. Each request could go to a site where goats *are* involved.

    2. Re:The horror- by Anonymous Coward · · Score: 0

      That is, you didn't buy the ASUS because it's a perfect platform for DD-WRT or OpenWRT and haven't been running the ASUS firmware for longer than 5 minutes.

  2. DD-WRT? by Sir_Eptishous · · Score: 4, Insightful

    What about ASUS routers flashed with DD-WRT or Tomato or somesuch?

    --
    We play the game with the bravery of being out of range
    1. Re:DD-WRT? by Anonymous Coward · · Score: 0

      Obviously they wouldn't be running that software service infosvr.

    2. Re:DD-WRT? by Anonymous Coward · · Score: 1

      Well that wouldn't be running the vulnerable service, now would it?

    3. Re:DD-WRT? by Anonymous Coward · · Score: 0, Flamebait

      Did you go to the Bennett Haselton school of technical incompetence?

    4. Re:DD-WRT? by hawguy · · Score: 4, Insightful

      Well that wouldn't be running the vulnerable service, now would it?

      That was his question.

      It's not obvious to everyone what runs in untouchable firmware (i.e. a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.

    5. Re:DD-WRT? by Anonymous Coward · · Score: 1

      They would be unaffected.

      Contrary to the article, AsusWRT-Merlin has a patch available: http://asuswrt.lostrealm.ca/changelog

    6. Re:DD-WRT? by Richy_T · · Score: 2

      Exactly. My first assumption is that Tomato or DD-WRT would be safe from this attack but I'd rather hear it from someone who knows for sure. Who knows what drivers, bits of code or low-level firmware are reused between the two? Not me.

    7. Re:DD-WRT? by Anonymous Coward · · Score: 0

      Moooooooooooooo! You cow!!! Cow!

    8. Re:DD-WRT? by MrWeelson · · Score: 2

      As does the Merlin fork if you're using that http://forums.smallnetbuilder....

    9. Re:DD-WRT? by Anonymous Coward · · Score: 0

      A cow goes moo! So do you! You are a cow! Mooooooooooooo!

  3. lol kill the infosvr service with its own exploit. by Anonymous Coward · · Score: 5, Interesting

    Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:

    $ ./asus-cmd "killall -9 infosvr"

  4. If you're running Merlin's ASUS-WRT by the_skywise · · Score: 5, Informative

    He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)

    http://forums.smallnetbuilder....

  5. Doesn't surprise me by Anonymous Coward · · Score: 0

    Their motherboards turned to shit in the meantime as well.

  6. The full file by Anonymous Coward · · Score: 3, Informative

    Here's the full file common.c for those who want to read the source code.

    What do you think about the code?

    1. Re:The full file by Anonymous Coward · · Score: 0

      It's codey, but is not a lemon meringue pie.

  7. It's official ... by gstoddart · · Score: 2

    It looks like it's official, people who make networking gear are either incompetent or lazy.

    Possibly both.

    --
    Lost at C:>. Found at C.
    1. Re:It's official ... by ZorinLynx · · Score: 2

      This has been the case for years. For ages and ages I've seen home routers with crappy firmware that results in bad connectivity. NAT table entries timing out too soon, inability to handle VPN traffic, crashes, lock-ups, performance slowdowns, the works.

      This is why for years I've been running a full blown Linux machine as a router. Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

    2. Re:It's official ... by Anonymous Coward · · Score: 0

      It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

      Um, a lot of them do, including the ASUS routers that apply to this article. Linux or BSD will not save the day if the problem is that the manufacturer does not do proper quality assurance. They have to verify that everything integrates nicely and works properly.

      In this particular case, the memcpy() vs. memcmp() mistake would have been caught by proper code auditing.

    3. Re:It's official ... by gmack · · Score: 1

      Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

      Mainly because the market is very price sensitive and as a result routers tend to use some slow SOC with a minimal amount of RAM because it costs less. Linux or BSD wouldn't do you much good if every time someone fires up bittorrent, the NAT table fills because there just isn't enough RAM to handle it all. It has only been recently that I've seen routers with a decent amount of RAM and even then that has been in the $150+ range while most people I know prefer to spend $30 to $40.

    4. Re:It's official ... by greg1104 · · Score: 1

      These Asus models use AsusWRT, a derivative of the Linux based OpenWRT. All the source code is public, and there are even alternate builds that track Asus's code but with additional features. (The problem is fixed already in that one)

      They are writing some major garbage in-house, like Asus's terrible AiCloud, but those are not the core routing features; those they just pull in from Linux. In this case, the bug is in the router side code that supports their "ASUS Wireless Router Device Discovery Utility".

    5. Re:It's official ... by SinShiva · · Score: 1

      Technically, AsusWRT is forked from Tomato. There are, however, OpenWrt-based entware/optware package managers for MIPS and ARM based routers, respectively, when utilizing AsusWRT-Merlin. Asus also runs some additional packages via their own hosted optware repos, but these are generally outdated, with the exception of certain core extras.

      Personally, I think the AiCloud features are nice in theory, but I also prefer the more standard options. AiCloud has companion android/ios apps for the less technically savvy.

    6. Re:It's official ... by Anonymous Coward · · Score: 0

      Moooooooooooooooooooooooooooooo! MOO!!!

      I say to you moo!

    7. Re:It's official ... by greg1104 · · Score: 2

      Occasional security vulnerabilities are inevitable, which means you always have to be careful what you're exposing to the world. AiCloud exposes way too much. The February disaster showed why it's just a fundamentally flawed idea.

    8. Re:It's official ... by Anonymous Coward · · Score: 0

      Mooooooooooo! You cow!! A cow you are! Mooo!

    9. Re:It's official ... by Cramer · · Score: 1

      would have been caught by proper code auditing.

      By what process? Automated software, maybe, as it's a suspicious comparison -- in fact, the compiler should emit a warning (0 isn't a void*). A human reading the code, unlikely.

    10. Re:It's official ... by Cramer · · Score: 1

      It's often not the real amount of ram, but idiotic low limits on the connection table size -- 2048, 4096 -- even when there's plenty of ram for a larger table.

    11. Re:It's official ... by aduxorth · · Score: 1

      It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house

      But that's the thing.
      They are running a Linux kernel, but stuffing around with how the system boots, what services are running on it (using their dodgy apps) and their incorrectly set up firewall rules.

  8. Why only wink by Anonymous Coward · · Score: 0

    when you know it's yet another, all-too-common bug? Say it. Say IT. SAY IT!

  9. Not a big deal by Anonymous Coward · · Score: 0

    A couple of things make this benign for most Asus owners. One is, many Asus routers are consumer driven, and two, you're talking about a person who would have to access that router locally as an end user. Not from the internet side of the router. This means you either are too dumb to use a password to control who accesses your network or you allow that user to access the local network with a password. I just do not see much exploitation of this simply because of the required local access needed. The people who want to steal and hack their way into your network are in places like North Korea, China, Russia. Not sitting in your home accessing your network.

    1. Re:Not a big deal by Anonymous Coward · · Score: 0

      What makes you so stupid?

    2. Re:Not a big deal by sicapo · · Score: 1

      The people who want to steal and hack their way into your network are in places like North Korea, China, Russia. Not sitting in your home accessing your network.

      They just need to be within reach of your wireless signal. Could be one of the adjacent apartments, the house next door, or any "drive by"...

    3. Re:Not a big deal by Anonymous Coward · · Score: 0

      Being within reach isn't enough; they also need your WPA2 key.

  10. Re:Return to vendor by Anonymous Coward · · Score: 0

    Have it repaired or get your money back. This shit has got to cost them.

    Automobile recalls in the future could be handled with OTA updates, but you insist on making it cost "them" by giving up your ability to transport yourself.

    In return for you trying to prove a point, they'll keep your car for a week just to fuck with you, only to perform the 5-minute OTA update in front of you when you return.

    But hey, stand your ground on the petty shit...

  11. Useful by Anonymous Coward · · Score: 0

    Sounds like this could be useful to me since I just received an AC68U which does not accept the default username and password.

    Are there detailed instructions on how to execute this exploit?

  12. Re:Return to vendor by Anonymous Coward · · Score: 0

    Yep. A software update is going to repair that faulty throttle cable.

    I've had a few recalls on my car and all have been hardware related.

  13. Interesting - I have 3 of these by kdub007 · · Score: 1

    However, if I read this correctly, you would have to have the network key or physical access to the router in order to use this exploit. I use mine with WPA2 authentication, and only give the key to trusted individuals. I don't care what brand of router you have access to...if I have physical access, I can compromise it. So, unless you're using one of these routers in a commercial environment (I do use mine for work, but not in the office setting) then there's little to worry about. That said, I will be updating my firmware with the fix ASAP.

    --
    The correct answer is 42.
    1. Re:Interesting - I have 3 of these by kdub007 · · Score: 1

      I suppose you could just be on the LAN, but why would you be on the LAN with an ASUS WiFi router and not have physical access to it?

      --
      The correct answer is 42.
    2. Re:Interesting - I have 3 of these by Anonymous Coward · · Score: 0

      Given how much malware finds its way onto client machines via web browser and application vulnerabilities, a requirement to be on the network is not much of a safeguard.

      This is how "worms" work, using each new infected system as a beachhead to launch another round of probing and attacks to expand its territory. That compromised laptop, tablet, or mobile phone that your idiot coworker, child, or friend brings into the network is sufficient to allow these kinds of router vulnerabilities to be exploited in order to victimize more machines in that network.

    3. Re:Interesting - I have 3 of these by plover · · Score: 1

      Consider this scenario.

      1. Evil hacker creates some malicious javascript that does three things: it attempts to connect to a local Asus router; upon finding one it reconfigures it to allow external access; after successfully hacking a router it opens a connection to his server to report another victim.
      2. Evil hacker sets up a rogue WiFi hotspot in a coffee shop near your office, and lures people into connecting to his evil open proxy (check out the WiFi Pineapple if you want to see how such a device works, or if you just want to purchase one.)
      3. The evil proxy injects the javascript into the bottom of whatever pages the victims visit, and modifies the cache-control directives to cache those pages for a long time. This is called a cache poisoning attack.
      4. The evil hacker waits for one of those victims to return to your office with their poisoned laptop, reconnect to your network, open their browser, and re-visit one of the poisoned sites in their cache. The malware script launches in the user's browser, attacks your router from within the trusted side of your network, then visits his site to report "mission accomplished, here's the IP address of another hacked router." All of this is of course invisible to the average random coffee-drinking employee.
      5. ???
      6. I don't know exactly what happens in step 5, but it is likely nothing you would consider good.

      This type of attack was fairly common when google was using http instead of https, and evil proxy operators could count on lots of people visiting the google page. It's still easy enough to do, and remains one of the biggest risks of trusting any unsecured wifi networks.

      More often than not, the evil hackers are just phishing for random victims. But by setting up his access point in a coffee shop frequented by your employees, this is one way the evil hacker could target you specifically.

      --
      John
  14. Re:Return to vendor by Anonymous Coward · · Score: 0

    This is not petty shit. If vendors are made to realize that shoddy software will cause them significant problems, they will improve their software quality. "We'll just patch bugs in the field" makes releases out of beta grade software. No, you won't patch that in the field. I'll return it to you and you having to handle that device will cost you more than I paid you for it. Learn the lesson or go out of business.

  15. our users are secure by sloach · · Score: 4, Informative

    My company makes a product that runs on ASUS routers. We've put in a workaround to this vulnerability for our users - see our blog post on the subject here: https://www.aterlo.com/blog/

    1. Re:our users are secure by Anonymous Coward · · Score: 0

      So, your users *weren't* secure a couple of days ago. Got it.

  16. Vulnerable, where "somesuch" == AsusWRT-Merlin by raymorris · · Score: 4, Informative

    You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.

    1. Re:Vulnerable, where "somesuch" == AsusWRT-Merlin by cheater512 · · Score: 1

      I didn't know there were others other than Merlin that were based on the official firmware?

      All the main culprits (DD-WRT, etc...) are completely immune of course.

    2. Re:Vulnerable, where "somesuch" == AsusWRT-Merlin by Anonymous Coward · · Score: 0

      That's still ASUS software and not really OSS.

    3. Re:Vulnerable, where "somesuch" == AsusWRT-Merlin by Anonymous Coward · · Score: 0

      Well, you can check this powerful wi-fi router http://wirelessroutersreviews.com/netgear-wpn824n-n150-wireless-router/ as well.

  17. Re:Return to vendor by hawguy · · Score: 1

    Have it repaired or get your money back. This shit has got to cost them.

    Or, don't let untrusted users on your private network.

  18. Re:People still use wireless routers? by hawguy · · Score: 3, Informative

    Just connect an access point to an OpenBSD box, and this crap won't happen.

    Why will that prevent it from happening? Anyone that owns the access point can inspect and modify all of the traffic that passes through it.

  19. Re:lol kill the infosvr service with its own explo by Anonymous Coward · · Score: 0

    This way asus-cmd is like systemd for Asus wireless routers.

  20. TMobile CellSpot routers are ASUS routers by cant_get_a_good_nick · · Score: 2

    So, I have a free-while-you're-with-tmobile router from TMobile. It's an NTAC68U with a custom firmware. The custom firmware IS vulnerable. But, the firmware is simplified, and doesn't have any way of getting a command line interface to run killall.

    I'm a geek, so I can reflash to Merlin or something like that. But most people with these routers will be non-technical folks. I hope the TMobile folks patch this quickly.

    1. Re:TMobile CellSpot routers are ASUS routers by phorm · · Score: 1

      Use the exploit to get the privileges needed to clean up the vulnerability?

  21. This is 10 years old (since ASUS WL-500g) by Anonymous Coward · · Score: 0

    Old news. I've known about this unauthenticated code execution for 9 years (shortly after I got my WL-500g).

    Here's a little utility I wrote years ago that exercises one of the benign opcodes, with the cmd execution opcode defined:
    https://github.com/awalls-cx18/wl500g-infoclient/blob/master/infoclient.c#L55

    Guess I didn't hype it up in the security circles properly.

  22. And remember folks by Richy_T · · Score: 1

    Comcast opening access to your router to people you don't know is nothing to worry about. What could possibly go wrong?

    1. Re:And remember folks by TuballoyThunder · · Score: 1

      And that is why you don't use their router on your network.

      From what I understand (I'm not a Comcast customer), Comcast is opening up the router they provide to offer wifi access to other Comcast customers. If you have your own router, this does not happen.

      I do not understand why anyone would pay to rent a cable modem/router from the cable company--it makes no financial sense (ok if you are only at that location for ~10 months or less the rental is cheaper). The only reason you have to have their cable modem/router is if you get phone service from them, though getting phone service from the cable company is just crazy (in my humble opinion).

      If you have to use a cable company provided modem/router, buy your own router and put your network behind your router.

    2. Re:And remember folks by Richy_T · · Score: 1

      This is true. I run my own router myself.

  23. Re:It's neither ... by Anonymous Coward · · Score: 0

    It's all about writing services that could be written in e.g. C# in C or legacy-style C++. I'm not convinced that even the modern C++ styles are safe - there are still many more ways to make mistakes with regard to memory than in C#.

  24. Re:Return to vendor by BronsCon · · Score: 1

    Today's drive by wire vehicles don't have throttle cables. The faulty logic driving the throttle servo can be fixed with an OTA tho.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  25. Not the only router with bugs.. by jppiiroinen · · Score: 1

    ..for example the Bewan iBox stores wlan passwords and remote access keys in plaintext, which can be dumped from the internal network by anyone. Here are my notes on the topic which I did report to CERT-FI in 12/2010.