Slashdot Mirror

← Back to Stories (view on slashdot.org)

Asus Wireless Routers Can Be Exploited By Anyone Inside the Network

Posted by timothy on from the coming-from-inside-the-building dept.

An anonymous reader writes A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router. In relevant part: The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.

35 of 68 comments (clear)

  1. The horror- by pecosdave · · Score: 5, Funny

    every HTTP request goes to a site that has nothing to do with goats!

    --
    The preceding post was not a Slashvertisement.
  2. DD-WRT? by Sir_Eptishous · · Score: 4, Insightful

    What about ASUS routers flashed with DD-WRT or Tomato or somesuch?

    --
    We play the game with the bravery of being out of range
    1. Re:DD-WRT? by Anonymous Coward · · Score: 1

      Well that wouldn't be running the vulnerable service, now would it?

    2. Re:DD-WRT? by hawguy · · Score: 4, Insightful

      Well that wouldn't be running the vulnerable service, now would it?

      That was his question.

      It's not obvious to everyone what runs in untouchable firmware (i..e a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.

    3. Re:DD-WRT? by Anonymous Coward · · Score: 1

      They would be unaffected.

      Contrary to the article, AsusWRT-Merlin has a patch available: http://asuswrt.lostrealm.ca/changelog

    4. Re:DD-WRT? by Richy_T · · Score: 2

      Exactly. My first assumption is that Tomato or DD-WRT would be safe from this attack but I'd rather hear it from someone who knows for sure. Who knows what drivers, bits of code or low-level firmware are reused between the two? Not me.

    5. Re:DD-WRT? by MrWeelson · · Score: 2

      As does the Merlin fork if you're using that http://forums.smallnetbuilder....

  3. lol kill the infosvr service with its own exploit. by Anonymous Coward · · Score: 5, Interesting

    Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:

    $ ./asus-cmd "killall -9 infosvr"

  4. If you're running Merlin's ASUS-WRT by the_skywise · · Score: 5, Informative

    He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)

    http://forums.smallnetbuilder....

  5. The full file by Anonymous Coward · · Score: 3, Informative

    Here's the full file common.c for those who want to read the source code.

    What do you think about the code?

  6. It's official ... by gstoddart · · Score: 2

    It looks like it's official, people who make networking gear are either incompetent or lazy.

    Possibly both.

    --
    Lost at C:>. Found at C.
    1. Re:It's official ... by ZorinLynx · · Score: 2

      This has been the case for years. For ages and ages I've seen home routers with crappy firmware that results in bad connectivity. NAT table entries timing out too soon, inability to handle VPN traffic, crashes, lock-ups, performance slowdowns, the works.

      This is why for years I've been running a full blown Linux machine as a router. Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

    2. Re:It's official ... by gmack · · Score: 1

      Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

      Mainly because the market is very price sensitive and as a result routers tend to use some slow SOC with a minimal amount of RAM because it costs less. Linux or BSD wouldn't do you much good if every time someone fires up bittorrent, the NAT table fills because there just isn't enough RAM to handle it all. It has only been recently that I've seen routers with a decent amount of ram and even then that has been in the $150+ range while most people I know refer to spend $30 to $40.

    3. Re:It's official ... by greg1104 · · Score: 1

      These Asus models use AsusWRT, a derivative of the Linux based OpenWRT. All the source code is public, and there are even alternate builds that track Asus's code but with additional features. (The problem is fixed already in that one)

      They are writing some major garbage in-house, like Asus's terrible AiCloud, but those are not the core routing features; those they just pull in from Linux. In this case, the bug is in the router side code that supports their "ASUS Wireless Router Device Discovery Utility".

    4. Re:It's official ... by SinShiva · · Score: 1

      Technically, AsusWRT is forked from Tomato. There is, however, openwrt based entware/optware package managers for MIPS and ARM based routers, respectively, when utilizing AsusWRT-Merlin. Asus also runs some additional packages via their own hosted optware repos, but these are generally outdated, with exception to certain core extras.

      Personally, I think the AiCloud features are nice in theory, but I also prefer the more standard options. AiCloud has companion android/ios apps for the less technically saavy.

    5. Re:It's official ... by greg1104 · · Score: 2

      Occasional security vulnerabilities are inevitable, which means you always have to be careful what you're exposing to the world. AiCloud exposes way too much. The February disaster showed why it's just a fundamentally flawed idea.

    6. Re:It's official ... by Cramer · · Score: 1

      would have been catched by proper code auditing.

      By what process? automated software, maybe as it's a suspicious comparison -- in fact, the compiler should emit a warning (0 isn't a void*). a human reading the code, unlikely.

    7. Re:It's official ... by Cramer · · Score: 1

      It's often not the real amount of ram, but idiotic low limits on the connection table size -- 2048, 4096 -- even when there's plenty of ram for a larger table.

    8. Re:It's official ... by aduxorth · · Score: 1

      It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house

      But that's the Thing.
      They are running a Linux kernel, but stuffing around with how the system boots, what services are running on it (using their dodgy apps) and their incorrectly setup firewall rules.

  7. Interesting - I have 3 of these by kdub007 · · Score: 1

    However, if I read this correctly, you would have to have the network key or physical access to the router in order to use this exploit. I use mine with WPA2 authentication, and only give the key to trusted individuals. I don't care what brand of router you have access to...if I have physical access, I can compromise it. So, unless you're using one of these routers in a commercial environment (I do use mine for work, but not in the office setting) then there's little to worry about it. That said, I will be updating my firmware with the fix ASAP.

    --
    The correct answer is 42.
    1. Re:Interesting - I have 3 of these by kdub007 · · Score: 1

      I suppose you could just be on the LAN, but why would you be on the LAN with an ASUS WiFi router and not have physical access to it?

      --
      The correct answer is 42.
    2. Re:Interesting - I have 3 of these by plover · · Score: 1

      Consider this scenario.

      1. Evil hacker creates some malicious javascript that does three things: it attempts to connect to a local Asus router; upon finding one it reconfigures it to allow external access; after successfully hacking a router it opens a connection to his server to report another victim.
      2. Evil hacker sets up a rogue WiFi hotspot in a coffee shop near your office, and lures people into connecting to his evil open proxy (check out the WiFi Pineapple if you want to see how such a device works, or if you just want to purchase one.)
      3. The evil proxy injects the javascript into the bottom of whatever pages the victims visit, and modifies the cache-control directives to cache those pages for a long time. This is called a cache poisoning attack.
      4. The evil hacker waits for one of those victims to return to your office with their poisoned laptop, reconnect to your network, open their browser, and re-visit one of the poisoned sites in their cache. The malware script launches in the user's browser, attacks your router from within the trusted side of your network, then visits his site to report "mission accomplished, here's the IP address of another hacked router." All of this is of course invisible to the average random coffee-drinking employee.
      5. ???
      6. I don't know exactly what happens in step 5, but it is likely nothing you would consider good.

      This type of attack was fairly common when google was using http instead of https, and evil proxy operators could count on lots of people visiting the google page. It's still easy enough to do, and remains one of the biggest risks of trusting any unsecured wifi networks.

      More often than not, the evil hackers are just phishing for random victims. But by setting up his access point in a coffee shop frequented by your employees, this is one way the evil hacker could target you specifically.

      --
      John
  8. our users are secure by sloach · · Score: 4, Informative

    My company makes a product that runs on ASUS routers. We've put in a workaround to this vulnerability for our users - see our blog post on the subject here: https://www.aterlo.com/blog/

  9. Vulnerable, where "somesuch" == AsusWRT-Merlin by raymorris · · Score: 4, Informative

    You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.

    1. Re:Vulnerable, where "somesuch" == AsusWRT-Merlin by cheater512 · · Score: 1

      I didn't know there were others other than Merlin that were based on the official firmware?

      All the main culprits (DD-WRT, etc...) are completely immune of course.

  10. Re:Return to vendor by hawguy · · Score: 1

    Have it repaired or get your money back. This shit has got to cost them.

    Or, don't let untrusted users on your private network.

  11. Re:People still use wireless routers? by hawguy · · Score: 3, Informative

    Just connect an access point to an OpenBSD box, and this crap won't happen.

    Why will that prevent it from happening? Anyone that owns the access point can inspect and modify all of the traffic that passes through it.

  12. Re:Not a big deal by sicapo · · Score: 1

    The people who want to steal and hack their way into your network are in places like North Korea, China, Russia. Not sitting in your home accessing your network.

    They just need to be within reach of your wireless signal. Could be one of the adjacent apartments, the house next door, or any "drive by"...

  13. TMobile CellSpot routers are ASUS routers by cant_get_a_good_nick · · Score: 2

    So, i have a free-while-youre-with-tmobile router from TMobile. Its a NTAC68U with a custom firmware. The custom firmware IS vulnerable. But, the firmware is simplified, and doesn't have any way of getting a command line interface to run killall.

    Im a geek, so I can reflash to Merlin or something like that. But most people with these routers will be non-technical folks. I hope the TMobile folks patch this quickly.

    1. Re:TMobile CellSpot routers are ASUS routers by phorm · · Score: 1

      Use the exploit to get the privileges needed to clean up the vulnerability?

  14. And remember folks by Richy_T · · Score: 1

    Comcast opening access to your router to people you don't know is nothing to worry about. What could possibly go wrong?

    1. Re:And remember folks by TuballoyThunder · · Score: 1

      And that is why you don't use their router on your network.

      From what I understand (I'm not a Comcast customer), Comcast is opening up the router they provide to offer wifi access to other Comcast customers. If you have your own router, this does not happen.

      I do not understand why anyone would pay to rent a cable modem/router from the cable company--it makes no financial sense (ok if you are only at that location for ~10 months or less the rental is cheaper). The only reason you have to have their cable modem/router is if you get phone service from them, though getting phone service from the cable company is just crazy (in my humble opinion).

      If you have to use a cable company provided modem/router, buy your own router and put your network behind your router.

    2. Re:And remember folks by Richy_T · · Score: 1

      This is true. I run my own router myself.

  15. Re:Return to vendor by BronsCon · · Score: 1

    Today's drive by wire vehicles don't have throttle cables. The faulty logic driving the throttle servo can be fixed with an OTA tho.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  16. Not the only router with bugs.. by jppiiroinen · · Score: 1

    ..for example the Bewan iBox stores wlan passwords and remote access keys in plaintext, which can be dumped from internal network by anyone. Here is my notes on the topic which I did report to CERT-FI in 12/2010.