Slashdot Mirror

← Back to Stories (view on slashdot.org)

Asus Wireless Routers Can Be Exploited By Anyone Inside the Network

Posted by timothy on from the coming-from-inside-the-building dept.

An anonymous reader writes A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router. In relevant part: The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.

15 of 68 comments (clear)

  1. The horror- by pecosdave · · Score: 5, Funny

    every HTTP request goes to a site that has nothing to do with goats!

    --
    The preceding post was not a Slashvertisement.
  2. DD-WRT? by Sir_Eptishous · · Score: 4, Insightful

    What about ASUS routers flashed with DD-WRT or Tomato or somesuch?

    --
    We play the game with the bravery of being out of range
    1. Re:DD-WRT? by hawguy · · Score: 4, Insightful

      Well that wouldn't be running the vulnerable service, now would it?

      That was his question.

      It's not obvious to everyone what runs in untouchable firmware (i..e a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.

    2. Re:DD-WRT? by Richy_T · · Score: 2

      Exactly. My first assumption is that Tomato or DD-WRT would be safe from this attack but I'd rather hear it from someone who knows for sure. Who knows what drivers, bits of code or low-level firmware are reused between the two? Not me.

    3. Re:DD-WRT? by MrWeelson · · Score: 2

      As does the Merlin fork if you're using that http://forums.smallnetbuilder....

  3. lol kill the infosvr service with its own exploit. by Anonymous Coward · · Score: 5, Interesting

    Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:

    $ ./asus-cmd "killall -9 infosvr"

  4. If you're running Merlin's ASUS-WRT by the_skywise · · Score: 5, Informative

    He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)

    http://forums.smallnetbuilder....

  5. The full file by Anonymous Coward · · Score: 3, Informative

    Here's the full file common.c for those who want to read the source code.

    What do you think about the code?

  6. It's official ... by gstoddart · · Score: 2

    It looks like it's official, people who make networking gear are either incompetent or lazy.

    Possibly both.

    --
    Lost at C:>. Found at C.
    1. Re:It's official ... by ZorinLynx · · Score: 2

      This has been the case for years. For ages and ages I've seen home routers with crappy firmware that results in bad connectivity. NAT table entries timing out too soon, inability to handle VPN traffic, crashes, lock-ups, performance slowdowns, the works.

      This is why for years I've been running a full blown Linux machine as a router. Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

    2. Re:It's official ... by greg1104 · · Score: 2

      Occasional security vulnerabilities are inevitable, which means you always have to be careful what you're exposing to the world. AiCloud exposes way too much. The February disaster showed why it's just a fundamentally flawed idea.

  7. our users are secure by sloach · · Score: 4, Informative

    My company makes a product that runs on ASUS routers. We've put in a workaround to this vulnerability for our users - see our blog post on the subject here: https://www.aterlo.com/blog/

  8. Vulnerable, where "somesuch" == AsusWRT-Merlin by raymorris · · Score: 4, Informative

    You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.

  9. Re:People still use wireless routers? by hawguy · · Score: 3, Informative

    Just connect an access point to an OpenBSD box, and this crap won't happen.

    Why will that prevent it from happening? Anyone that owns the access point can inspect and modify all of the traffic that passes through it.

  10. TMobile CellSpot routers are ASUS routers by cant_get_a_good_nick · · Score: 2

    So, i have a free-while-youre-with-tmobile router from TMobile. Its a NTAC68U with a custom firmware. The custom firmware IS vulnerable. But, the firmware is simplified, and doesn't have any way of getting a command line interface to run killall.

    Im a geek, so I can reflash to Merlin or something like that. But most people with these routers will be non-technical folks. I hope the TMobile folks patch this quickly.