Slashdot Mirror


Asus Wireless Routers Can Be Exploited By Anyone Inside the Network

An anonymous reader writes: A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router. In relevant part: “The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.
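
The memcpy/memcmp mix-up described in the summary, shown as an added example that is not ASUS's infosvr code and not taken from the linked research. The function names, the direction of the reject branch and the MAC values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* Constructed pattern: memcpy() returns its destination pointer, which is
 * never null, so the "== 0" branch is dead code and every caller is accepted.
 * The copy also overwrites the MAC the packet carried. */
int mac_check_buggy(uint8_t *pkt_mac, const uint8_t *device_mac)
{
    if (memcpy(pkt_mac, device_mac, MAC_LEN) == 0)
        return 0;               /* reject: unreachable */
    return 1;                   /* accept */
}

/* Intended comparison: memcmp() returns 0 only when all bytes match.
 * Per the researcher's remark in the summary, a MAC address is not a secret,
 * so this repairs the check without making it authentication. */
int mac_check_fixed(const uint8_t *pkt_mac, const uint8_t *device_mac)
{
    if (memcmp(pkt_mac, device_mac, MAC_LEN) != 0)
        return 0;               /* reject: MAC differs */
    return 1;                   /* accept */
}

int main(void)
{
    /* Constructed sample values. */
    const uint8_t device[MAC_LEN] = {0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc};
    uint8_t wrong[MAC_LEN]        = {0x02, 0x00, 0x00, 0x11, 0x22, 0x33};

    printf("fixed, wrong MAC: %d\n", mac_check_fixed(wrong, device));
    printf("buggy, wrong MAC: %d\n", mac_check_buggy(wrong, device));
    printf("fixed after buggy call: %d\n", mac_check_fixed(wrong, device));
    return 0;
}
```

The last line of output shows a second effect of the mistake: once the buggy call has copied over the packet's MAC field, even a correct comparison made afterwards sees matching bytes.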

9 of 68 comments

  1. The horror- by pecosdave · · Score: 5, Funny

    every HTTP request goes to a site that has nothing to do with goats!

    --
    The preceding post was not a Slashvertisement.
  2. DD-WRT? by Sir_Eptishous · · Score: 4, Insightful

    What about ASUS routers flashed with DD-WRT or Tomato or somesuch?

    --
    We play the game with the bravery of being out of range
    1. Re:DD-WRT? by hawguy · · Score: 4, Insightful

      Well that wouldn't be running the vulnerable service, now would it?

      That was his question.

      It's not obvious to everyone what runs in untouchable firmware (i.e. a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.

  3. lol kill the infosvr service with its own exploit. by Anonymous Coward · · Score: 5, Interesting

    Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:

    $ ./asus-cmd "killall -9 infosvr"

  4. If you're running Merlin's ASUS-WRT by the_skywise · · Score: 5, Informative

    He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)

    http://forums.smallnetbuilder....

  5. The full file by Anonymous Coward · · Score: 3, Informative

    Here's the full file common.c for those who want to read the source code.

    What do you think about the code?

  6. our users are secure by sloach · · Score: 4, Informative

    My company makes a product that runs on ASUS routers. We've put in a workaround to this vulnerability for our users - see our blog post on the subject here: https://www.aterlo.com/blog/

  7. Vulnerable, where "somesuch" == AsusWRT-Merlin by raymorris · · Score: 4, Informative

    You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.

  8. Re:People still use wireless routers? by hawguy · · Score: 3, Informative

    Just connect an access point to an OpenBSD box, and this crap won't happen.

    Why will that prevent it from happening? Anyone that owns the access point can inspect and modify all of the traffic that passes through it.