Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units

From: kyle Lovett <krlovett () gmail com>

Date: Sun, 14 Jul 2013 00:37:39 -0400




Note: In June I released a partial disclosure for just the RT-N66U on
the issue of directory traversal. I have only heard back from ASUS
twice on the issue, and I understand they are working on a fix.
However, no serious attempt to our knowledge has been made to warn
their customers in the meantime, even after multiple requests from
several different security professionals.

Nor has ASUS posted a disclosure of these serious issues to new
potential customers on their AiCloud web adverts, since they still
advertise the product as an add-on with these routers, as a safe and
bug free home cloud solution.

Linux 2.6.xx kernel
All firmware versions known
Vulnerable Asus Models

RT-AC66R   Dual-Band Wireless-AC1750 Gigabit Router
RT-AC66U   Dual-Band Wireless-AC1750 Gigabit Router
RT-N66R    Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
RT-N66U    Dual-Band Wireless-N900 Gigabit Router
RT-AC56U   Dual-Band Wireless-AC1200 Gigabit Router
RT-N56R    Dual-Band Wireless-AC1200 Gigabit Router
RT-N56U    Dual-Band Wireless-AC1200 Gigabit Router
RT-N14U    Wireless-N300 Cloud Router
RT-N16     Wireless-N300 Gigabit Router
RT-N16R    Wireless-N300 Gigabit Router

Vulnerabilities - Due in large part to an exposed $root share on the
NVRAM for Samba service, which was discovered in March of this year by
another researcher, on almost all of the above models that have
enabled AiCloud service, the end users will find themselves exposed to
multiple methods of attack and several dangerous remote exploits.

Since authentication can simply be bypassed via directory traversal on
those units running HTTPS WebDAV, all files which control services on
either side of the router are wide open to remote manipulation. All
pem and key files are also openly available.

Almost all models will disclose a clear text credential file, making
any MD5 hashing on the /etc/shadow file meaningless. This file below
remains easily accessible, and has no encryption. It may vary a bit in
where it sits on a small percentage of routers configured a certain

(The -L and -v switches are optional)

curl -v https://<IP>/smb/tmp/$dir/lighttpd/permissions -k -L
curl -v https://<IP>/smb/tmp/lighttpd/permissions -k -L

PPTP Tunnel-
VPN service can be enabled, configured and connected by altering
five small files on any of the four models of the RT66 series routers.
Everything needed to achieve this can be found in the directory at
/smb/tmp/$dir/pptpd, and the pptpctrl file as well as pptpd service
are in the /sbin dir.

Local executable or modifiable scripts-
The files needed to create a Dropbear ssh service can be found at
/smb/tmp/etc/dropbear/ with its pid sitting in /var. In /smb/tmp/bin
and /smb/tmp/sbin sit well over a dozen executables such as netcat,
ftpget, logger, wol, tr and sendmail. Several services, two of which
are /smb/sbin/vsftpd and /smb/sbin/telnetd, can be configured or
altered there too. Other shell scripts, not native to the routers, can
be uploaded and used in an attack with little difficulty.

On the RT-N16 and N16R, once the https credentials are entered, an
attacker can easily move to the admin console on the LAN side by
changing the path to /index.asp. While the list of tools available to
an attacker might seem endless, there is no doubt that once the
AiCloud service is enabled, it would take just one person a few
minutes to take complete control of all traffic coming in and out of the
LAN, gain access to all LAN side resources by a VPN or through another
service, and could choose to sniff packets, do a hard DoS or launch
attacks on other systems.

Mitigation and Workarounds-
Disable all UPnP services
Disable any and all of the three AiCloud items which will open the vulnerability
Remove any remote access to the router for administration until a patch is ready
Change the default username and password
If the AiCloud service is used, it would be advisable to change that
password if it was the same one used for the router



Anonymous @ 2013-07-18 01:22:04
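
For owners of the listed models who keep web access logs from the router or an upstream proxy, the following added example (not part of the original advisory) flags requests to the /smb/ paths the advisory names and reports which sources received a 2xx answer. The Common Log Format layout, the category names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Paths under /smb/ named in the advisory; "(?:[^/]+/)?" stands for its "$dir".
SENSITIVE = [
    ("credential-file", re.compile(r"^/smb/tmp/(?:[^/]+/)?lighttpd/permissions$")),
    ("pptp-config",     re.compile(r"^/smb/tmp/(?:[^/]+/)?pptpd(?:/|$)")),
    ("dropbear-config", re.compile(r"^/smb/tmp/etc/dropbear(?:/|$)")),
    ("executables",     re.compile(r"^/smb/(?:tmp/)?s?bin(?:/|$)")),
]
# Assumption: logs are in Common/Combined Log Format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Constructed sample lines (documentation address ranges, invented file names).
SAMPLE = [
    '203.0.113.7 - - [14/Jul/2013:00:40:01 -0400] "GET /smb/tmp/lighttpd/permissions HTTP/1.1" 200 312',
    '203.0.113.7 - - [14/Jul/2013:00:40:09 -0400] "GET /smb/tmp/%70ptpd/ HTTP/1.1" 200 540',
    '198.51.100.20 - - [14/Jul/2013:00:41:30 -0400] "PUT /smb/tmp/sbin/helper.sh HTTP/1.1" 401 0',
    '192.0.2.15 - - [14/Jul/2013:00:42:00 -0400] "GET /index.asp HTTP/1.1" 200 1024',
]

def classify(raw_target):
    """Return the advisory category a request target falls in, or None."""
    path = unquote(raw_target.split("?", 1)[0])   # drop query, decode %xx
    path = "/" + normpath(path).lstrip("/")       # collapse //, /./ and /../
    for name, rx in SENSITIVE:
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Map source IP -> [(category, method, status)] for sensitive requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                              # skip lines in another format
        ip, method, target, status = m.groups()
        category = classify(target)
        if category:
            hits[ip].append((category, method, int(status)))
    return dict(hits)

def exposed(hits):
    """Sources that got a 2xx answer, meaning the router served the request."""
    return sorted(ip for ip, events in hits.items()
                  if any(200 <= status < 300 for _, _, status in events))

if __name__ == "__main__":
    print(exposed(scan(SAMPLE)))
```

A 401 or 403 on these paths shows probing only; a 2xx means the content was served and the credentials and keys on the unit should be treated as disclosed.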