Asus Wireless Routers Can Be Exploited By Anyone Inside the Network
An anonymous reader writes: A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router.
In relevant part: "The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device's MAC address is hardly sufficient authentication," said Drake.
Here are the technical details at GitHub.
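The memcpy-versus-memcmp mistake quoted from Drake above, shown as an added illustration rather than as the infosvr source: the request struct, field names and sample MAC values below are constructed for the example and are not taken from ASUS's common.c. The buggy check is placed next to the comparison the author evidently intended, with small functions that return what each version does with a request carrying a non-matching MAC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6

/* Hypothetical request layout, standing in for whatever the real daemon
 * parses out of a UDP datagram; only the fields the check needs are here. */
struct discovery_req {
    uint8_t opcode;
    uint8_t mac[MAC_LEN];   /* MAC the sender claims belongs to the router */
};

/* Buggy version of the check described in the quote: memcpy returns its
 * destination pointer, which is never NULL, so "== 0" can never be true and
 * the function accepts every request. As a side effect the call also copies
 * the router's own MAC over the request, destroying the value it was meant
 * to check. */
int mac_matches_buggy(struct discovery_req *req, const uint8_t router_mac[MAC_LEN])
{
    if (memcpy(req->mac, router_mac, MAC_LEN) == 0)
        return 0;   /* unreachable */
    return 1;
}

/* Corrected version: memcmp compares the bytes without modifying the request. */
int mac_matches_fixed(const struct discovery_req *req, const uint8_t router_mac[MAC_LEN])
{
    return memcmp(req->mac, router_mac, MAC_LEN) == 0;
}

/* Constructed sample values: the router's MAC and a request naming another one. */
static const uint8_t ROUTER_MAC[MAC_LEN] = { 0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC };
static const uint8_t OTHER_MAC[MAC_LEN]  = { 0x02, 0x00, 0x00, 0x11, 0x22, 0x33 };

static void make_req(struct discovery_req *req, const uint8_t mac[MAC_LEN])
{
    memset(req, 0, sizeof *req);   /* opcode 0 is a placeholder, not a real infosvr opcode */
    memcpy(req->mac, mac, MAC_LEN);
}

/* 1 if the buggy check lets through a request carrying a non-matching MAC. */
int buggy_accepts_other_mac(void)
{
    struct discovery_req req;
    make_req(&req, OTHER_MAC);
    return mac_matches_buggy(&req, ROUTER_MAC);
}

/* 1 if the buggy check overwrote the sender's MAC field with the router's. */
int buggy_clobbers_request(void)
{
    struct discovery_req req;
    make_req(&req, OTHER_MAC);
    mac_matches_buggy(&req, ROUTER_MAC);
    return memcmp(req.mac, ROUTER_MAC, MAC_LEN) == 0;
}

/* Result of the corrected check for a non-matching MAC (expected 0). */
int fixed_accepts_other_mac(void)
{
    struct discovery_req req;
    make_req(&req, OTHER_MAC);
    return mac_matches_fixed(&req, ROUTER_MAC);
}

/* Result of the corrected check for the router's own MAC (expected 1). */
int fixed_accepts_router_mac(void)
{
    struct discovery_req req;
    make_req(&req, ROUTER_MAC);
    return mac_matches_fixed(&req, ROUTER_MAC);
}

int main(void)
{
    printf("buggy check accepts wrong MAC:    %d\n", buggy_accepts_other_mac());
    printf("buggy check clobbers request MAC: %d\n", buggy_clobbers_request());
    printf("fixed check accepts wrong MAC:    %d\n", fixed_accepts_other_mac());
    printf("fixed check accepts router MAC:   %d\n", fixed_accepts_router_mac());
    return 0;
}
```

The corrected function only restores the filter the author seems to have intended; as the quote itself says, a MAC address is visible to every host on the LAN, so even the fixed comparison is not authentication, and the real mitigation is not exposing a root-privileged command interface to the LAN at all.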
The horror- (Score:5, Funny)
every HTTP request goes to a site that has nothing to do with goats!
DD-WRT? (Score:4, Insightful)
Re: (Score:1)
Well that wouldn't be running the vulnerable service, now would it?
Re:DD-WRT? (Score:5, Insightful)
Well that wouldn't be running the vulnerable service, now would it?
That was his question.
It's not obvious to everyone what runs in untouchable firmware (i.e. a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.
Re: (Score:3)
Exactly. My first assumption is that Tomato or DD-WRT would be safe from this attack but I'd rather hear it from someone who knows for sure. Who knows what drivers, bits of code or low-level firmware are reused between the two? Not me.
Vulnerable, where "somesuch" == AsusWRT-Merlin (Score:5, Informative)
You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.
Re: (Score:2)
I didn't know there were others other than Merlin that were based on the official firmware?
All the main culprits (DD-WRT, etc...) are completely immune of course.
Re: (Score:1)
They would be unaffected.
Contrary to the article, AsusWRT-Merlin has a patch available: http://asuswrt.lostrealm.ca/changelog
Re: (Score:3)
As does the Merlin fork if you're using that http://forums.smallnetbuilder.... [smallnetbuilder.com]
Re: (Score:2)
Re: (Score:2)
Have it repaired or get your money back. This shit has got to cost them.
Or, don't let untrusted users on your private network.
lol kill the infosvr service with its own exploit. (Score:5, Interesting)
Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:
$ ./asus-cmd "killall -9 infosvr"
Re:People still use wireless routers? (Score:4, Informative)
Just connect an access point to an OpenBSD [openbsd.org] box, and this crap won't happen.
Why will that prevent it from happening? Anyone that owns the access point can inspect and modify all of the traffic that passes through it.
If you're running Merlin's ASUS-WRT (Score:5, Informative)
He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)
http://forums.smallnetbuilder.... [smallnetbuilder.com]
The full file (Score:3, Informative)
Here's the full file common.c [github.com] for those who want to read the source code.
What do you think about the code?
It's official ... (Score:3)
It looks like it's official, people who make networking gear are either incompetent or lazy.
Possibly both.
Re: (Score:3)
This has been the case for years. For ages and ages I've seen home routers with crappy firmware that results in bad connectivity. NAT table entries timing out too soon, inability to handle VPN traffic, crashes, lock-ups, performance slowdowns, the works.
This is why for years I've been running a full blown Linux machine as a router. Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garb
Re: (Score:1)
By what process? Automated software, maybe, as it's a suspicious comparison -- in fact, the compiler should emit a warning (0 isn't a void*). A human reading the code, unlikely.
Re: (Score:2)
Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.
Mainly because the market is very price sensitive and as a result routers tend to use some slow SOC with a minimal amount of RAM because it costs less. Linux or BSD wouldn't do you much good if every time someone fires up bittorrent, the NAT table fills because there just isn't enough RAM to handle it all. It has only been recently that I've seen routers with a decent amount of RAM and even then that has been in the $150+ range while most people I know prefer to spend $30 to $40.
Re: (Score:1)
It's often not the real amount of RAM, but idiotic low limits on the connection table size -- 2048, 4096 -- even when there's plenty of RAM for a larger table.
Re: (Score:2)
These Asus models use AsusWRT, a derivative of the Linux based OpenWRT [wikipedia.org]. All the source code is public, and there are even alternate builds [lostrealm.ca] that track Asus's code but with additional features. (The problem is fixed already in that one)
They are writing some major garbage in-house, like Asus's terrible AiCloud, but those are not the core routing features; those they just pull in from Linux. In this case, the bug is in the router side code that supports their "ASUS Wireless Router Device Discovery Utility".
Re: (Score:1)
Personally, I think the AiCloud features are nice in theory, but I also prefer the more standard options. AiCloud has companion android/ios apps for the less technically s
Re: (Score:3)
Occasional security vulnerabilities are inevitable, which means you always have to be careful what you're exposing to the world. AiCloud exposes way too much. The February disaster [arstechnica.com] showed why it's just a fundamentally flawed idea.
Re: (Score:1)
It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house
But that's the thing.
They are running a Linux kernel, but stuffing around with how the system boots, what services are running on it (using their dodgy apps) and their incorrectly setup firewall rules.
Re: (Score:1)
The people who want to steal and hack their way into your network are in places like North Korea, China, Russia. Not sitting in your home accessing your network.
They just need to be within reach of your wireless signal. Could be one of the adjacent apartments, the house next door, or any "drive by"...
Interesting - I have 3 of these (Score:1)
Re: (Score:1)
Re: (Score:2)
Consider this scenario.
1. Evil hacker creates some malicious JavaScript that does three things: it attempts to connect to a local Asus router; upon finding one it reconfigures it to allow external access; after successfully hacking a router it opens a connection to his server to report another victim.
2. Evil hacker sets up a rogue WiFi hotspot in a coffee shop near your office, and lures people into connecting to his evil open proxy (check out the WiFi Pineapple if you want to see how such a device works, o
our users are secure (Score:4, Informative)
TMobile CellSpot routers are ASUS routers (Score:3)
So, I have a free-while-you're-with-T-Mobile router from T-Mobile. It's an NTAC68U with a custom firmware. The custom firmware IS vulnerable. But, the firmware is simplified, and doesn't have any way of getting a command line interface to run killall.
I'm a geek, so I can reflash to Merlin or something like that. But most people with these routers will be non-technical folks. I hope the T-Mobile folks patch this quickly.
Re: (Score:1)
Use the exploit to get the privileges needed to clean up the vulnerability?
And remember folks (Score:2)
Comcast opening access to your router to people you don't know is nothing to worry about. What could possibly go wrong?
Re: (Score:2)
And that is why you don't use their router on your network.
From what I understand (I'm not a Comcast customer), Comcast is opening up the router they provide to offer wifi access to other Comcast customers. If you have your own router, this does not happen.
I do not understand why anyone would pay to rent a cable modem/router from the cable company--it makes no financial sense (ok if you are only at that location for ~10 months or less the rental is cheaper). The only reason you have to have their cable mo
Re: (Score:2)
This is true. I run my own router myself.
Not the only router with bugs.. (Score:1)