Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Networking Wireless Networking Hardware

Asus Wireless Routers Can Be Exploited By Anyone Inside the Network 68

An anonymous reader writes A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant. Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software. The vulnerability stems from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr runs with root privileges and contains an unauthenticated command execution vulnerability, in turn permitting anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router. In relevant part: The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake. Here are the technical details at GitHub.
This discussion has been archived. No new comments can be posted.

Asus Wireless Routers Can Be Exploited By Anyone Inside the Network

Comments Filter:
  • The horror- (Score:5, Funny)

    by pecosdave ( 536896 ) on Friday January 09, 2015 @10:14AM (#48774743) Homepage Journal

    every HTTP request goes to a site that has nothing to do with goats!

  • DD-WRT? (Score:4, Insightful)

    by Sir_Eptishous ( 873977 ) on Friday January 09, 2015 @10:15AM (#48774755)
    What about ASUS routers flashed with DD-WRT or Tomato or somesuch?
    • by Anonymous Coward

      Well that wouldn't be running the vulnerable service, now would it?

      • Re:DD-WRT? (Score:5, Insightful)

        by hawguy ( 1600213 ) on Friday January 09, 2015 @11:57AM (#48775697)

        Well that wouldn't be running the vulnerable service, now would it?

        That was his question.

        It's not obvious to everyone what runs in untouchable firmware (i..e a phone's baseband processor), what runs in the operating system, and what runs in application software. Just because someone knows enough to re-flash dd-wrt into a router, that doesn't mean that they know whether it's a full operating system or an application that runs on top of the router's firmware.

        • by Richy_T ( 111409 )

          Exactly. My first assumption is that Tomato or DD-WRT would be safe from this attack but I'd rather hear it from someone who knows for sure. Who knows what drivers, bits of code or low-level firmware are reused between the two? Not me.

    • by raymorris ( 2726007 ) on Friday January 09, 2015 @11:49AM (#48775615) Journal

      You can tell the other people who replied to you to suck it, because routers running alternative firmware ARE vulnerable if that alternative firmware is forked from asuswrt. AsusWRT-Merlin is one example, and is actually shown in TFA.

      • I didn't know there were others other than Merlin that were based on the official firmware?

        All the main culprits (DD-WRT, etc...) are completely immune of course.

    • by Anonymous Coward

      They would be unaffected.

      Contrary to the article, AsusWRT-Merlin has a patch available: http://asuswrt.lostrealm.ca/changelog

  • by Anonymous Coward on Friday January 09, 2015 @10:26AM (#48774833)

    Alternatively, disable the infosvr service by killing the process after each boot. For extra fun/irony, use the exploit to do this:

    $ ./asus-cmd "killall -9 infosvr"

  • by the_skywise ( 189793 ) on Friday January 09, 2015 @10:27AM (#48774847)

    He's already got a temporary patch up which will disable the vulnerable feature. (He also shows a few other ways of securing the issue)

    http://forums.smallnetbuilder.... [smallnetbuilder.com]

  • The full file (Score:3, Informative)

    by Anonymous Coward on Friday January 09, 2015 @10:31AM (#48774877)

    Here's the full file common.c [github.com] for those who want to read the source code.

    What do you think about the code?

  • by gstoddart ( 321705 ) on Friday January 09, 2015 @10:32AM (#48774889) Homepage

    It looks like it's official, people who make networking gear are either incompetent or lazy.

    Possibly both.

    • This has been the case for years. For ages and ages I've seen home routers with crappy firmware that results in bad connectivity. NAT table entries timing out too soon, inability to handle VPN traffic, crashes, lock-ups, performance slowdowns, the works.

      This is why for years I've been running a full blown Linux machine as a router. Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garb

      • by gmack ( 197796 )

        Plenty of performance and memory, never any issues. It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house.

        Mainly because the market is very price sensitive and as a result routers tend to use some slow SOC with a minimal amount of RAM because it costs less. Linux or BSD wouldn't do you much good if every time someone fires up bittorrent, the NAT table fills because there just isn't enough RAM to handle it all. It has only been recently that I've seen routers with a decent amount of ram and even then that has been in the $150+ range while most people I know refer to spend $30 to $40.

        • by Cramer ( 69040 )

          It's often not the real amount of ram, but idiotic low limits on the connection table size -- 2048, 4096 -- even when there's plenty of ram for a larger table.

      • These Asus models use AsusWRT, a derivative of the Linux based OpenWRT [wikipedia.org]. All the source code is public, and there are even alternate builds [lostrealm.ca] that track Asus's code but with additional features. (The problem is fixed already in that one)

        They are writing some major garbage in-house, like Asus's terrible AiCloud, but those are not the core routing features; those they just pull in from Linux. In this case, the bug is in the router side code that supports their "ASUS Wireless Router Device Discovery Utility".

        • Technically, AsusWRT is forked from Tomato. There is, however, openwrt based entware/optware package managers for MIPS and ARM based routers, respectively, when utilizing AsusWRT-Merlin. Asus also runs some additional packages via their own hosted optware repos, but these are generally outdated, with exception to certain core extras.

          Personally, I think the AiCloud features are nice in theory, but I also prefer the more standard options. AiCloud has companion android/ios apps for the less technically s
          • Occasional security vulnerabilities are inevitable, which means you always have to be careful what you're exposing to the world. AiCloud exposes way too much. The February disaster [arstechnica.com] showed why it's just a fundamentally flawed idea.

      • It makes me wonder why more router manufacturers don't use Linux or BSD derivatives for their firmware instead of writing garbage in-house

        But that's the Thing.
        They are running a Linux kernel, but stuffing around with how the system boots, what services are running on it (using their dodgy apps) and their incorrectly setup firewall rules.

  • However, if I read this correctly, you would have to have the network key or physical access to the router in order to use this exploit. I use mine with WPA2 authentication, and only give the key to trusted individuals. I don't care what brand of router you have access to...if I have physical access, I can compromise it. So, unless you're using one of these routers in a commercial environment (I do use mine for work, but not in the office setting) then there's little to worry about it. That said, I will
    • I suppose you could just be on the LAN, but why would you be on the LAN with an ASUS WiFi router and not have physical access to it?
    • by plover ( 150551 )

      Consider this scenario.

      1. Evil hacker creates some malicious javascript that does three things: it attempts to connect to a local Asus router; upon finding one it reconfigures it to allow external access; after successfully hacking a router it opens a connection to his server to report another victim.
      2. Evil hacker sets up a rogue WiFi hotspot in a coffee shop near your office, and lures people into connecting to his evil open proxy (check out the WiFi Pineapple if you want to see how such a device works, o

  • our users are secure (Score:4, Informative)

    by sloach ( 2609853 ) on Friday January 09, 2015 @11:19AM (#48775321)
    My company makes a product that runs on ASUS routers. We've put in a workaround to this vulnerability for our users - see our blog post on the subject here: https://www.aterlo.com/blog/ [aterlo.com]
  • So, i have a free-while-youre-with-tmobile router from TMobile. Its a NTAC68U with a custom firmware. The custom firmware IS vulnerable. But, the firmware is simplified, and doesn't have any way of getting a command line interface to run killall.

    Im a geek, so I can reflash to Merlin or something like that. But most people with these routers will be non-technical folks. I hope the TMobile folks patch this quickly.

  • Comcast opening access to your router to people you don't know is nothing to worry about. What could possibly go wrong?

    • And that is why you don't use their router on your network.

      From what I understand (I'm not a Comcast customer), Comcast is opening up the router they provide to offer wifi access to other Comcast customers. If you have your own router, this does not happen.

      I do not understand why anyone would pay to rent a cable modem/router from the cable company--it makes no financial sense (ok if you are only at that location for ~10 months or less the rental is cheaper). The only reason you have to have their cable mo

  • ..for example the Bewan iBox stores wlan passwords and remote access keys in plaintext, which can be dumped from internal network by anyone. Here is my notes [google.com] on the topic which I did report to CERT-FI in 12/2010.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...