possible security holes with RT-N66U

fr33z0n3r

Regular Contributor
Figured folks would be interested, and hopefully Merlin can work his magic (but it's not likely, I know).

http://packetstormsecurity.com/files/122141/asus-traversal.txt

Recommendations from there:

"Mitigation and temporary fixes:

- Users need to be alerted to turn off AiCloud service immediately
- All Web access to both the http and https need to be halted until proven safe
- UPnP services need to be turned off (I'd say that a safe bet is for all home routers to turn it off)
- Disable FTP and Samba services until the problem is fully understood/patched if possible
- Enable the built in firewall, change authentication to be MD5 hashed
- CHANGE THE DEFAULT USERNAME AND PASSWORD!!!!
- End Users should try to avoid using the default gateway of 192.168.1.1 and pick something unusual
- Turn off IPSEC, PPTP and the other NAT passthroughs if the VPN is not explicitly being utilized
- Upgrade to third party firmware, which appears from a few reports to be immune to some extent (not proven or tested)"
 
Thanks for the heads-up. I'd say this is the biggest concern/issue:

- Users need to be alerted to turn off AiCloud service immediately
- All Web access to both the http and https need to be halted until proven safe

All of the others I'd consider pretty standard measures anyway - i.e. run at your own risk, and only if you need them.

Sounds like the web service behind AiCloud could do with some 'tightening up'.

Don't suppose you have any recommendations for resolving (i.e. using a different version / configuration of httpd/lighttpd)?
 
While I am in security, this is one of my weak areas. I'll defer to folks who have a clue. :)

The web attacks are concerning, but I was unable to confirm the issue since I have no device outside my fw right now I can use. So I simply disabled AiCloud.

Other than that, I would want to get an in-depth external scan of a device to find out what is happening.
 
I wish the author hadn't rambled on for 4 pages and had gotten to the point; it's hard to determine exactly WHAT the attack vector is.

I eventually managed to understand at least one of the issues he was talking about. Not much I can do about it unfortunately since AiCloud is partly closed-source, but I can point my Asus contact at this so they can further investigate it (along with a simpler test case for them to reproduce the issue).

In the meantime, yes, disabling AiCloud is probably a good idea. I was able to bypass authentication even under FW 372.

EDIT: Email sent to my contact, along with a simpler test case for him to reproduce the issue.
 
I was able to access it too without authentication, on asuswrt-merlin 3.0.0.4.359.29 Beta.

AiCloud deactivated!
 
What options exactly do I deactivate in order to close the hole? I see several AiCloud-related options. Do I switch all of them off, effectively disabling all media server functionality also for my internal network, or is it possible to leave DLNA streaming intact on my LAN and just disable or block AiCloud for WAN access?
 
Under 'administration' / 'system', make sure 'enable access from WAN' is set to 'No'.

I'm pretty sure this kills it from my previous testing, but to be sure, under 'AiCloud' set all the Cloud Disk, Smart Access and Smart Sync options to 'off'.
 
To answer your other question, you should be OK leaving the media server options enabled to serve the internal LAN clients.
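The disable-these-options advice above, and the advisory's mitigation list quoted in the first post, can be checked from a shell on the router instead of by clicking through the UI. The following is an added example written for this page; it is not code from the thread, from ASUS or from asuswrt-merlin. It assumes the nvram variable names enable_webdav, webdav_aidisk, webdav_proxy, enable_cloudsync, misc_http_x, upnp_enable, enable_ftp, enable_samba, http_username, http_passwd, lan_ipaddr and wan0_ifname, the AiCloud listener ports 443 and 8082, and asuswrt-merlin's /jffs/scripts/firewall-start hook. Verify each of those against your own firmware before acting on the output.

```sh
#!/bin/sh
# Added example, not from the thread or from ASUS/asuswrt-merlin: audit an asuswrt
# nvram dump for the exposures discussed above (AiCloud, WAN-side admin, UPnP, FTP,
# Samba, default credentials) and print firewall rules that keep AiCloud LAN-only.
#
# The nvram variable names here are ASSUMPTIONS based on asuswrt naming. Confirm them
# on your firmware first:   nvram show | grep -Ei 'webdav|cloudsync|misc_http|upnp'

n=0
warn() { echo "WARN: $1"; n=$((n + 1)); }
flag_if_on() { if [ "$1" = "1" ]; then warn "$2"; fi; }   # $1 = value, $2 = message

# audit_nvram: reads "key=value" lines on stdin (the format of `nvram show`), prints a
# WARN line per risky setting and a final "FLAGGED <count>" line; always returns 0.
audit_nvram() {
  n=0
  while IFS='=' read -r key value; do
    case "$key" in
      enable_webdav)    flag_if_on "$value" 'AiCloud master switch on (enable_webdav=1)' ;;
      webdav_aidisk)    flag_if_on "$value" 'AiCloud Cloud Disk on (webdav_aidisk=1)' ;;
      webdav_proxy)     flag_if_on "$value" 'AiCloud Smart Access on (webdav_proxy=1)' ;;
      enable_cloudsync) flag_if_on "$value" 'AiCloud Smart Sync on (enable_cloudsync=1)' ;;
      misc_http_x)      flag_if_on "$value" 'web admin reachable from WAN (misc_http_x=1)' ;;
      upnp_enable)      flag_if_on "$value" 'UPnP on (upnp_enable=1)' ;;
      enable_ftp)       flag_if_on "$value" 'FTP server on (enable_ftp=1)' ;;
      enable_samba)     flag_if_on "$value" 'Samba on (enable_samba=1)' ;;
      http_username)    if [ "$value" = "admin" ]; then warn 'default admin username still in use'; fi ;;
      http_passwd)      case "$value" in admin|password|'') warn 'default or empty admin password' ;; esac ;;
      lan_ipaddr)       if [ "$value" = "192.168.1.1" ]; then warn 'default gateway 192.168.1.1 (minor; see advisory)'; fi ;;
    esac
  done
  echo "FLAGGED $n"
  return 0
}

# wan_block_rules WAN_IF PORTS: prints iptables rules for /jffs/scripts/firewall-start
# (asuswrt-merlin) that refuse new WAN-side connections to the AiCloud listener ports
# while LAN clients keep using them. 443 and 8082 are the ASSUMED defaults
# (nvram webdav_https_port / webdav_http_port).
wan_block_rules() {
  wan_if=${1:-eth0}
  for p in $(echo "${2:-443,8082}" | tr ',' ' '); do
    echo "iptables -I INPUT -i $wan_if -p tcp --dport $p -m state --state NEW -j DROP"
  done
}

# Stand-alone run on a real router (skipped where the nvram tool is absent).
if command -v nvram >/dev/null 2>&1; then
  nvram show 2>/dev/null | audit_nvram
  wan_block_rules "$(nvram get wan0_ifname)" 443,8082
fi
```

Run it as `nvram show 2>/dev/null | audit_nvram` on the router, or feed it a saved dump offline. The firewall rules are the belt-and-braces option for the LAN-only question above: they refuse new WAN-side TCP connections to the AiCloud ports without touching the media server or LAN clients, but they are not a substitute for turning AiCloud off while the issue is unpatched.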
 
What will really bake your noodle is the stuff I only disclosed to ASUS so far. Why even bother with hashing /shadow when they leave this in there?

curl https://<IP>/smb/tmp/$dir/lighttpd/permissions -k -L

Other stuff I won't disclose though, such as traversing to the admin panel is possible, even when the micro_httpd stuff is LAN facing only.

Long-winded answer made short: it's the $root sitting in nvram, poking out to the WAN. It gives access to everything else; I'm sure you've grabbed the XMLs? Secure isolation is never actually possible until $root is dealt with somehow.
 
So, you were the source of this release? Or is it simply that you ALSO have vulns reported to ASUS?


Merlin - any idea if all similar devices would be vuln based on firmware level?
 
Since the issues (at least those I could verify) are related to AiCloud, then any device with AiCloud enabled is vulnerable.

I have nothing else to report on other potential security issues.
 
Has anybody heard back from ASUS regarding these vulnerabilities?
 
I can tell you that, for some reason, I have a ton of dropped packets from scans filling my syslog servers: China, Turkey, Netherlands. It got to the point where I had to reboot my router. I only have OpenVPN running externally. I may shut it down, although they are not specifically targeting this. I find it odd given what is going on, almost like my WAN IP has an Asus fingerprint on it. Granted, I know this is all a coincidence (I hope)...
 
Port scanning has been part of the regular background noise for a long time. It doesn't mean you are targeted specifically. Most likely they are simply scanning the whole IP block that belongs to your ISP.
 
Oh I know, Merlin, believe me. It is just odd that the activity has seemed to pick up dramatically in the past week. I had to reboot my router for the first time since installing your build over a month ago. I can't say scientifically whether it was related to all of the dropped packets, but there is processing going on when a packet is dropped, I suppose, and there was so much of it that I felt like I was looking at my company's ASAs.
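Merlin's point that the noise is most likely a whole-block sweep rather than something aimed at one address can be checked from the dropped-packet lines themselves. As an added example (not from the thread), the shell function below summarises netfilter DROP log lines two ways: distinct destination ports per source, which is high when one host is scanning you, and distinct sources per destination port, which is high when many hosts are sweeping one service. The "DROP " log prefix, the WAN interface name eth0 and the sample lines are constructed assumptions; adjust them to what your syslog actually shows.

```sh
#!/bin/sh
# Added example, not from the thread: summarise netfilter DROP log lines so you can
# tell an Internet-wide sweep of one service from a scan aimed at your address.
# Input format is the Linux LOG target as asuswrt writes it to syslog with the
# "DROP " prefix (ASSUMPTION: check the exact prefix in your own /tmp/syslog.log).

# CONSTRUCTED sample, not a real capture. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Jul  5 01:12:03 RT-N66U kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=41000 DPT=8082 SYN
Jul  5 01:12:04 RT-N66U kernel: DROP IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=41001 DPT=8082 SYN
Jul  5 01:12:05 RT-N66U kernel: DROP IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=41002 DPT=8082 SYN
Jul  5 01:12:06 RT-N66U kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=50000 DPT=22 SYN
Jul  5 01:12:06 RT-N66U kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=50001 DPT=23 SYN
Jul  5 01:12:06 RT-N66U kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=50002 DPT=443 SYN
Jul  5 01:12:06 RT-N66U kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=50003 DPT=8082 SYN
Jul  5 01:12:06 RT-N66U kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=50004 DPT=1194 SYN
Jul  5 01:12:07 RT-N66U kernel: DROP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=33000 DPT=445 SYN'

# drop_summary WAN_IF [MIN_PORTS] [MIN_SRCS]
#   reads log lines on stdin and prints:
#     wan_drops N       drops seen on the WAN interface (LAN-side drops are ignored)
#     portscan SRC N    one source probed N (>= MIN_PORTS) distinct ports: aimed at you
#     sweep PORT N      N (>= MIN_SRCS) distinct sources hit one port: background sweep
drop_summary() {
  awk -v ifc="${1:-eth0}" -v min_ports="${2:-4}" -v min_srcs="${3:-3}" '
    / DROP / {
      onwan = 0; src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i == ("IN=" ifc)) onwan = 1
        else if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (!onwan || src == "" || dpt == "") next
      total++
      if (!((src, dpt) in seen)) {          # count each (source, port) pair once
        seen[src, dpt] = 1
        ports_per_src[src]++
        srcs_per_port[dpt]++
      }
    }
    END {
      printf "wan_drops %d\n", total
      for (s in ports_per_src) if (ports_per_src[s] >= min_ports) printf "portscan %s %d\n", s, ports_per_src[s]
      for (p in srcs_per_port) if (srcs_per_port[p] >= min_srcs) printf "sweep %s %d\n", p, srcs_per_port[p]
    }'
}

# Stand-alone demo on the constructed sample. On the router:  drop_summary eth0 < /tmp/syslog.log
printf '%s\n' "$SAMPLE_LOG" | drop_summary eth0
```

On the constructed sample the output shows one "sweep 8082" line (four unrelated sources all trying the same AiCloud port, which is what a post-disclosure sweep of an ISP block looks like) and one "portscan" line for the single host that walked several ports. If real logs show only sweep lines, Merlin's reading applies; a portscan line against your address is the case worth a closer look.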
 
Expect a fixed AiCloud version in the very near future, for most of the routers with AiCloud enabled.
 
I'm glad they are addressing it quickly after YOU contacted them. But... my sincere response:

............................................________........................
....................................,.-‘”...................``~.,..................
.............................,.-”...................................“-.,............
.........................,/...............................................”:,........
.....................,?......................................................\,.....
.................../...........................................................,}....
................./......................................................,:`^`..}....
.............../...................................................,:”........./.....
..............?.....__.........................................:`.........../.....
............./__.(.....“~-,_..............................,:`........../........
.........../(_....”~,_........“~,_....................,:`........_/...........
..........{.._$;_......”=,_.......“-,_.......,.-~-,},.~”;/....}...........
...........((.....*~_.......”=-._......“;,,./`..../”............../............
...,,,___.\`~,......“~.,....................`.....}............../.............
............(....`=-,,.......`........................(......;_,,-”...............
............/.`~,......`-...............................\....../\...................
.............\`~.*-,.....................................|,./.....\,__...........
,,_..........}.>-._\...................................|..............`=~-,....
.....`=~-,_\_......`\,.................................\........................
...................`=~-,,.\,...............................\.......................
................................`:,,...........................`\..............__..
.....................................`=-,...................,%`>--==``.......
........................................_\..........._,-%.......`\...............
...................................,<`.._|_,-&``................`\..............
 
> I'm glad they are addressing it quickly after YOU contacted them. But... my sincere response:

I suspect they were already working on it before I contacted them, since they told me they knew about the issue when I emailed them. Me providing them with a specific test case might have just sped up testing, I suppose.
 
> So, you were the source of this release? Or is it simply that you ALSO have vulns reported to ASUS?
>
> Merlin - any idea if all similar devices would be vuln based on firmware level?

The first problems were reported to ASUS in Jan by a researcher who found the XMLs accessible on the UPnP port. In March the $root problem was reported to them by another guy, who found that $root had a built-in PW which was also vulnerable. In June I reported to ASUS the proofs of how the earlier two findings could be exploited.

After a couple of weeks I had not heard back from them, until the morning of the first disclosure. I have made all my work and notes available to them. Others have asked that they stop promoting the AiCloud service until a fix is in place, or perhaps send a notice to their customers, like Cisco will often do.

Neither has happened. I'd bet a lot of money that the exploits were found by others perhaps as early as Dec 2012. My question to them is did they do any pen testing or in house security QA before releasing the products to the market?
 