
WaVeR

Regular Contributor
Hi folks,

There's a PoC related to our router, the AC66U. The PoC was tested against Firmware 3.0.0.4.266. Other versions can be vulnerable too.

You can read more at: http://cxsecurity.com/issue/WLB-2013070209


# netstat -ln | grep 59
tcp 0 0 0.0.0.0:5916 0.0.0.0:* LISTEN
 
What's disturbing is that whenever I log out of the web admin page of my AC-RT66U, I get the message that says "You have logged out successfully"; however, if I just visit the URL of my router's admin page (or click the back button), it lets me right in without challenging me again for the username/password. Essentially, the logout feature is fake or non-existent. Has anyone else ever noticed that? It seems like I have to manually delete cookies and session info in my browser before it will truly log me out. This makes the attack so much more likely to work, because there are still numerous active sessions sitting in potentially thousands of users' browser caches waiting to be leveraged by one click of a malicious link.

Hopefully, a firmware fix gets put in place that will actually log out or invalidate the current session when the user clicks the logout button. At least, that's my understanding of the issue. Is there something else that I may be missing?
 
> What's disturbing is that whenever I log out of the web admin page of my AC-RT66U, I get the message that says "You have logged out successfully"; however, if I just visit the URL of my router's admin page (or click the back button), it lets me right in without challenging me again for the username/password. Essentially, the logout feature is fake or non-existent. Has anyone else ever noticed that? It seems like I have to manually delete cookies and session info in my browser before it will truly log me out.

No need to. Simply close the browser. The issue is that your browser still has the credentials cached, and automatically resubmits them, effectively logging you back in.

The router doesn't use cookies for authentication, it's 100% reliant on HTTP basic Authentication, and the IP of the client.
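The point made in the reply above is worth seeing in code: with HTTP Basic Authentication the router keeps no session, so a "logout" page has nothing to invalidate, and the browser's cached Authorization header keeps working until the browser is closed. The following simulation is an added example written for this thread; it is not code from the Asus firmware, and the IP binding it models, the credentials and the addresses are constructed assumptions drawn from the post rather than from the router's source. It contrasts the Basic-auth model with a session-token model in which logout deletes server-side state.

```python
import base64
import secrets

# Constructed credentials and addresses for the simulation (not real router values).
ROUTER_USER = "admin"
ROUTER_PASS = "constructed-example-password"
LAN_CLIENT_IP = "192.168.1.23"


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Authorization header a browser caches after the first successful
    challenge and then resends on every later request to the same realm."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _cookie_token(headers: dict) -> str:
    """Extract the session token from a 'Cookie: session=...' header, if any."""
    cookie = headers.get("Cookie", "")
    return cookie[len("session="):] if cookie.startswith("session=") else ""


class BasicAuthRouter:
    """Model of the behaviour described in the thread: each request is checked
    against the Basic credentials and the client IP; no session is stored, so the
    'logout' page has nothing to invalidate. Binding to the first client IP is an
    assumption taken from the post, not from the firmware."""

    def __init__(self, user: str, password: str, client_ip: str):
        self._expected = basic_auth_header(user, password)["Authorization"]
        self._client_ip = client_ip  # IP from which the credentials were accepted

    def authorize(self, headers: dict, client_ip: str) -> bool:
        return (headers.get("Authorization") == self._expected
                and client_ip == self._client_ip)

    def logout(self, headers: dict, client_ip: str) -> str:
        # Nothing to clear: the router only holds the credentials to compare against.
        return "You have logged out successfully"


class SessionRouter:
    """Hardened alternative: a random session token is issued at login and
    deleted at logout, so a later request carrying the old token is refused."""

    def __init__(self, user: str, password: str):
        self._user, self._password = user, password
        self._sessions = {}  # token -> client IP that created it

    def login(self, user: str, password: str, client_ip: str) -> dict:
        if (user, password) != (self._user, self._password):
            return {}
        token = secrets.token_urlsafe(32)
        self._sessions[token] = client_ip
        return {"Cookie": f"session={token}"}

    def authorize(self, headers: dict, client_ip: str) -> bool:
        return self._sessions.get(_cookie_token(headers)) == client_ip

    def logout(self, headers: dict, client_ip: str) -> str:
        token = _cookie_token(headers)
        if self._sessions.get(token) == client_ip:
            del self._sessions[token]  # the server-side state that makes logout real
        return "You have logged out successfully"


def simulate(router, cached_headers: dict, client_ip: str) -> dict:
    """Replay what a browser does: send the cached credentials, click logout,
    then revisit the admin page with the same cached credentials."""
    before = router.authorize(cached_headers, client_ip)
    router.logout(cached_headers, client_ip)
    after = router.authorize(cached_headers, client_ip)
    return {"before_logout": before, "after_logout": after}


def run_demo() -> dict:
    basic = BasicAuthRouter(ROUTER_USER, ROUTER_PASS, LAN_CLIENT_IP)
    cached = basic_auth_header(ROUTER_USER, ROUTER_PASS)
    basic_result = simulate(basic, cached, LAN_CLIENT_IP)

    session = SessionRouter(ROUTER_USER, ROUTER_PASS)
    cookie = session.login(ROUTER_USER, ROUTER_PASS, LAN_CLIENT_IP)
    session_result = simulate(session, cookie, LAN_CLIENT_IP)

    return {
        "basic": basic_result,                       # logout changes nothing
        "session": session_result,                   # logout revokes the token
        # Closing the browser drops the cached header, so the next visit is challenged.
        "basic_fresh_browser": basic.authorize({}, LAN_CLIENT_IP),
        # The same cached header from a different LAN address is refused.
        "basic_other_ip": basic.authorize(cached, "192.168.1.99"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Run as a script: the Basic-auth model reports `after_logout: True`, the session model reports `after_logout: False`, and the empty-header case shows why closing the browser is the only client-side "logout" the Basic scheme allows.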
 
I opened a case with Asus (Netherlands) with a reference to this document.
Their first reply essentially said to upgrade to the latest version 274 since that one usually contains fixes for such issues.

Checked the firmware logs and there is no mention of any security fixes (neither to buffer overflows, wrong file permissions, no security check with smb, etc etc etc). Nor is there any mention in 272.

I replied with the above text, let's see what they say. I guess if you care about your data being private (especially keeping in mind certain instances gathering data about everything they can get their hands on) - everyone should contact ASUS about this issue, maybe that will put it on their 'important' list.
 
> I opened a case with Asus (Netherlands) with a reference to this document.
> Their first reply essentially said to upgrade to the latest version 274 since that one usually contains fixes for such issues.
>
> Checked the firmware logs and there is no mention of any security fixes (neither to buffer overflows, wrong file permissions, no security check with smb, etc etc etc). Nor is there any mention in 272.
>
> I replied with the above text, let's see what they say. I guess if you care about your data being private (especially keeping in mind certain instances gathering data about everything they can get their hands on) - everyone should contact ASUS about this issue, maybe that will put it on their 'important' list.

The ACSD daemon is actually a Broadcom binary, so any security fix to it will probably have to come from Broadcom, not Asus.
 
Interesting. See the changelog for the RT-N12 D1 latest firmware:

http://www.asus.com/Networking/RTN12_D1/#support_Download_8

That confirms that Asus are aware of the problem at least.

EDIT: I see the same thing in the RT-AC66U 3.0.0.4.374_130. I will have to check what this service actually does, I wasn't expecting Asus to simply disable it.
 
> Interesting. See the changelog for the RT-N12 D1 latest firmware:
>
> http://www.asus.com/Networking/RTN12_D1/#support_Download_8
>
> That confirms that Asus are aware of the problem at least.
>
> EDIT: I see the same thing in the RT-AC66U 3.0.0.4.374_130. I will have to check what this service actually does, I wasn't expecting Asus to simply disable it.

I don't see acsd running on my router. I was assuming that since I have the b/g and the b/g protection (whatever) all turned off, the acsd daemon doesn't work.
 
Asus support seems to have no clue; their reply is below:

"Not all fixes are shown in the release information on our website, so at first we advise you to use the latest firmware. When after updating to this latest version there are still security issues don't hesitate to contact Asus Technical Support again."

Freely translated: "Go test it yourself and leave us alone." Duh, I'm a consumer - I expect security issues to be fixed, not to be told to test whether flaws in their product are fixed.
 