Thursday, January 8, 2015

ASUS bug lets those on your local network own your wireless router

A few months ago, researcher Joshua Drake (better known as jduck) found a flaw in his ASUS RT-N66U. The flaw is documented as CVE-2014-9583. This week, proof of concept code (i.e. working example code) to exploit this flaw was published.

By sending a specially-crafted packet to UDP port 9999, he was able to execute any command (well, almost any ... the exploit is limited to 237 characters or it will overrun a buffer, likely crashing the router). This does not require being logged into the router, so an attacker has no need to learn the administrator password.

Joshua found this on the RT-N66U, with firmware 3.0.0.376.2524-g0013f52 (current as of October); I've confirmed it also on the newest model RT-AC87U, running the latest 3.0.0.4.378_3754 firmware (released December 31).

ASUS is aware of the flaw and has a fixed version in testing, hopefully to release in a week or so. Until then though, developer Eric Sauvageau (better known as RMerlin) wrote a very simple command to use the router's own firewall to block exploit attempts. If you use his ASUSWRT-Merlin custom firmware, you likely already know how to add his commands to an init script to run automatically when the router boots.

If you stay with the stock firmware (i.e. the firmware provided by ASUS), here's a quick lesson.

The stock ASUS firmware does not include a way to run custom scripts on startup, but it does include a way to run a custom script any time a USB drive is mounted (which occurs shortly after boot). You must do this while logged in via Telnet or SSH. The syntax to cause a script to run upon mounting a USB drive is:

nvram set script_usbmount="/jffs/scriptname"
nvram commit

Create a file with the following lines per RMerlin:

#!/bin/sh
# Drop inbound infosvr traffic (UDP 9999) before the daemon ever sees it
iptables -I INPUT -p udp --dport 9999 -j DROP

If you prefer, you can simply kill the infosvr process. I believe it is used by the router to discover other ASUS routers on the network - which is only necessary if you have a second router running in AP, Media Bridge, or Repeater mode, and even then serves no purpose once you know the address of each router.

#!/bin/sh
# Find every running infosvr process (ignoring the grep itself) and kill it
for pid in $(ps -w | grep infosvr | grep -v grep | awk '{print $1}')
do
   echo "killing $pid"
   kill "$pid"
done

Then set the nvram variable script_usbmount to the location of that file, and execute the file (or reboot the router so the file is executed on its own). Of course, since this is triggered upon mounting a USB drive, it does nothing if you don't have a USB drive attached ... that can easily be remedied by plugging in a cheap flash drive.
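The procedure above (firewall rule, killing infosvr, re-arming through script_usbmount) combined into one script, as an added example that is not RMerlin's one-liner or the scripts from the post. It assumes BusyBox sh, iptables, nvram, ps -w and netstat as found on the RT-N66U/RT-AC87U, a writable /jffs, and that the file is saved at the path chosen here (/jffs/block_infosvr.sh, an assumption) and made executable with chmod +x, since the firmware runs the script_usbmount value as a command. It goes beyond the post in three ways: it checks for the DROP rule before inserting it so repeated USB mounts do not stack duplicates, it matches the infosvr command name exactly instead of grepping (a grep for "infosvr" would also match this script's own path), and it has a verify mode. The text-processing helpers read their listings from stdin so they can be tested off the router.

```shell
#!/bin/sh
# Added example for stock ASUSWRT, not code from the post or from ASUS/RMerlin.
# Assumptions: BusyBox sh, iptables, nvram, ps -w and netstat as on the
# RT-N66U/RT-AC87U; file stored at SCRIPT_PATH (assumed) and chmod +x'd.

SCRIPT_PATH=/jffs/block_infosvr.sh   # assumed location of this file
INFOSVR_PORT=9999                    # port from CVE-2014-9583

# Print the PIDs of every process whose command name equals $1, reading a
# BusyBox `ps -w` listing (PID USER VSZ STAT COMMAND) from stdin. Comparing the
# basename of the COMMAND field exactly avoids matching this script's own path.
pids_of() {
    awk -v name="$1" 'NR > 1 {
        cmd = $5; sub(/.*\//, "", cmd)
        if (cmd == name) print $1
    }'
}

# Exit 0 if an `iptables -L INPUT -n` listing on stdin already holds a DROP
# for UDP destination port $1 (so re-running never stacks duplicate rules).
rule_in_listing() {
    awk -v port="$1" '$1 == "DROP" && $2 == "udp" && $NF == ("dpt:" port) { found = 1 }
                      END { exit !found }'
}

# Exit 0 if a `netstat -uln` listing on stdin shows a UDP socket bound to port $1.
port_listening() {
    awk -v port="$1" '$1 == "udp" && $4 ~ (":" port "$") { found = 1 }
                      END { exit !found }'
}

apply_hardening() {
    # 1. Firewall first: even if infosvr is restarted later, the port stays closed.
    if ! iptables -L INPUT -n | rule_in_listing "$INFOSVR_PORT"; then
        iptables -I INPUT -p udp --dport "$INFOSVR_PORT" -j DROP
    fi
    # 2. Stop the daemon (same effect as the loop in the post).
    for pid in $(ps -w | pids_of infosvr); do
        echo "killing infosvr pid $pid"
        kill "$pid"
    done
    # 3. Re-arm on every USB mount, the only stock hook that fires after boot.
    nvram set script_usbmount="$SCRIPT_PATH"
    nvram commit
}

verify_hardening() {
    if netstat -uln | port_listening "$INFOSVR_PORT"; then
        echo "infosvr still listening on udp/$INFOSVR_PORT"
        return 1
    fi
    if ! iptables -L INPUT -n | rule_in_listing "$INFOSVR_PORT"; then
        echo "DROP rule for udp/$INFOSVR_PORT missing"
        return 1
    fi
    echo "ok: no listener on udp/$INFOSVR_PORT and DROP rule present"
}

# Only act where the router tooling exists; the firmware invokes the script
# with no "verify" argument, so the default branch applies the hardening.
if command -v nvram >/dev/null 2>&1; then
    case "${1:-apply}" in
        verify) verify_hardening ;;
        *)      apply_hardening ;;
    esac
fi
```

Copy the file to /jffs/block_infosvr.sh, chmod +x it, run it once by hand (it sets script_usbmount itself) and then run it with the verify argument; plugging in a flash drive or rebooting should leave verify reporting ok. The rule is inserted at the head of INPUT so it takes precedence over the firmware's LAN ACCEPT rules, which is why it is applied before the process is killed.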

Or you can just go with Joshua's ironic suggestion and use the flaw itself to fix the flaw, exploiting the flaw to run this command anytime the router reboots :-)

Update January 12: ASUS released firmware 3.0.0.4.378_3885 today for the RT-AC87U and RT-AC87R; and firmware 3.0.0.4.376.3754 for earlier models including the RT-N66U. This firmware is confirmed to resolve the vulnerability.

At the moment, the fix is available from the manufacturer website but has not yet been added to the autoupdate process, so it must be installed manually.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.