Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

VULNERABLE FIRMWARE MAKES ASUS ROUTERS SUBJECT TO ATTACK


  • Please log in to reply
11 replies to this topic

#1 Bluediamond

Bluediamond

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 07:55 PM

Wireless router models running the Asuswrt firmware are vulnerable to attacks where blackhat hackers can completely compromise the devices if the attack is launched from within the local networks of the routers.
 
Infosvr, the service running on the routers, is used by the Asus Wireless Router Device Discovery Utility tools and it is the source of this flaw. Infosvr listens to packets that are sent to the router’s local are network interface over a UDO broadcast port 9999.
 
Blackhat Hackers can’t make use of this flaw of the internet but they can control the routers if:
 
* They manage to get into a device connected to the routers
* They manage to connect to the LAN in one way or another
* They manage to get to any local computer that already has the malware on it.
 
Routers are one of the most sought after target for hackers because once they compromise a router, they can get access to networks and get into other devices on the network. Routers are also easier to hack since they have no virus detection programs running on them.
“This service runs with root privileges and contains an unauthenticated command execution vulnerability,” security researcher Joshua Drake, who found the vulnerability, said on his GitHub account.
 
Controlling routers for a hacker means being able to monitor and modify all incoming and outgoing traffic for every other device connected to those routers.
 
Asus has yet to release an update to fix the issue with the routers but there are some ways to block such exploits in the meantime until firmware updates are released. One of them is to create a firewall rule that blocks UDP port 9999 on the affected router like this:
* Connect to the router via Telnet
* Type “iptables -I INPUT -p udp —dport 9999 -j DROP” (without the quotes)
 
This will block the said port but it will have to be redone with every reboot of the router.
Another option that is more permanent would be to upgrade to version 376.49_5 of the Merlin firmware. This version actually contains a fix for the exploit.
 
THE LATEST MERLIN FIRMWARE IS NOW AVAILABLE.

 

NOTE: ASUS HAS ALSO RELEASED THEIR OWN PATCH FOR THIS SECURITY ISSUE.

 

 

WARNING!!!!

"Installing custom firmware can void the device warranty and should only be done by owners or authorized users who understand the process involved. And that those individuals accept all the risks associated with this procedure, including the possibility that their device might become permanently damaged."


Edited by Bluediamond, 12 January 2015 - 11:49 PM.
link disabled


BC AdBot (Login to Remove)

 


#2 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:07:31 AM

Posted 12 January 2015 - 08:03 PM

Am I the only one that finds it to be alarming that you can just telnet into your router, usually without authentication? These sort of things are easily abused to get administration access and/or a root shell.


Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#3 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:06:31 AM

Posted 12 January 2015 - 08:46 PM

As you will notice a link in the first post has been disabled because it is custom firmware hack. As of now, there is nothing from Asus that could be found. Hopefully Asus will supply a fix in the near future.

It should be noted that installing custom firmware can void the device warranty and should only be done by owners or authorized users who understand the process involved. And that those individuals accept all the risks associated with this procedure, including the possibility that their device might become permanently damaged.

EDIT TO ADD

ASUS has posted firmware updates as of today. Owners just need to go to ASUS and find their models and update the firmware.

EX: http://support.asus.com/Download.aspx?SLanguage=en&m=RT-N66U+(VER.B1)&p=11&s=2

ASUS RT-N66U Firmware version 3.0.0.4.376.3754
-Fixed infosvr security issue.
-Fixed Cross-site request forgery security issue
2015.01.12 update

Edited by Queen-Evie, 12 January 2015 - 08:50 PM.


#4 Bluediamond

Bluediamond
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 08:48 PM

Yes and No I have been using Asus routers since the first RT-N of the series and out of all the routers out there it is by far one of the most secure when it comes to people who know how to manage their own SOHO's I like the fact that you could use Telnet network and they have a great track record. I personally though have never used the network so i have always had that feature turned off and by default that feature is in the off mode you have to physically turn it on.

But yes it's a little sad that it was found through freaken UDP It would of made more sense to me in the TCP protocol. And even more astonishing was that it was port 9999.


Edited by Bluediamond, 12 January 2015 - 11:23 PM.


#5 Bluediamond

Bluediamond
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 08:51 PM

As you will notice a link in the first post has been disabled because it is custom firmware hack. As of now, there is nothing from Asus that could be found. Hopefully Asus will supply a fix in the near future.It should be noted that installing custom firmware can void the device warranty and should only be done by owners or authorized users who understand the process involved. And that those individuals accept all the risks associated with this procedure, including the possibility that their device might become permanently damaged.

I apologize I will make sure to add a disclaimer next time as well I was under the impression that a majority of the readers have some general Knowledge about their networks but that would be a asumumtion and it would be incorrect of me.

Also Merlin firmware is by no means a HACK it's uses the same Asus shell and just adds more tweaks features to the routers current and already well established firmware it's just a better way to give you the ability to have more control and since it's open has the ability to be able to be protected from exploits like these making it even more secure than a stock firmware.

Edited by Bluediamond, 12 January 2015 - 08:59 PM.


#6 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,099 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:04:31 AM

Posted 12 January 2015 - 08:53 PM

More information. Most of this news was reported two days ago, and the firmware posted is not from ASUS.

I just found as of 5 minutes ago that ASUS has posted firmware fixes today. I don't know when they were posted today but they show todays date.

As an example for the RT-N66U which is one of the listed routers.

http://support.asus.com/Download.aspx?SLanguage=en&m=RT-N66U+(VER.B1)&p=11&s=2

ASUS RT-N66U Firmware version 3.0.0.4.376.3754
-Fixed infosvr security issue.
-Fixed Cross-site request forgery security issue
File Size 25,81 (MBytes) 2015.01.12 update

Is listed.

I suggest you get the proper firmware for your device from ASUS.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+

#7 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:06:31 AM

Posted 12 January 2015 - 09:26 PM

I apologize I will make sure to add a disclaimer next time as well I was under the impression that a majority of the readers have some general Knowledge about their networks but that would be a asumumtion and it would be incorrect of me.


Some of the readers will have that general knowledge. Others will not. Someone who is not knowledgable could stumble upon this topic and panic because they have an Asus router. They would have no clue whether what you provided is good or bad. In their panic and zeal they will try anything. Suppose something went wrong? Would you be able to help them undo the damage? Would they blame you or Bleeping Computer as a whole because we allowed the link? Nothing is 100% guaranteed.

Bleeping Computer staff made the decision to disable the link and recommend using the Asus link, which has been posted twice.

#8 Zach6656

Zach6656

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:31 AM

Posted 12 January 2015 - 09:41 PM

Why i use DD-WRT on cheap netgear routers i have a $16 refurb highly brickable... just IP updated it :P


always use DD-WRT for all your routers, if you cant get it for them, throw them away


#9 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,082 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:09:31 PM

Posted 12 January 2015 - 09:54 PM

 

Asus has yet to release an update to fix the issue with the routers but there are some ways to block such exploits in the meantime until firmware updates are released. One of them is to create a firewall rule that blocks UDP port 9999 on the affected router like this:
* Connect to the router via Telnet
* Type “iptables -I INPUT -p udp —dport 9999 -j DROP” (without the quotes)

 

 and it's not persistent across  reboots, So would need to be done every time the router restarts. Kinda like firmware updates not so easy for novices.


Edited by NickAu, 12 January 2015 - 09:58 PM.

Arch Linux .
 
 Come join the fun, chat to Bleeping computer members and staff in real time on Discord.
 
The BleepingComputer Official Discord Chat Server!


#10 Bluediamond

Bluediamond
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 10:39 PM

N/A

Edited by Bluediamond, 12 January 2015 - 10:47 PM.


#11 Bluediamond

Bluediamond
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 10:54 PM

 

I apologize I will make sure to add a disclaimer next time as well I was under the impression that a majority of the readers have some general Knowledge about their networks but that would be a asumumtion and it would be incorrect of me.


Some of the readers will have that general knowledge. Others will not. Someone who is not knowledgable could stumble upon this topic and panic because they have an Asus router. They would have no clue whether what you provided is good or bad. In their panic and zeal they will try anything. Suppose something went wrong? Would you be able to help them undo the damage? Would they blame you or Bleeping Computer as a whole because we allowed the link? Nothing is 100% guaranteed.

Bleeping Computer staff made the decision to disable the link and recommend using the Asus link, which has been posted twice.

 

 

To answer your question YES i would as thats the purpose of this site to enlighten as well as educate call me a nice guy but i have helped many here on the past you can check my other posts on topics i have discovered and posted to help others. But again i will make sure to be a bit more thorough in my explanations for the newer populations. 



#12 Bluediamond

Bluediamond
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:NASA
  • Local time:11:31 AM

Posted 12 January 2015 - 10:59 PM

 

 

Asus has yet to release an update to fix the issue with the routers but there are some ways to block such exploits in the meantime until firmware updates are released. One of them is to create a firewall rule that blocks UDP port 9999 on the affected router like this:
* Connect to the router via Telnet
* Type “iptables -I INPUT -p udp —dport 9999 -j DROP” (without the quotes)

 

 and it's not persistent across  reboots, So would need to be done every time the router restarts. Kinda like firmware updates not so easy for novices.

 

 

Correct thats why patching it would be a much better option but that would of been the only option for those who didn't have Merlin Firmware but according to Bleepin 'Animinion ASUS has released a patch today making this method obsolete.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users