Thursday, January 8, 2015

ASUS bug lets those on your local network own your wireless router

A few months ago, researcher Joshua Drake (better known as jduck) found a flaw in his ASUS RT-N66U. The flaw is documented as CVE-2014-9583. This week, proof of concept code (i.e. working example code) to exploit this flaw was published.

By sending a specially-crafted packet to udp port 9999, he was able to execute any commands (well, almost any ... the exploit is limited to 237 characters or it will overrun a buffer, likely crashing the router). This does not require being logged into the router - no need for an attacker to learn the administrator password.

Joshua found this on the RT-N66U, with firmware 3.0.0.376.2524-g0013f52 (current as of October); I've confirmed it also on the newest model RT-AC87U, running the latest 3.0.0.4.378_3754 firmware (released December 31).

ASUS is aware of the flaw and has a fixed version in testing, hopefully to release in a week or so. Until then though, developer Eric Sauvageau (better known as RMerlin) wrote a very simple command to use the router's own firewall to block exploit attempts. If you use his ASUSWRT-Merlin custom firmware, you likely already know how to add his commands to an init script to run automatically when the router boots.

If you stay with the stock firmware (i.e. the firmware provided by ASUS), here's a quick lesson. 

The stock ASUS firmware does not include a way to run custom scripts on startup, but it does include a way to run a custom script anytime a USB drive is mounted (which occurs shortly after bootup). You must do this logged in via telnet or SSH. The syntax to cause a script to run upon mounting a USB drive is:

nvram set script_usbmount="/jffs/scriptname" 
nvram commit

Create a file with the following lines per RMerlin:

#!/bin/sh
iptables -I INPUT -p udp --dport 9999 -j DROP

If you prefer, you can simply kill the infosvr process. I believe it is used by the router to discover other ASUS routers on the network - which is only necessary if you have a second router running in AP, Media Bridge, or Repeater mode, and even then serves no purpose once you know the address of each router.

#!/bin/sh
for pid in `ps -w | grep infosvr | grep -v grep | awk '{print $1}'`
do
   echo "killing $pid"
   kill $pid
done

Then set the nvram variable script_usbmount to the location of that file, and execute the file (or reboot the router so the file is executed on its own). Of course, since this is triggered upon mounting a USB drive, it does nothing if you don't have a USB drive attached ... that can easily be remedied by plugging in a cheap flash drive.

Or you can just go with Joshua's ironic suggestion and use the flaw itself to fix the flaw, exploiting the flaw to run this command anytime the router reboots :-)

Update January 12: ASUS released firmware 3.0.0.4.378_3885 today for the RT-AC87U and RT-AC87R; and firmware 3.0.0.4.376.3754 for earlier models including the RT-N66U. This firmware is confirmed to resolve the vulnerability.

At the moment, the fix is available from the manufacturer website but not yet added to the autoupdate process, so must be installed manually.