Almost all ASUS routers are vulnerable to password stealing or remote code execution

Reported in November 2017, four vulnerabilities (CVE-2017-15655, CVE-2017-15653, CVE-2017-15654, CVE-2017-15656) by Błażej Adamczyk (br0x) allow an attacker to remotely run a code that will reveal the router administrator's credentials . Starting from the version of AsusWRT, it is possible to:

CVE-2017-15655 : in firmware version * And older, remote execution of unauthorized code with administrator privileges, when the logged user opens several subpages of the web-application for managing the router in the browser. An attacker knowing the public IP address of the network (login to the router configuration must be enabled from the outside) may send a request to download a file from the router storing login and password with open text in the NVRAM in the " .CSS " file (see last CVE-2017-15656):

$ curl 'http: // routerIP: 8080' -H 'Host: xxxxxxxxxxxxxx $ (for i in $ (seq 1 9700); do echo -n ""; done) \ $ (nvram show> / www / user / nvram .css) " 

Regarding this vulnerability, the manufacturer refused to susceptibility to older models (eg RT-N65R, RT-N65U), which were simply killed (the product lifecycle was completed).

CVE-2017-15654 : updated and resistant to attack is firmware Otherwise, the vulnerability gives the attacker the ability to guess the identifier of the authenticated user's session token.

What can you do about it? [...]

CVE-2017-15653 : [...] take full control of the router . Vulnerability refers to insufficient verification of the IP address of the user logging in to the router's admin panel. Here, an attacker to perform any action needs a session token ID from the above vulnerability. If he manages to obtain it, the ASUS software will not check the IP address of the person logging in - the attacker bypasses the verification mechanism.

In the published PoC (proof of concept), the attacker downloads the current configuration of the router, even if the request to export settings is sent from a different IP address than the logged-in user:

curl "http: //ROUTERADDRESS/s.CFG" -H "Cookie: asus_token = TOKEN" -H 'User-Agent: asusrouter-asusrouter-asusrouter-asusrouter' 

CVE-2017-15656 : all ASUS routers store passwords in the form of unencrypted text in NVRAM. With the ability to execute remote code, you can run the " nvram show " command (or download and decode the backup file settings) and read the administrator password.

The author of the reported vulnerabilities states:

The combination of all vulnerabilities makes it easy to get access to the router: just wait for the administrator to log in and download the login / password using the token. Finally, you can download the backup file and read the administrator's login and password from the " .CSS " file.

We recommend updating the ASUS routers software as soon as possible. The manufacturer gives detailed instructions .

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.