lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKAWO_VAWbxSRVb8FmYzL9W76b6HRk+sWUrRC5u5DAVGGLErPA@mail.gmail.com>
Date: Wed, 16 Apr 2014 10:06:49 -0500
From: David Longenecker <dnlongen@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] ASUS RT-XXXX SOHO routers expose admin password,
	fixed in 3.0.0.4.374.5517

http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html


In mid February, I wrote that a substantial portion of ASUS wireless
routers would fail to update their firmware. In fact, the "check for
update" function would inform the administrator that the router was fully
up-to-date, even though it was not. ASUS was very quick to fix this. In
analyzing that issue though, I saw some things that looked like potential
avenues of exploit.


The Web GUI for the ASUS RT- series of routers exposes the administrator
username and password in clear text. This is true for
the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R,
RT-N66U, RT-N56R, RT-N56U models. I have not tested but suspect the same is
true of RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same
firmware base but a different sub-version. This is CVE-2014-2719.


If the administrator is logged in, an attacker can browse to
<router_address>/Advanced_System_Content.asp and obtain the username and
password.  Another researcher demonstrated a way to access the router
via embedded images in an email message 18 months ago; that combined with
this would gain an attacker easy administrative access.


Compounding the problem, the admin login does not have a session timeout.
Thus, if the administrator logged in (such as when first configuring the
router, or subsequently installing an update) and does
not intentionally logout, the session remains live and can be exploited as
described above, even if the administrator no longer has a window open on
the router.


Firmware 3.0.0.4.374.5517 fixes both of these issues. The new code no
longer shows the current password to users, and there is a new option to
automatically logout after a set period of time. By default, the router
will now log the administrator account out after 30 minutes; you can set
this anywhere from 10 minutes to 999 minutes, or disable the feature if you
prefer to stay logged in indefinitely.

-- 
Regards,
David Longenecker

Connect: Security Blog <http://dnlongen.blogspot.com> | Security
Twitter<https://www.twitter.com/dnlongen> |
Awana Twitter <https://www.twitter.com/dstx_awana> |
LinkedIn<https://www.linkedin.com/in/dnlongen/>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ