| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Apr 2014 10:06:49 -0500 From: David Longenecker <dnlongen@...il.com> To: fulldisclosure@...lists.org Subject: [FD] ASUS RT-XXXX SOHO routers expose admin password, fixed in 3.0.0.4.374.5517 http://dnlongen.blogspot.com/2014/04/CVE-2014-2719-Asus-RT-Password-Disclosure.html In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. ASUS was very quick to fix this. In analyzing that issue though, I saw some things that looked like potential avenues of exploit. The Web GUI for the ASUS RT- series of routers exposes the administrator username and password in clear text. This is true for the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U models. I have not tested but suspect the same is true of RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base but a different sub-version. This is CVE-2014-2719. If the administrator is logged in, an attacker can browse to <router_address>/Advanced_System_Content.asp and obtain the username and password. Another researcher demonstrated a way to access the router via embedded images in an email message 18 months ago; that combined with this would gain an attacker easy administrative access. Compounding the problem, the admin login does not have a session timeout. Thus, if the administrator logged in (such as when first configuring the router, or subsequently installing an update) and does not intentionally logout, the session remains live and can be exploited as described above, even if the administrator no longer has a window open on the router. Firmware 3.0.0.4.374.5517 fixes both of these issues. The new code no longer shows the current password to users, and there is a new option to automatically logout after a set period of time. By default, the router will now log the administrator account out after 30 minutes; you can set this anywhere from 10 minutes to 999 minutes, or disable the feature if you prefer to stay logged in indefinitely. -- Regards, David Longenecker Connect: Security Blog <http://dnlongen.blogspot.com> | Security Twitter<https://www.twitter.com/dnlongen> | Awana Twitter <https://www.twitter.com/dstx_awana> | LinkedIn<https://www.linkedin.com/in/dnlongen/> _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists