lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAKAWO_Wdjq7XsAWmJZe1xggwMjU0ySqhqtZy6pJG1jnG6C14pA@mail.gmail.com>
Date: Tue, 28 Oct 2014 11:29:48 -0500
From: David Longenecker <dnlongen@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-2718: ASUS wireless router updates are vulnerable to
	a MITM attack

The ASUS RT- series of wireless routers rely on an easily manipulated
process to determine if a firmware update is available, and to retrieve the
necessary update binary. In short, the router downloads via clear-text a
file from http://dlcdnet.asus.com, parses it to determine the latest
firmware version, then downloads (again in the clear) a binary file
matching that version number from the same web site. No HTTP = no assurance
that the site on the other end is the legitimate ASUS web site, and no
assurance that the firmware file and version lookup table have not been
modified in transit.

In the link below I describe the issue in detail, and demonstrate a proof
of concept through which I successfully caused an RT-AC66R to "upgrade" to
an older firmware with known vulnerabilities. In concept it should also be
possible to deliver a fully custom malicious firmware in the same manner.

This applies to the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R,
RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. It may also apply to the
RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base
but a different sub-version.

This has been fixed as an undocumented feature of the 376 firmware branch
(3.0.0.4.376.x).

Details and POC:
http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html

-- 
Regards,
David Longenecker
@dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ