lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKAWO_Wx3iBDATLPOpmr8os5U9orZuU7PQsoNT=J5UwjtpzPvA@mail.gmail.com>
Date: Sun, 7 Feb 2016 21:41:43 -0600
From: David Longenecker <david@...urityforrealpeople.com>
To: fulldisclosure@...lists.org
Subject: [FD] Poor UX in Asus routers can leave the web UI unintentionally
 exposed to the Internet

Asus wireless routers running ASUSWRT firmware (in other words, anything
with an RT- in the model name) have a design flaw in which the
administrator web interface may be open to the public Internet even if you
have specifically disabled web access from the WAN.

Specifically, these routers have two separate controls that affect access
to the router web interface, and no warning that one can override the
other. In order to block public access to your router, both of the
following must be set:

Enable Web Access from WAN: No
Enable Firewall: Yes

If Enable Firewall is set to No, that will override WAN access setting,
with no warning, enabling anyone that knows your IP address to access your
router's administrative interface from anywhere in the world. The attacker
would still have to figure out your password, but this simple design error
makes it all to easy to think you have secured your router, and yet still
be vulnerable.

Looking over Shodan for other devices with banners consistent with Asus
routers, I see around 122,000 routers with a publicly-reachable HTTP
service.

I also find another 15,000 with a publicly accessible HTTPS service -
meaning the owner knew enough to restrict administrative access to an
secured login. I would expect most administrators that took the time to
restrict access to HTTPS, also took the time to restrict such access to
only local devices. In other words, 15,000 people made an effort to
secure their routers, and yet could still be pwned from an Internet
attacker.

This is true as of the most recent firmware available, version
3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware
release that fixes this situation, and expect it will be publicly released
shortly. In the meantime, both "Enable Web Access from WAN" and "Enable
Firewall" must be set properly in order to block public access to the web
UI.

Details, along with an export of the relevant iptables rules set by the
various settings, are at
http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ