
ASUS RT-N66U Hidden Share

Posted Mar 12, 2013
Authored by Sec

The ASUS RT-N66U suffers from a hidden root$ Samba share and a MiniUPnP listening on the WAN interface. It also has an out of date kernel and multiple old libraries in use.

tags | advisory, kernel, root
SHA-256 | 1612183344436e02a4e558842cc13f4e0957fe902f9f0cbc29c1e64699d5cab2

Vulnerable product: ASUS RT-N66U
Vulnerabilities:
- Linux 2.6.22.19
- Old libraries and executables
Interesting vulnerabilities:
- "Hidden" root$ Samba share
- MiniUPnP confirmed listening on "WAN" interface
Workarounds:
- None official, may be able to fix things via telnet (undocumented)

All research performed on latest f/w ("3.0.0.4.270").

Contact timeline:
- 2013-02-19: Initial attempt to contact ASUS support.
- 2013-02-20:
  + "Escalated" support request acting on instructions from ASUS
    support.
  + Was asked to stop contacting ASUS.
  + Reiterated concerns about vulnerabilities, requested escalation to
    product engineers.
- 2013-02-2x: Misdirection, purposeful misunderstanding, handwaving,
  denial from ASUS.
- 2013-02-27: Last-ditch effort to get ASUS to escalate or take
  vulnerabilities seriously.
- 2013-03-12: Release to full-disclosure

Disclaimer: I was on a short timeline (product return to vendor window),
and didn't have a lot of time to analyze my results. And, of course, I
couldn't get any kind of support or confirmation of what I was seeing
from ASUS. Someone--who doesn't work for ASUS--with more time should
probably review my findings.

- The old kernel definitely seems to be unpatched. Any remote or local
vulnerabilities discovered in Linux post 2.6.22.19 almost certainly
apply unless they're platform-specific (i386/amd64 rather than MIPS32).
- None of the libs or executables appear to be patched. Major parts like
Samba appear three times in the source tarball, so trying to guess what
versions are running is definitely an exercise for someone with more
time. Safe to assume lots of unpatched vulns, I think.

More interestingly --

- There's a Samba "root$" share being exported, I think by default. Like
most things, the Samba definitions are stored in "nvram" (actually a
flash partition) rather than *.conf, so it's hard to be sure of the
exact permissions. I would assume the worst, especially given it's
explicitly referred to as "hidden". ASUS refused to discuss this with
me, or so I infer from their complete silence on the topic.

- Startlingly, MiniUPnP is actually the most recent version, but it's
listening on the "WAN" interface by default. I handed ASUS multiple
references to the recent reports of commodity routers with UPnP
listening on external interfaces. They took both a "definitely not
vulnerable" and "neither confirm nor deny" stance, depending which day
they were replying to me. I'm not sure which one takes priority over the
other. Once again assuming the worst.

Worth further investigation --

- The ASUS routers run a lot of in-house software that's probably not a
lot more secure than the rest of the device. See: wanduck (no idea),
networkmap (actively probes localhost, can't be disabled), u2ec
(something to do with USB printer sharing, can't be disabled).

- At least in "AP Mode", which is what I bought it for, I couldn't
change the WPS PIN from the factory default. Would anyone like to test
whether it's generated by MAC address?

- Despite having made the telnet-accessible environment as stupid and
useless as possible, it's at least possible to change settings via the
"nvram" util. May be possible to change the WPS PIN this way (it's in
there) along with a lot of the other insecure behavior.
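
An owner-side check for the "listening on WAN" finding above, added here as an example and not part of the original advisory: it parses `netstat -lntup` output saved from the router's telnet shell and shortlists listeners bound to the WAN address or to a wildcard address. The sample output, ports, PIDs and the WAN address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# Constructed sample in BusyBox `netstat -lntup` layout; not captured from a real RT-N66U.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      312/httpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      298/telnetd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      401/smbd
tcp        0      0 203.0.113.7:5555        0.0.0.0:*               LISTEN      377/miniupnpd
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           377/miniupnpd
udp        0      0 127.0.0.1:38032         0.0.0.0:*                           350/networkmap
"""

def parse_listeners(text):
    """Return (proto, ip, port, program) for each listening socket line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header lines and anything that is not a socket row
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue  # established TCP connections are not listeners
        host, _, port = f[3].rpartition(":")  # rpartition keeps "::" intact for IPv6
        program = f[-1].split("/", 1)[1] if "/" in f[-1] else "?"
        rows.append((f[0], ipaddress.ip_address(host.strip("[]")), int(port), program))
    return rows

def wan_exposed(rows, wan_ip):
    """Listeners bound to the WAN address or to a wildcard (0.0.0.0 / ::) address."""
    # A wildcard bind accepts traffic on every interface, so it is reachable from
    # the WAN side unless a netfilter rule drops it; treat the result as a review list.
    wan = ipaddress.ip_address(wan_ip)
    return [r for r in rows if r[1] == wan or r[1].is_unspecified]

if __name__ == "__main__":
    for proto, ip, port, program in wan_exposed(parse_listeners(SAMPLE), "203.0.113.7"):
        print(f"{proto:4} {ip}:{port:<6} {program}")
```

Each flagged entry still needs to be compared against the router's firewall rules before concluding that it is reachable from outside.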

