exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASUS Router Administrative Interface Exposure

ASUS Router Administrative Interface Exposure
Posted Feb 11, 2016
Authored by David Longenecker

ASUS wireless routers running ASUSWRT firmware have a design flaw in which the administrator web interface may be open to the public Internet even if you have specifically disabled web access from the WAN.

tags | advisory, web
SHA-256 | acefe4f7da5e0a9ebebc7265a613a32f86d3d8d789508910725b215e88ef92d7

ASUS Router Administrative Interface Exposure

Change Mirror Download
Asus wireless routers running ASUSWRT firmware (in other words, anything
with an RT- in the model name) have a design flaw in which the
administrator web interface may be open to the public Internet even if you
have specifically disabled web access from the WAN.

Specifically, these routers have two separate controls that affect access
to the router web interface, and no warning that one can override the
other. In order to block public access to your router, both of the
following must be set:

Enable Web Access from WAN: No
Enable Firewall: Yes

If Enable Firewall is set to No, that will override WAN access setting,
with no warning, enabling anyone that knows your IP address to access your
router's administrative interface from anywhere in the world. The attacker
would still have to figure out your password, but this simple design error
makes it all to easy to think you have secured your router, and yet still
be vulnerable.

Looking over Shodan for other devices with banners consistent with Asus
routers, I see around 122,000 routers with a publicly-reachable HTTP
service.

I also find another 15,000 with a publicly accessible HTTPS service -
meaning the owner knew enough to restrict administrative access to an
secured login. I would expect most administrators that took the time to
restrict access to HTTPS, also took the time to restrict such access to
only local devices. In other words, 15,000 people made an effort to
secure their routers, and yet could still be pwned from an Internet
attacker.

This is true as of the most recent firmware available, version
3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware
release that fixes this situation, and expect it will be publicly released
shortly. In the meantime, both "Enable Web Access from WAN" and "Enable
Firewall" must be set properly in order to block public access to the web
UI.

Details, along with an export of the relevant iptables rules set by the
various settings, are at
http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close