exploit the possibilities

ASUS Router Administrative Interface Exposure

ASUS Router Administrative Interface Exposure
Posted Feb 11, 2016
Authored by David Longenecker

ASUS wireless routers running ASUSWRT firmware have a design flaw in which the administrator web interface may be open to the public Internet even if you have specifically disabled web access from the WAN.

tags | advisory, web
MD5 | 00e62587a24303e07531652cea981350

ASUS Router Administrative Interface Exposure

Change Mirror Download
Asus wireless routers running ASUSWRT firmware (in other words, anything
with an RT- in the model name) have a design flaw in which the
administrator web interface may be open to the public Internet even if you
have specifically disabled web access from the WAN.

Specifically, these routers have two separate controls that affect access
to the router web interface, and no warning that one can override the
other. In order to block public access to your router, both of the
following must be set:

Enable Web Access from WAN: No
Enable Firewall: Yes

If Enable Firewall is set to No, that will override WAN access setting,
with no warning, enabling anyone that knows your IP address to access your
router's administrative interface from anywhere in the world. The attacker
would still have to figure out your password, but this simple design error
makes it all to easy to think you have secured your router, and yet still
be vulnerable.

Looking over Shodan for other devices with banners consistent with Asus
routers, I see around 122,000 routers with a publicly-reachable HTTP
service.

I also find another 15,000 with a publicly accessible HTTPS service -
meaning the owner knew enough to restrict administrative access to an
secured login. I would expect most administrators that took the time to
restrict access to HTTPS, also took the time to restrict such access to
only local devices. In other words, 15,000 people made an effort to
secure their routers, and yet could still be pwned from an Internet
attacker.

This is true as of the most recent firmware available, version
3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware
release that fixes this situation, and expect it will be publicly released
shortly. In the meantime, both "Enable Web Access from WAN" and "Enable
Firewall" must be set properly in order to block public access to the web
UI.

Details, along with an export of the relevant iptables rules set by the
various settings, are at
http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen


Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    5 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close