Root command execution bug found across wireless router range
Fri 9 Jan 2015
A currently unpatched bug in ASUS wireless routers has been discovered whereby users inside a network can gain full administrative control, according to recent research conducted by security firm Accuvant.
Although the flaw does not allow access to external hackers, anyone within the network can take administrative control and reroute users to malicious websites, as well as holding the ability to install malicious software.
“I trust people that join my network to some degree, but I don’t want them to be able to reconfigure the router,” said Joshua Drake, research director at Accuvant. “I can’t prevent them without this getting fixed.”
The vulnerability that Drake outlines rises from a poorly coded service, infosvr, which is used by ASUS to facilitate router configuration by automatically monitoring the local area network (LAN) and identifying other connected routers. Infosvr, Drake explains, runs with root privileges and contains an unauthenticated command execution vulnerability. In turn this permits anyone connected to the LAN to gain control by sending a user datagram protocol (UDP) package to the router.
“The block starts off by excluding a couple of OpCode values, which presumably do not require authentication by design. Then, it calls the memcpy and suspiciously checks the return value against zero. This is highly indicative that the author intended to use memcmp instead. That said, even if this check was implemented properly, knowing the device’s MAC address is hardly sufficient authentication,” said Drake.
Drake wrote that all of ASUS’ known firmware versions for applicable routers (RT-AC66U, RT-N66U, etc.) are susceptible to the bug listed as CVE-2014-9583. Testing was performed against 3.0.0.376.2524-g0013f52.
Less technically-minded individuals can only hope for a patch release from ASUS. For technical users, the flaw itself can be used to turn infosvr off after each reboot using the following command:
$ ./asus-cmd “killall -9 infosvr”
[…]
Again, despite not allowing access to external parties this issue poses high risk for those who use their ASUS routers to setup hotspots and other public Wi-Fi networks.
