I recently bought a new home router, an Asus RT-N56U. It is a basic consumer-level wireless router with some “advanced” features, such as file sharing and a print server. Actually, I am pretty happy with the features of the router. Security is the problem. Or lack of security, to be more precise.
The following article analyses the security of the Asus RT-N56U. All findings/vulnerabilities listed here work with firmware version 18.104.22.168.374_979.
The Asus RT-N56U provides a web interface and shell access to the router. Shell access is disabled by default, while the web interface listens on port 80. There is no secure way to access the router, only Telnet and plain HTTP. By default, the router listens at IP address 192.168.1.1, and the default username and password are admin/admin.
Okay, it is quite unlikely that someone is able to hijack the connection if the admin is connected to the router directly by cable. But still, why on earth would someone prefer Telnet over SSH in the 2010s? Performance cannot be an excuse; the router CPU should easily be able to handle a single SSH connection.
The web administration interface is the most critical part here, containing multiple vulnerabilities. The web interface is implemented with HTML/JS on the client side and ASP on the server side. HTTP Auth is used for authentication.
The web interface is vulnerable to CSRF attacks and to remote command execution (buffer overflow), which can also be triggered with a forged request. Further details are available at securityevaluators.com.
Moreover, changing the admin password or exposing the Telnet/HTTP management interface to the public network does not require the previous (current) password, which makes this vulnerability even worse.
Also, since authentication is implemented with HTTP Auth, it could be possible to carry out CSRF even if the victim is not logged on to the management interface:
I’m pretty sure that there are a lot of routers with an unchanged admin password.
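The server-side checks whose absence makes the forged requests above work, as an added example (not code from the router firmware or from the original article). The handler shape, the field names `csrf_token` and `current_password`, and the `verify_current` callback are hypothetical; the admin origin is the router's default address.

```python
import secrets
import hmac

# Assumption: the origin the admin UI is served from (router default address).
ADMIN_ORIGIN = "http://192.168.1.1"

def new_session():
    """Server-side session state with a random per-session CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32)}

def same_origin(headers):
    """True only when the browser reports the admin UI as the request source."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    return source == ADMIN_ORIGIN or source.startswith(ADMIN_ORIGIN + "/")

def check_password_change(headers, form, session, verify_current):
    """Return (allowed, reason) for a password-change request.

    Cached HTTP Auth credentials are attached by the browser automatically,
    also to requests that a third-party page triggers, so being
    authenticated is not evidence that the admin built the request.
    """
    # 1. Reject requests that did not originate from the admin UI itself.
    if not same_origin(headers):
        return False, "cross-site request"
    # 2. Require the per-session token that a foreign page cannot read.
    expected = session.get("csrf_token", "")
    sent = form.get("csrf_token", "")
    # Constant-time compare; an empty server-side token never matches.
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    # 3. Re-authenticate before changing credentials.
    if not verify_current(form.get("current_password", "")):
        return False, "current password required"
    return True, "ok"
```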
It turns out that the router with default firmware is running Linux version 2.6.22. It has five network interfaces, including the loopback device. WAN seems to be eth3.
File sharing is implemented with Samba version 3.0.37. This version of Samba was released in October 2009, and the 3.0.x series is no longer maintained [wiki.samba.org].
```
admin@RT-N56U:/tmp/home/root# uname -a
Linux RT-N56U 2.6.2219 #1 Thu Oct 3 12:56:39 CST 2013 mips GNU/Linux
admin@RT-N56U:/tmp/home/root# smbd --version
Version 3.0.37
```
The admin password is saved as plain text at /tmp/http_info.
On the public network, all ports are filtered if no services are enabled and exposed to the public Internet.
On the internal network, a TCP SYN scan with Nmap provides the following output (apart from the default configuration, I’ve enabled Telnet here, but disabled UPnP).
```
Starting Nmap 6.40 ( http://nmap.org ) at ..
Nmap scan report for router.asus.com (192.168.1.1)
Host is up (0.0021s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
3394/tcp  open  unknown
3838/tcp  open  unknown
5473/tcp  open  unknown
9100/tcp  open  jetdirect
9998/tcp  open  distinct32
18017/tcp open  unknown
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Device type: WAP
Running: Asus Linux 2.6.X
OS CPE: cpe:/h:asus:rt-n16 cpe:/o:asus:linux_kernel:2.6
OS details: Asus RT-N16 WAP (Linux 2.6)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds
```
Okay, I’m just wondering what I need all of these for, and why they are open by default.
In practice, after a successful attack, the attacker can take over your router and sniff all your network traffic.
A successful attack requires either that:
- The victim is logged in to the web management interface
- Using the same computer and web browser, the victim opens a malicious web page (for instance, clicks a phishing link sent in email) that triggers a forged request.
or that:
- The victim has not changed the default password
- The victim opens a malicious web page that forges the login request with the default password, and after that pwns the router.
Also, since there are multiple deprecated/out-of-date service daemons running on the router and exposed to the LAN, it is important that only trusted devices are connected to the network.
Assuming that the router does not have any other critical vulnerabilities or backdoors, it can still be rather safe to use. However, here are a couple of important things to remember:
- Change the default password.
- You may also change the default IP address/subnet. I do not usually believe in security by obscurity, but it is not harmful either.
- When you are managing the device via the web interface, always log out and never browse the web at the same time. If you’re paranoid, use only a dedicated browser/virtual machine for managing the device, and always empty the browser cache.
- If you are really paranoid, only manage the device from a cable-connected computer while all the other computers are disconnected from it.
- Disable all services/features on the router that you do not need.
- Do not let untrusted devices connect to your network.
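To check the "disable what you do not need" step, the LAN scan can be audited against a list of ports the network actually requires. The following is an added example, not part of the original article; the `ALLOWED` set is an assumption to adjust, and the sample input is constructed from the port table in the scan above.

```python
import re

# Constructed sample: the open-port table from the LAN scan in the article,
# in Nmap's normal output format.
SCAN = """\
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
3394/tcp  open  unknown
3838/tcp  open  unknown
5473/tcp  open  unknown
9100/tcp  open  jetdirect
9998/tcp  open  distinct32
18017/tcp open  unknown
"""

# Assumption: this network only needs DNS and the admin page from the router.
ALLOWED = {53, 80}
# Management services that send credentials and session data unencrypted.
CLEARTEXT = {"telnet", "http"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(scan_text):
    """Return {port: service} for every port Nmap reports as open."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports

def audit(scan_text, allowed=ALLOWED):
    """Return {port: [reasons]} for open ports that need attention."""
    findings = {}
    for port, service in sorted(open_ports(scan_text).items()):
        reasons = []
        if port not in allowed:
            reasons.append("not needed: disable the feature behind it")
        if service in CLEARTEXT:
            reasons.append("cleartext management: use only from a trusted host")
        if service == "unknown":
            reasons.append("unidentified service: find the owning daemon")
        if reasons:
            findings[port] = reasons
    return findings
```

Rerunning the scan after each feature is switched off and feeding the new output to `audit` shows whether the corresponding ports actually closed.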