Asus RT-N56U router security

January 28, 2014

I recently bought a new home router, the Asus RT-N56U. It is a consumer-level basic wireless router with some “advanced” features, such as file sharing and a print server. I am actually pretty happy with the features of the router. Security is the problem. Or the lack of security, to be more precise.

The following article analyses the security of the Asus RT-N56U. All findings/vulnerabilities listed here apply to firmware version 3.0.0.4.374_979.

Admin interfaces

The Asus RT-N56U provides a web interface and shell access to the router. Shell access is disabled by default, while the web interface listens on port 80. There is no secure way to access the router, only Telnet and plain HTTP. By default, the router listens at IP address 192.168.1.1 and the default username and password are admin/admin.

Okay, it is quite unlikely that someone is able to hijack the connection if the admin is directly cable-connected to the router. But still, why on earth would someone prefer Telnet over SSH in the 2010s? Performance cannot be an excuse; the router's CPU should easily be able to handle a single SSH connection.

Web interface

The web administration interface is the most critical part here, containing multiple vulnerabilities. The web interface is implemented with HTML/JS on the client side and ASP on the server side. HTTP Auth is used for authentication.

The web interface is vulnerable to CSRF attacks and to remote command execution (a buffer overflow), which can also be triggered with a forged request. Further details are available at securityevaluators.com.

Moreover, changing the admin password or exposing the Telnet/HTTP management interface to the public network does not require the previous (current) password, which makes this vulnerability even worse.

Also, since authentication is implemented with HTTP Auth, it could be possible to carry out CSRF even when the victim is not logged in to the management interface, by embedding the credentials in the request URL:

http://admin:admin@192.168.1.1/do_something_nasty.asp?....

I’m pretty sure that there are a lot of routers out there with an unchanged admin password.
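To make concrete what the interface is missing, here is an added example (my own illustration, not the router's ASP code) of the server-side gate a state-changing management request should pass: an Origin/Referer check against the router's own hostnames, a per-session anti-CSRF token, and proof of the current password before it can be changed. The hostnames are the ones mentioned in this post; the form field names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hostnames under which this router's management interface is reached
# (192.168.1.1 and router.asus.com both appear in the post).
ROUTER_HOSTS = {"192.168.1.1", "router.asus.com"}


def new_csrf_token() -> str:
    """Per-session anti-CSRF token, to be embedded in every management form."""
    return secrets.token_hex(16)


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names the
    router itself. A request with neither header is treated as cross-site:
    a browser following http://admin:admin@192.168.1.1/... from a malicious
    page either names the attacker's page in Origin/Referer or sends nothing."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname in ROUTER_HOSTS


def authorize_change(headers: dict, form: dict, session: dict,
                     current_pw: str) -> tuple[bool, str]:
    """Gate for any state-changing management request (enable Telnet, expose
    the web UI to the WAN, change the admin password, ...).

    headers/form: the incoming request (field names are assumptions);
    session: server-side state holding the token issued with the page;
    current_pw: the stored admin password."""
    if not same_origin(headers):
        return False, "cross-site request rejected"
    expected = session.get("csrf_token", "").encode()
    presented = form.get("csrf_token", "").encode()
    if not expected or not hmac.compare_digest(presented, expected):
        return False, "missing or invalid CSRF token"
    # A password change must prove knowledge of the current password, so a
    # forged request cannot simply set a new one.
    if "new_password" in form:
        if not hmac.compare_digest(form.get("old_password", "").encode(),
                                   current_pw.encode()):
            return False, "current password required to change password"
    return True, "ok"
```

With all three checks in place, neither a forged request from a logged-in victim's browser nor a credential-embedded URL against an unchanged default password reaches the state change.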

OS internals

It turns out that the router with the default firmware is running Linux version 2.6.22. It has five network interfaces, including the loopback device. The WAN interface seems to be eth3.

File sharing is implemented with Samba version 3.0.37. This version of Samba was released in October 2009, and the 3.0.x series is no longer maintained [wiki.samba.org].

admin@RT-N56U:/tmp/home/root# uname -a
Linux RT-N56U 2.6.2219 #1 Thu Oct 3 12:56:39 CST 2013 mips GNU/Linux
admin@RT-N56U:/tmp/home/root# smbd --version
Version 3.0.37

The admin password is saved as plain text in /tmp/http_info.

Port scanning

On the public (WAN) side all ports are filtered, as long as no services are enabled and exposed to the public Internet.

On the internal network, a TCP SYN scan with Nmap gives the following output (compared to the default configuration, I’ve enabled Telnet here but disabled UPnP).

Starting Nmap 6.40 ( http://nmap.org ) at ..
Nmap scan report for router.asus.com (192.168.1.1)
Host is up (0.0021s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
3394/tcp  open  unknown
3838/tcp  open  unknown
5473/tcp  open  unknown
9100/tcp  open  jetdirect
9998/tcp  open  distinct32
18017/tcp open  unknown
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Device type: WAP
Running: Asus Linux 2.6.X
OS CPE: cpe:/h:asus:rt-n16 cpe:/o:asus:linux_kernel:2.6
OS details: Asus RT-N16 WAP (Linux 2.6)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds

Okay, I’m just wondering what I need all of these for, and why they are open by default.
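As an added example (not part of the original post), the scan above can be turned into a repeatable audit: parse Nmap's port table and report every open port that is not on the short list of services you have decided you actually need, which is the check behind the “disable what you do not need” advice in the mitigations. The needed-services list below is a constructed baseline for a household that only uses DNS and the web admin UI.

```python
import re

# Port table exactly as printed by the scan in this post.
SCAN_OUTPUT = """\
PORT      STATE SERVICE
23/tcp    open  telnet
53/tcp    open  domain
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
515/tcp   open  printer
3394/tcp  open  unknown
3838/tcp  open  unknown
5473/tcp  open  unknown
9100/tcp  open  jetdirect
9998/tcp  open  distinct32
18017/tcp open  unknown
"""

# Matches Nmap's "PORT STATE SERVICE" rows, e.g. "445/tcp   open  microsoft-ds".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(output: str) -> dict[int, str]:
    """Return {port: service} for every row Nmap reports as open."""
    ports = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def unexpected_ports(output: str, needed: set[int]) -> dict[int, str]:
    """Open ports on the LAN side that are not in the set of services you need.
    Each one is a candidate for disabling in the router's settings."""
    return {p: s for p, s in parse_open_ports(output).items() if p not in needed}


# Constructed baseline: only DNS (53) and the web management UI (80) are wanted.
NEEDED = {53, 80}

if __name__ == "__main__":
    for port, service in sorted(unexpected_ports(SCAN_OUTPUT, NEEDED).items()):
        print(f"{port}/tcp ({service}) is open but not on the needed list")
```

Re-run it against a fresh scan after changing the router settings; an empty report means only the services you chose remain reachable from the LAN.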

Summary

In practice, after a successful attack, the attacker can take over your router and sniff all your network traffic.

A successful attack requires that:

  • The victim is logged in to the web management interface.
  • Using the same computer and web browser, the victim opens a malicious web page (for instance, by clicking a phishing link sent by email) that triggers a forged request.

Or alternatively:

  • The victim has not changed the default password.
  • The victim opens a malicious web page that forges the login request with the default password and, after that, pwns the router.

Also, since multiple deprecated/out-of-date service daemons are running on the router and exposed to the LAN, it is important that only trusted devices are connected to the network.

Mitigations

Assuming that the router does not have any other critical vulnerabilities or backdoors, it can still be reasonably safe to use. However, here are a couple of important things to remember:

  • Change the default password.
  • You may also change the default IP address/subnet. I do not usually believe in security by obscurity, but it is not harmful either.
  • When you are managing the device via the web interface, always log out and never browse the web at the same time. If you’re paranoid, use only a dedicated browser/virtual machine for managing the device, and always empty the browser cache.
  • If you are really paranoid, only manage the device from a cable-connected computer while all the other computers are disconnected from it.
  • Disable all services/features on the router that you do not need.
  • Do not let untrusted devices connect to your network.
