Note: In June I released a partial disclosure for just the RT-N66U on the issue of directory traversal. I have only heard back from ASUS a twice on the issue, and I understand they are working on a fix. However, no serious attempt to our knowledge has been made to warn their customers in the meantime, even after multiple requests from several different security professionals.
Nor has ASUS posted a disclosure of these serious issues to new potential customers on their AiCloud web adverts, since they still advertise the product as an add-on with these routers, as a safe and bug free home cloud solution.
Linux 2.6.xx kernel All firmware versions known
Vulnerable Asus Models
RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router RT-N66R Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch RT-N66U Dual-Band Wireless-N900 Gigabit Router RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router RT-N56R Dual-Band Wireless-AC1200 Gigabit Router RT-N56U Dual-Band Wireless-AC1200 Gigabit Router RT-N14U Wireless-N300 Cloud Router RT-N16 Wireless-N300 Gigabit Router RT-N16R Wireless-N300 Gigabit Router
Vulnerabilities - Due in large part to an exposed $root share on the NVRAM for Samba service, which was discovered in March of this year by another researcher, on almost all of the above models that have enabled AiCloud service, the end users will find themselves exposed to multiple methods of attack and several dangerous remote exploits.
Since authentication can be simply bypassed on the those units running HTTPS WebDav via directory traversal, access to all files which control services on either side of the router are wide open to remote manipulation. All pem and key files are also openly available.
Credentials- Almost all models will disclose a clear text creational file, making any MD5 hashing on the /etc/shadow file meaningless. This file below remains easily accessible, and has no encryption. It may vary a bit in where it sits on a small percentage of routers configured a certain way.
(The -L and -v switches are optional)
curl -v https://<IP>/smb/tmp/$dir/lighttpd/permissions -k -L or curl -v https://<IP>/smb/tmp/lighttpd/permissions -k -L
PPTP Tunnel- VPN service can be enabled, configured and connected by altering a five small files on any of the four models of the RT66 series routers. Everything needed to achieve this can be found in the directory at /smb/tmp/$dir/pptpd, and the pptpctrl file as well as pptpd service are in the /sbin dir.
Local executable or modifiable scripts- The files needed to create a Dropbear ssh service can be found at /smb/tmp/etc/dropbear/ with its pid sitting in /var. In /smb/tmp/bin and /smb/tmp/sbin sit well over a dozen executables such as netcat, ftpget, logger, wol, tr and sendmail. Several services, two of which being /smb/sbin/vsftpd and /smb/sbin/telnetd can be configured or altered there too. Other shell scripts, not native to the routers, can be uploaded and used in an attack with little difficulty.
On the RT-N16 and N16R, once the https credentials are entered, an attacker can easily move to the admin console on the LAN side by changing the path to /index.asp. While the list of tools available to an attacker might seem endless, there is no doubt that once the AiCloud service is enabled, it would take just one person a few minutes to completely control of all traffic coming in and out of the LAN, gain access to all LAN side resources by a VPN or through another service, and could choose to sniff packets, do a hard DoS or launch attacks on other systems.
Mitigation and Workarounds- Disable all UPnP services Disable any and all of the three AiCloud items which will open the vulnerability Remove any remote access to the router for administration until a patch is ready Change the default username and password If the AiCloud service is used, it would be advisable to change that password if it was the same one used or the router