ASUS routers Remote FTP login Authentication Bypass Vulnerability

2014-03-29T00:00:00
ID 1337DAY-ID-22085
Type zdt
Reporter santhoshkumar22
Modified 2014-03-29T00:00:00

Description

============ Device Description: ============ Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media Features: * Fast Wireless-N connectivity frees you to do more around your home * Easy to set up and use, industrial-strength security protection * Great for larger homes with many users Router-to-Router sync enables you to sync folders on storage devices connected to two AiCloud-compatible routers. This last feature is very similar to what Connected Data’s Transporter offers, though it’s not quite as easy to set up. The RT-N15U has all the other checklist features I’ve come to expect in a high-end router, including FTP and SAMBA file servers, and UPnP, DLNA, and iTunes media servers.#### Usage Info Asus range of routers suffer from common bug which allows to anonymous FTP service which is running there by default.Which when enabled with passive mode transfer can access the hard drive which is connected to the router. Greetz : anamika, cRushii , side ^effect , exPloiter and all the cool dudes out there :) ****CONTACT US**** mail:[email protected] twitter:@security_b0x *************

                                        
                                            # Exploit Title: asus router FTP Auth bypass 
 # Google Dork: N/A
 # Date: 28-03-2014
 # Exploit Author: Santhosh Kumar
 # Vendor Homepage: http://www.asus.com
 # Software Link: http://www.asus.com/Networking/RTN56U
 # Version: All versions 
 # Tested on: windows 8.1,windows 7 , ubuntu , debian

FTP service on the asus router allows anonymous when executed on passive mode it can  allow viewing of the external hard drive connected to the device.

************************SHODAN SEARCH*********************************
ASUS RT-N10U or RT-N10U   -- Returned 14173 for RT-N10U
ASUS RT-N56U or RT-N56U  -- Returned 18501 for ASUS RT-N56U
ASUS DSL-N55U               ----  Returned  20286 for ASUS DSL-N55U
ASUS RT-AC66U              -----  32721 for RT-AC66U
ASUS RT-N15U               ------ 4865 for RT-N15U
ASUS RT-N53                  ------  5600 for RT-N53 (many false positives)

***********************************************************************

usage

ftp <vulnerable ip>

Login : anonymous
password:[email protected]


i have taken a Swedish ISP router for POC 

IP ADDRESS 
POC 1 :  http://i.imgur.com/hsOdcjI.jpg

Screenshot of the Login:

Poc2 : http://i.imgur.com/FHPNJC2.jpg

Uploading of the test file directly to the hard drive

poc3:http://i.imgur.com/9n9wosu.jpg

*********************************************************************

Possible Fix 

DIsable the FTP option till the vendor assures patch on the firmware or Disable Anonymous login.

#  0day.today [2018-01-04]  #