Remote code execution in Asus router firmware - martinp
https://github.com/jduck/asus-cmd

======
aric
Warning to users of Asus firmware:

In the Administration > Firmware Upgrade tab, never rely on their [Check]
version button. It's consistently inaccurate. It's a long-known (and serious)
flaw that's been like this since day one of these products and still to this
day. It'll happily report _"The router's current firmware is the latest
version."_, even if it's months behind in vulnerability fixes. Go to Asus'
site for the latest firmware, then use the upload option to upgrade. Or,
probably better yet, don't use their firmware.

~~~
gcb0
note to anyone not using openwrt:

you should be using openwrt :)

~~~
Alphasite_
AsusWRT is pretty great on its own, apart from this bug, and it's kept
up to date.

------
yc1010
Asus released updated firmware it seems, that was quick!

[http://www.asus.com/ie/Networking/RTAC66U/HelpDesk_Download/](http://www.asus.com/ie/Networking/RTAC66U/HelpDesk_Download/)

~~~
uniformlyrandom
No update for N56U yet.

>2014/11/21

Well, killing a process is the easiest workaround for now, and it should work
until we get a patch.

------
etcet
Worst case is that all publicly accessible routers were rooted en masse within
an hour of this announcement. My solution is an offline factory reset and
firmware update.

Is there any risk of persistent root on these devices?

~~~
dtech
This issue is nowhere near this serious, it's only exploitable from within the
LAN.
([http://forums.smallnetbuilder.com/showthread.php?t=21774](http://forums.smallnetbuilder.com/showthread.php?t=21774))

~~~
uniformlyrandom
In the days of JavaScript, this is not such a big roadblock.
[https://developer.chrome.com/apps/app_network](https://developer.chrome.com/apps/app_network)

------
tux
Been using >
[https://code.google.com/p/rt-n56u/](https://code.google.com/p/rt-n56u/) on
Asus RT-N56U for more than a year now. No issues at all. This firmware is
maintained by "Andy Padavan". Changelog here >
[http://rt-n56u.googlecode.com/git/changes.eng.txt](http://rt-n56u.googlecode.com/git/changes.eng.txt)
Latest update was yesterday. You can use the Entware package manager to install
any of these packages here >
[http://entware.wl500g.info/binaries/entware/Packages.html](http://entware.wl500g.info/binaries/entware/Packages.html)

------
whatthehack2
Question: Let's say you patched this 'too late'. Would doing a hard reset of
the router by holding the reset button of the router actually remove any
backdoors/exploits? Or is it the case that if someone gets root, that backdoor will
be persistent forever and your only hope is to get a new router? My
understanding is that the factory reset only resets the configuration options
and does not physically reimage the OS.

~~~
simcop2387
Reuploading the firmware should also work; it usually just reimages the system
partition. If you don't know whether you trust that, you can also go to DD-WRT,
OpenWrt or Tomato, and once you see that running you know the system partition
has been reimaged and should be fine.

~~~
whatthehack2
So simply upgrading the firmware now will remove any existing roots or
backdoors?

~~~
lunixbochs
To a point. It's possible to persist a backdoor on these routers beyond a
firmware upgrade. If you think you're a big enough target for someone to
actually install a backdoor like this on your systems, I'd be happy to take a
look.

------
rdtsc
There is also a project that provides an open firmware for some of the
vulnerable Asus routers:

[https://code.google.com/p/rt-n56u/](https://code.google.com/p/rt-n56u/)

It seems to be active. I've been thinking of switching to it from a stock
rt-n56u. Anyone have any experience using this firmware?

~~~
mscrivo
Why not use a good Tomato build? This is my favourite at the moment and gets
updated quite frequently:

[http://tomato.groov.pl/](http://tomato.groov.pl/)

~~~
rdtsc
Saw that one, but my router was not in the list of supported ones.

~~~
mscrivo
My apologies, I misread RT-N56U for RT-AC56U.

------
dev314159
Is this vulnerable from the LAN-side only or from the WAN side?

~~~
Aloisius
LAN-side only according to the Asuswrt-Merlin people:
[http://forums.smallnetbuilder.com/showthread.php?t=21774](http://forums.smallnetbuilder.com/showthread.php?t=21774)

------
lazyjones
In case it wasn't obvious: yet another case of shooting yourself in the foot
with your amazing C skills... Will people ever learn to avoid this, since
99.9% of all C programmers simply aren't good or meticulous enough to write
network-facing code in a safe manner?

~~~
ithinkso
What's the alternative?

------
orbitingpluto
An easy hack for disabling many of these additional "features" is just to
overload the port by forwarding it to a non-used IP:port.

This is only really useful for the Internet side of things for standard
manufacturer's firmware or if you're using WRT.

For new routers, this is standard practice for me until a WRT option becomes
available. Sometimes you can't, I remember not being able to overload
something on a Linksys EA6500.

------
fubarred
NSA diode candidate, unfortunately :(

For edge devices, it's criminal that high security standards are not more
pervasive. Though given the nature of retail products, it's not a big surprise,
even though it is still disappointing. (How many of these boxes even work for
longer than 5 minutes without spontaneously rebooting (crashing) or having an
xfer rate within an order of magnitude of the channel bandwidth?)

PS: If there were a minimal OpenBSD/(x86|arm) based pfSense-alike project that
could be easily themed, minified and plugin-ed, that would rock... and
potentially dramatically reduce the attack surface by reducing the duplication
of awful embedded web app implementations. (Yes, there are DDWRT and other
Linux embedded network gear projects and pfSense (which is great)... OpenBSD
for fewer lines of code.) It seems like what might happen going forward
because the existing vendor stacks are often terrible and likely expensive for
them to maintain. (Kickstarter for hw+sw or enterprise "crowd"-funded
perhaps.)

Folks requesting pfSense ARM support:
[https://forum.pfsense.org/index.php?topic=34707.0](https://forum.pfsense.org/index.php?topic=34707.0)