ASUS has yet to release new firmware with the fix

Jan 9, 2015 10:55 GMT  ·  By

A service that runs with root privileges on ASUS routers can be exploited by an unauthenticated attacker on the local network to execute arbitrary commands, giving full access to the configuration of the device.

What is worse, exploit code for the flaw is already public, and ASUS has yet to release updated firmware containing a fix.

Attacker can re-configure the router

Researcher Joshua Drake found the flaw a few months ago while working on an ASUS RT-N66U router. He discovered that the “infosvr” service, which listens on UDP port 9999 on the LAN (local area network) side, can be used by an unauthenticated attacker to execute commands.

ASUS routers use the service to discover and configure other ASUS devices on the network (repeaters, access points, media bridges).

Unauthorized access to the router's configuration has serious implications for users on the network: settings (DNS, for example) can be altered so that users are redirected to malicious websites that serve malware, leading to the compromise of their computers.

According to Drake, “all known firmware versions for applicable routers (RT-AC66U, RT-N66U, etc.) are assumed vulnerable.” The RT-AC87U running the latest firmware, released on December 31, 2014, is also vulnerable.

Workaround available for custom firmware versions

While users on the stock firmware have to wait for an update, those running the custom firmware maintained by Eric Sauvageau (RMerlin) have a workaround available until the fix from ASUS is integrated.

Sauvageau provided a firewall rule for the supported routers that blocks any attempt to reach the vulnerable service; if JFFS is enabled, the rule can be kept there as a startup script and is then reboot-persistent, so restarting the device keeps it protected:

#!/bin/sh
iptables -I INPUT -p udp --dport 9999 -j DROP

If JFFS is turned off, users can still run the same command by hand, but the protection lasts only until the next reboot of the device, or until a configuration change that restarts the firewall flushes the rule.
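As an added example, not taken from the article or from Sauvageau's firmware: the DROP rule silently discards probes, so a practitioner will usually want to know who on the LAN is sending them. The script below picks infosvr probes out of the router's syslog. It assumes that a logging rule such as iptables -I INPUT -p udp --dport 9999 -j LOG --log-prefix "INFOSVR: " has been added after the DROP rule (so that it sits ahead of it in the INPUT chain); the sample log lines are constructed in the standard netfilter LOG format, and the host name, addresses and MACs in them are made up.

```python
import re
from collections import defaultdict

# Destination port the vulnerable infosvr service listens on.
INFOSVR_PORT = 9999

# Constructed sample syslog lines in the format the netfilter LOG target emits.
# Assumption: a rule such as
#   iptables -I INPUT -p udp --dport 9999 -j LOG --log-prefix "INFOSVR: "
# sits in front of the DROP rule. Host name, addresses and MACs are made up.
SAMPLE_LOG = """\
Jan  9 10:55:01 RT-N66U kernel: INFOSVR: IN=br0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.1 LEN=540 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41234 DPT=9999 LEN=520
Jan  9 10:55:01 RT-N66U kernel: INFOSVR: IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=255.255.255.255 LEN=540 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41234 DPT=9999 LEN=520
Jan  9 10:55:02 RT-N66U kernel: INFOSVR: IN=br0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=9999 LEN=40
Jan  9 10:55:03 RT-N66U kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:01:02:03:04:05:06:08:00 SRC=203.0.113.9 DST=198.51.100.4 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  9 10:55:04 RT-N66U dnsmasq[512]: started, version 2.72 cachesize 1500
"""

# key=value tokens as written by the netfilter LOG target (IN=, SRC=, DPT=, ...).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return the key=value fields of one netfilter LOG line, or None if the
    line is not a kernel packet-log line. Bare flags such as DF or SYN carry
    no '=' and are deliberately ignored; a duplicated key (the two LEN= fields)
    keeps the last value."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def is_infosvr_probe(fields):
    """True for a logged UDP packet aimed at the infosvr port."""
    return fields.get("PROTO") == "UDP" and fields.get("DPT") == str(INFOSVR_PORT)


def summarize_probes(log_text):
    """Group UDP/9999 packets by source address.

    Returns {src: {"packets": n, "broadcast": n, "ifaces": [...]}}. Broadcast
    destinations are counted separately: discovery traffic on this port is
    sent to the broadcast address (assumption), so a packet addressed straight
    to the router's own address stands out as a likely targeted attempt.
    """
    per_src = defaultdict(lambda: {"packets": 0, "broadcast": 0, "ifaces": set()})
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if not fields or not is_infosvr_probe(fields):
            continue
        rec = per_src[fields.get("SRC", "?")]
        rec["packets"] += 1
        if fields.get("DST") == "255.255.255.255":
            rec["broadcast"] += 1
        rec["ifaces"].add(fields.get("IN", ""))
    return {src: {**rec, "ifaces": sorted(rec["ifaces"])} for src, rec in per_src.items()}


def report(log_text, min_packets=1):
    """Human-readable summary lines for sources that sent at least min_packets packets."""
    lines = []
    for src, rec in sorted(summarize_probes(log_text).items()):
        if rec["packets"] < min_packets:
            continue
        lines.append(f"{src}: {rec['packets']} packet(s) to udp/{INFOSVR_PORT} "
                     f"({rec['broadcast']} broadcast) via {','.join(rec['ifaces'])}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On a Merlin build the kernel log lines come from the router's own syslog; the parser keys only on the generic kernel LOG fields, so the log prefix can be anything as long as the rule matches udp/9999.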

Another option is to kill the vulnerable “infosvr” process at each boot. Drake offers a somewhat ironic method: using the exploit itself to make the router safe from attacks on the LAN, by sending the kill command through the vulnerable service:

$ ./asus-cmd "killall -9 infosvr" [...]

Disabling the service is all the more advisable in set-ups with no additional ASUS devices to discover; even where such devices exist, “infosvr” is not essential if their network addresses are already known.

It is important to note that, although the flaw is serious, it cannot be exploited unless the attacker already has access to the local network. If the owner fully trusts everyone who joins the network, or if none of them has the skill to exploit the flaw, the real risk is limited. Bear in mind, though, that any host on the LAN counts as a potential attacker, including a guest on the Wi-Fi or a computer already infected with malware, and with working exploit code public, little skill is required.