SECURITY: LAN-side security hole - mitigation

Discussion in 'Asuswrt-Merlin' started by RMerlin, Jan 6, 2015.

  1. RMerlin (Part of the Furniture)

    There's currently a security hole in all known versions of Asuswrt and Asuswrt-Merlin that can allow a LAN user to execute a command on the router without requiring authentication.

    LATEST UPDATE:
    Asus resolved the issue with firmware updates released on January 12th for all models. If using the stock firmware then make sure you update to the latest version released on or around January 12th.

    Also, the "brute force" fix I applied in 376.49_5 will most likely be the fix I will stick with (unless Asus's fix involves additional fixes, of course). The code that I disabled is only used at manufacturing time, so there is no point in leaving any of this section of code enabled for production use.

    UPDATE:
    If you are running my firmware, please install 376.49_5, which has the vulnerable feature of infosvr disabled. Note that this is just a brute force solution where I completely disabled the code responsible for allowing remote code execution. It could have unforeseen consequences, possibly with Asus's Device Discovery tool, or their printer sharing option. It's impossible to say, as I have no real idea what infosvr does exactly.

    This is just a temporary fix, as once Asus comes up with a more appropriate fix, it will most likely replace the current one.

    If you are using the stock firmware, or for some reason cannot update your router, then you can still use the mentioned mitigation tricks posted below.

    Original mitigation trick:
    Unfortunately, someone already publicly disclosed the details on how to exploit this security hole before Asus even had a chance to fix it, so I've decided to post a mitigation method here to allow people to secure their network. I won't post the details of the security hole in public until Asus has had a chance to fix it, and I will moderate any post here that provides any additional detail that could help people to actively exploit the security issue.

    Use one of the two following methods:

    1) If you have JFFS enabled, simply create a firewall-start script with the following:

    Code:
    #!/bin/sh
    iptables -I INPUT  -p udp --dport 9999 -j DROP
    
    Then, restart your firewall:

    Code:
    service restart_firewall
    
    2) If you don't (or won't) enable the JFFS partition, then you will have to telnet/SSH into your router, and manually run that command:

    Code:
    iptables -I INPUT  -p udp --dport 9999 -j DROP
    
    Note that this rule will disappear anytime you reboot your router, or do any configuration change that leads to the router re-configuring its firewall.


    The security hole is *ONLY* exploitable from the LAN, so if you trust everyone on your LAN, then it isn't too serious.

    Again, until Asus publishes an official fix, please don't post any additional detail if you happen to find any. I will actively edit any post that contains any additional information as to how this security hole can be exploited.
     
    Last edited: Jan 13, 2015
  2. Nullity (Very Senior Member)

    Does disabling access to this port cause any side-effects?
     
  3. RMerlin (Part of the Furniture)

    It might potentially affect some particular features unrelated to its core routing functionality (so anything related to Internet or LAN traffic should be totally unaffected). I'm not really familiar with that particular service so I can't say for sure as to what can be affected by this change, sorry. Otherwise I would have actually patched the issue rather than issuing this temporary workaround.
     
  4. SO333 (Occasional Visitor)

    I don't agree. Although the exploit data packet must be sent from the LAN, this could also be triggered externally!
    Think of an evil Java Applet, Chrome Extension, ActiveX Control (do they still exist?) or whatever can send UDP.

    So even if you can trust your LAN users ("they don't even know what a router is") you are susceptible to external attacks ("unfortunately, they click on every link they see" ;-)
     
  5. sinshiva (Very Senior Member)

    that's still triggered internally :p and in cases like you've mentioned, you'd likely NOT be trusting the users on your lan implicitly. regardless; yes, this vuln sucks. The real tragedy here though, imo, is like RMerlin states:
    I guess that 5 minutes of fame is hard to resist
     
  6. BWR (Regular Contributor)

    Which service uses that UDP port?
     
  7. john9527 (Part of the Furniture)

  8. sinshiva (Very Senior Member)

    it appears to be some kind of device discovery service, perhaps specifically for finding other asus products. I've actually had this port blocked for a few months and not noticed it impact anything in the router or the web interface.

    [edit/]
    RMerlin took a look at the affected code and mentioned it being some ancient cruft. It has never been exposed WAN side and was meant to serve some basic purpose, so I doubt it's there for any malicious reasons like the database john9527 linked suggests, nor is it named like anything in there. Just some garbage that either needs to be dropped or patched.
     
    Last edited: Jan 6, 2015
  9. Nullity (Very Senior Member)

    Does that information apply to this situation?

    I was assuming that the service that is listening on the router would be some proprietary Asus or Broadcom thing.
     
  10. jamestx10 (Occasional Visitor)

    This is my first firewall-start script so I am wanting to verify that it is working. Should I see something in the logs?
     
  11. john9527 (Part of the Furniture)

    Like a lot of ports, some ports can be used by different apps for different things. I like the speedguide listings as a general reference to see 'who may be doing what with what'. For most ports, if you look them up you'd probably be surprised at the number of exploits and apps that have been found to use a given port. When I looked at that list, to me it looked the only 'legitimate' users were a couple of games which could possibly be affected by the mitigation.

    As sinshiva said, there is also a reference to the port being used by Asus internally in the firmware, and is very likely where the exploit exists.
     
  12. sinshiva (Very Senior Member)

    no, however, after creating the script you also need to do:

    Code:
    chmod a+rx /jffs/scripts/*
     
  13. john9527 (Part of the Furniture)

    After you reboot... telnet/ssh to the router and run:

    Code:
    iptables -L
    
    and you should see the rule with port 9999 in the INPUT section
     
  14. jamestx10 (Occasional Visitor)

    Looks like it is working then. Thanks

    Code:
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP udp -- anywhere anywhere udp dpt:9999
     
  15. RMerlin (Part of the Furniture)

    I'm not sure it won't get restarted at some point, so I'd suggest also creating the firewall script.
     
  16. seth_space (Regular Contributor)

    This is the culprit (no disclosure):
    ASUSWRT version 3.0.0.4.376_1071 suffers from a remote command execution vulnerability. A service called "infosvr" listens on port 9999 on the LAN bridge. Normally this service is used for device discovery using the "ASUS Wireless Router Device Discovery Utility",
     
  17. noric (Senior Member)

    Does this affect every firmware version? Pre-376 too?
    Thanks.
     
  18. Vandergraff (Regular Contributor)

    So I assume the LAN includes Guest Network(s) in this case?
     
  19. dualm (Occasional Visitor)

    I have my second router in "AP Mode". Is this also affected?
    I ran the "iptables -L" on this and it looks "empty" before I apply the firewall rule. Is this normal?

    Code:
    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
     
  20. coldwizard (Regular Contributor)

    Yes to both questions. Normal for AP mode empty rules, and firewall needed since infosvr is running.

    If in doubt, run "netstat -na | grep 999" and if you see port 9999 listening, you need to block access to it to protect that Asus device.
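As an added example (not code from the thread or from Asuswrt-Merlin), a check script that combines john9527's "iptables -L" verification with coldwizard's "netstat -na" check: it reports whether the UDP 9999 DROP rule is in the INPUT chain and whether infosvr is still bound to that port. The parsing functions take command output as text, so they are exercised against constructed sample lines in the thread's formats; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a check script for the router that
# combines john9527's "iptables -L" check (is the UDP/9999 DROP rule in INPUT?)
# with coldwizard's "netstat -na" check (is infosvr still bound to 9999?).
# The parsing functions take command output as text so they can be exercised
# offline on the constructed samples below. Port 9999 comes from the thread;
# the function names are this example's own.
PORT=9999

# 0 if the text of 'iptables -L INPUT' (with or without -n) has a DROP rule
# for udp dpt:9999, 1 otherwise.
rule_present() {
    printf '%s\n' "$1" |
        grep -Eq "^DROP[[:space:]]+udp[[:space:]].*udp dpt:${PORT}([[:space:]]|$)"
}

# 0 if the text of 'netstat -na' shows a UDP socket bound to port 9999.
listener_present() {
    printf '%s\n' "$1" | grep -Eq "^udp[[:space:]].*:${PORT}[[:space:]]"
}

# Combined verdict: 0 = DROP rule present (protected); 1 = infosvr listening
# and no rule (exposed); 2 = nothing bound to UDP/9999 (nothing to block).
verdict() {
    if rule_present "$1"; then return 0; fi
    if listener_present "$2"; then return 1; fi
    return 2
}

# Constructed sample output in the formats shown in the thread (self-test data).
SAMPLE_IPT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:9999'
SAMPLE_NETSTAT='udp        0      0 192.168.1.1:9999        0.0.0.0:*
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# On the router, read the live state; elsewhere there is nothing to inspect.
if command -v iptables >/dev/null 2>&1 && command -v netstat >/dev/null 2>&1; then
    verdict "$(iptables -L INPUT 2>/dev/null)" "$(netstat -na 2>/dev/null)" \
        && rc=0 || rc=$?
    case $rc in
        0) echo "OK: UDP/$PORT DROP rule is in the INPUT chain" ;;
        1) echo "WARNING: infosvr bound to UDP/$PORT and no DROP rule found" ;;
        *) echo "Nothing bound to UDP/$PORT on this device" ;;
    esac
fi
```

Run it on the router after a reboot: a WARNING means the firewall-start script did not take effect (check the chmod step mentioned above), while a verdict of 2 is what an AP-mode unit with infosvr stopped would report.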
     