Can I remove OEM plugin and ensure a clean system?


jiakai

New Around Here
Hi,

Thanks for this awesome project!

I just got my RT-AC86U from a local retailer today and have successfully flashed Asuswrt-Merlin. However, I found that an OEM plugin seems to be there:

[screenshot attachment: the extra menu entry in the router web UI]


It translates as "Netease UU Accelerator", and does not go away after a hard reset (using Method 2). The source of the webpage is located at /www/UUAccelerator.asp

I feel very suspicious about this so called accelerator, and I am unsure if it collects and uploads any traffic data.

Is it possible to remove all these OEM plugins and make sure that I have a clean system? Thanks!
 
That is very very suspicious. Some sort of Chinese game accelerator.
Did you purchase from Chinese online retailer?
Older thread discussion - https://www.snbforums.com/threads/asus-ax88u-advanced-firmware-flash.64566/
 
Very odd that it's still showing after installing Merlin firmware; I wouldn't touch it with a barge pole, to be honest, if it were mine. It must be stored somewhere for it to still be there after flashing Merlin firmware, which makes you wonder what else could be lurking on there even though you hard reset it and flashed Merlin firmware.
 
Maybe flashing in rescue mode using Asus Firmware Restoration Tool will help?
 
Thank you all for these replies!

Yes I bought the router from a Chinese online retailer.

I am wondering how this is done technically. The menu entry can be removed by deleting the corresponding lines in /www/require/modules/menuTree.js . My modification persists after reboot. However, if I flash the router again (through the web GUI), the file is restored to the version including the UUAccelerator, and all files have the same modification time Jan 31 04:56.

I will try rescue mode flashing later. If this is due to some official Asus region lock mechanism, I suspect that won't work either.

I hope at least I can find out what modifications are applied on the flashed firmware. Maybe there are "post-flash hook scripts" stored somewhere...
 
You can't remove it because it's part of the firmware, just like any of the other menu entries. The option only appears on Chinese models.

RMerlin said:
OldFox said:
1 A Chinese language menu/button item has appeared just under Adaptive QoS, which shows on hover "UUAccelerator.asp", only on ac-86u. It has the same icon as Adaptive QoS. My ac86u is likely Chinese sourced, but I always operate it in English.

It means you have a router from China, in which case the router will enable support for this Chinese-only service. The code to enable/disable that feature in the webui is closed source, and outside of my control.
 
How is this implemented? Clearly /www/require/modules/menuTree.js does not match any file in the merlin repo. I am also able to hide the menu entry by modifying menuTree.js.

I'd like to understand how the flashed files get modified, and how I can extract a diff with respect to the official merlin firmware.
 
Sorry, I don't understand what you're looking for. Merlin's firmware is the same as Asus' in this respect, there's nothing to diff.

As Merlin's said, it comes from a closed source component of the firmware.
 
Sorry, I am new to this whole Asus router stuff and I misunderstood how the firmware works (and I did a wrong search on GitHub). I thought the official menu should use i18n instead of directly including some Chinese characters, and I hypothesized that the configuration was somehow modified after the firmware got flashed.

You are right. This item is already in the official merlin release (link here). It is also in the firmware image, which can be found by extracting the image using binwalk -e.

Now I understand that there should be some closed source part for controlling whether to display this item. This can be tracked down by searching for get_ui_support, which reveals that it is implemented in httpd:
Code:
% ag get_ui_support --search-binary
www/Main_Login.asp
301:var ui_support = [<% get_ui_support(); %>][0];

www/state.js
375:var ui_support = [<% get_ui_support(); %>][0];

www/mobile/js/plugins.js
955:var ui_support = JSON.parse(JSON.stringify(httpApi.hookGet("get_ui_support")));
968:ui_support = httpApi.hookGet("get_ui_support");

Binary file usr/sbin/httpd matches.

Thanks!
 
jiakai said:
How is this implemented? Clearly /www/require/modules/menuTree.js does not match any file in the merlin repo. I am also able to hide the menu entry by modifying menuTree.js.

I'd like to understand how the flashed files get modified, and how I can extract a diff with respect to the official merlin firmware.
I have the same issue... Can you describe the steps for hiding the menu entry to me?
I am new to ASUS-WRT Merlin, having just installed the firmware for the first time. Thanks
 
I did not try to hide the entry. I just found out that the reason is that the http server somehow reads the location code in the firmware and displays this menu entry. It does not seem to do much harm since everyone is using the same firmware.
 
Interesting. So different regions share the same firmware, but the firmware would differentiate the menu entries based on the region code, is that right?

I have a Chinese-sourced AX88U with "Netease UU Accelerator" as well. My concern is that ASUS would potentially implement region-specific firmware for compliance, which reduces the privacy. I now live in the USA and definitely don't hope to get involved in any confusion of jurisdictions. But your response seems to have this clarified.

BTW, thank you for your effort exploring this issue. :)
 
I did a review of this feature. Please note that I am not running any code, so I don't know how it works, but it is possible to download an unknown binary file from a server I don't trust (a non-Asus server), which makes me feel scared.


Here is my process; you can reproduce it:


I first searched the various directories of the firmware, because if it exists, the program must be somewhere. But I didn't find it, so I guessed it was built into some binary file, and I first tried the RC program.


I didn't find any traces in the source code of RC, so I started to search for precompiled binaries of RC. Sure enough, I found it:

Open the "private.o" binary file with a text editor, or extract the "/sbin/rc" file from your router and open its ".rodata" section with a text editor.
You will see something like this:
Code:
/var/uu_plugin_dir mkdir -p /tmp/uu wget -t 2 -T 30 --dns-timeout=120 --header=Accept:text/plain -q --no-check-certificate 'https://router.uu.163.com/api/script/monitor?type=asuswrt' -O /tmp/uu/script_url download uuplugin script info successfully
URL: %s
MD5: %s
wget -t 2 -T 30 --dns-timeout=120 --header=Accept:text/plain -q --no-check-certificate %s -O /tmp/uu/uuplugin_monitor.sh download uuplugin script successfully
md5sum /tmp/uu/uuplugin_monitor.sh | sed 's/[ ][ ]*/ /g' | cut -d' ' -f1 prepare to execute uuplugin stript...


Searching on Google, I found the complete source code. It seems that this is a reverse engineering of the asuswrt binary, with the URL modified to make it compatible with Merlin.
C:
/* Reconstructed from the rc binary. nvram_get_int(), add_rc_support(),
   _dprintf(), doSystem() and _eval() are asuswrt internals from rc/shared. */
void exec_uu_merlinr()
{
    FILE *fp;
    char buf[128];
    int download,i;
    char *dup_pattern, *g, *gg;
    char p[2][100];                          /* p[0] = script URL, p[1] = expected MD5 */
    if(nvram_get_int("sw_mode") == 1){       /* router mode only */
        add_rc_support("uu_accel");          /* advertises the feature to the web UI */
        mkdir("/tmp/uu", 0755);
        /* Step 1: fetch the manifest. Note -q and --no-check-certificate. */
        download = system("wget -t 2 -T 30 --dns-timeout=120 --header=Accept:text/plain -q --no-check-certificate 'https://router.uu.163.com/api/script/monitor?type=asuswrt-merlin' -O /tmp/uu/script_url");
        if (!download){
            _dprintf("download uuplugin script info successfully\n");
            if ((fp = fopen("/tmp/uu/script_url", "r"))!=NULL){
                fgets(buf, 128, fp);         /* one line: "<url>,<md5>" */
                fclose(fp);
                unlink("/tmp/uu/script_url");
                i=0;
                g = dup_pattern = strdup(buf);
                gg = strtok( g, "," );
                /* Step 2: split on commas into p[]. Nothing bounds i or the field length. */
                while (gg != NULL)
                {
                    if (gg!=NULL){
                        strcpy(p[i], gg);
                        i++;
                        ++download;          /* reused as the field counter */
                        gg = strtok( NULL, "," );
                    }
                }
                if ( download > 0 )
                //if ( download == 2 )
                {
                    _dprintf("URL: %s\n",p[0]);
                    _dprintf("MD5: %s\n",p[1]);
                    /* Step 3: download the script from whatever URL the manifest named */
                    if ( !doSystem("wget -t 2 -T 30 --dns-timeout=120 --header=Accept:text/plain -q --no-check-certificate %s -O /tmp/uu/uuplugin_monitor.sh", p[0]))
                    {
                        _dprintf("download uuplugin script successfully\n");
                        if ((fp = fopen("/tmp/uu/uuplugin_monitor.config", "w"))){
                            fprintf(fp, "router=asuswrt-merlin\n");
                            fprintf(fp, "model=\n");
                            fclose(fp);
                        }
                        /* Step 4: compare the script's MD5 with the one the same server sent */
                        if((fp=popen("md5sum /tmp/uu/uuplugin_monitor.sh | sed 's/[ ][ ]*/ /g' | cut -d' ' -f1", "r")))
                        {
                            memset(buf,'\0',sizeof(buf));
                            if((fread(buf, 1, 128, fp)))
                            {
                                buf[32]='\0';            /* keep the 32 hex digits only */
                                buf[33]='\0';
                                if ( !strcasecmp(buf, p[1]))
                                {
                                    pid_t pid;
                                    char *uu_argv[] = { "/tmp/uu/uuplugin_monitor.sh", NULL };
                                    _dprintf("prepare to execute uuplugin stript...\n");
                                    /* Step 5: make it executable and run it (rc runs as root) */
                                    chmod("/tmp/uu/uuplugin_monitor.sh", 0755);
                                    _eval(uu_argv, NULL, 0, &pid);
                                }
                            }
                            pclose(fp);
                        }
                    }
                }
            }
            free(dup_pattern);
        }
    }
}
#endif   /* closes the build-option #ifdef that precedes this function in the source file */


Then I opened the URL and it linked to a script:
Code:
{"md5":"1ff500d5c9f4a742f9bff78723c78790","output":null,"status":"ok","url":"https://uu.gdl.netease.com/asuswrt/r201910101020/uuplugin_monitor.sh"}


The "uuplugin_monitor.sh" script then uses the next URL to download the UU main program.
Code:
https://router.uu.163.com/api/plugin?type=asuswrt-<MODEL>&sn=<SN>
like this:
https://router.uu.163.com/api/plugin?type=asuswrt-rtac68u&sn=H2IA0Z001234

I opened the URL and it showed:
Code:
{"md5":"a0db062e1538d9e33c00d39ce40cf48e","output":null,"status":"ok","url":"https://uu.gdl.netease.com/uuplugin/asuswrt-rtac68u/v2.11.0/uu.tar.gz"}
I downloaded the main program, which is a binary file. Its download link can be adjusted according to different models, different versions and different SNs, which means it can be used for targeted attacks.


So, I want to say that this feature can download any binary file from any server at any time, and no one can review whether the binary file is safe.

And this feature is built into RC, which means it cannot be removed.


I uploaded the file I downloaded today to the attachments, please remove the ".txt" extension to open the file.
 

Attachments

  • uuplugin_monitor.sh.txt
    11.5 KB · Views: 84
  • uu.tar.gz.txt
    982.2 KB · Views: 84
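The decision that the reconstructed exec_uu_merlinr() makes, re-implemented as an added example (this is not code from the thread, from Asus or from Asuswrt-Merlin): parse the "<url>,<md5>" manifest line with bounds checks instead of strtok()/strcpy() into p[2][100], restrict the script URL to an https allowlist, and refuse to treat a digest as proof of anything when the TLS certificate was never verified, because with --no-check-certificate the manifest and the script arrive over the same unauthenticated channel and whoever controls it supplies both. The allowlist host, the function and enum names, and the assumption that the text/plain manifest rc reads is the comma-separated form of the JSON shown above are all mine; the parser is general (any field order problem, length or count is rejected), not just the one line in the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not firmware code. Mirrors the parse -> fetch -> md5 -> exec
   decision of the reconstructed exec_uu_merlinr() with the checks it lacks. */

#define URL_MAX 100   /* same field size as p[2][100] in the posted code */
#define MD5_HEX 32

struct manifest {
    char url[URL_MAX];
    char md5[MD5_HEX + 1];
};

enum verdict {
    ACCEPT = 0,
    REJECT_PARSE,    /* not exactly two fields, field too long, bad hex */
    REJECT_ORIGIN,   /* not https, or host not on the allowlist */
    REJECT_CHANNEL,  /* certificate never verified: manifest and payload came
                        over one unauthenticated channel, so a matching digest
                        only shows that the sender can run md5sum */
    REJECT_DIGEST    /* transfer corrupted, or manifest and script mismatch */
};

/* Assumed allowlist for the example: the download host seen in the thread. */
static const char *const UU_ALLOWED[] = { "https://uu.gdl.netease.com/" };
#define UU_ALLOWED_N (sizeof(UU_ALLOWED) / sizeof(UU_ALLOWED[0]))

/* Case-insensitive compare of two 32-digit hex digests (the firmware used
   strcasecmp). a may end in the newline md5sum prints; b is the manifest's. */
static int hex_digest_equal(const char *a, const char *b)
{
    size_t i;
    for (i = 0; i < MD5_HEX; i++) {
        if (!isxdigit((unsigned char)a[i]) || !isxdigit((unsigned char)b[i]))
            return 0;
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return (a[MD5_HEX] == '\0' || a[MD5_HEX] == '\n') && b[MD5_HEX] == '\0';
}

/* Bounded replacement for the strtok()/strcpy() loop: exactly two
   comma-separated fields, url shorter than URL_MAX, md5 exactly 32 hex
   digits. A trailing newline (fgets() keeps it) is tolerated. */
int parse_manifest(const char *line, struct manifest *m)
{
    const char *comma = strchr(line, ',');
    size_t url_len, md5_len, i;

    if (comma == NULL)
        return -1;
    url_len = (size_t)(comma - line);
    if (url_len == 0 || url_len >= URL_MAX)
        return -1;                           /* would have overflowed p[0] */
    if (strchr(comma + 1, ',') != NULL)
        return -1;                           /* third field: would have run past p[1] */
    md5_len = strcspn(comma + 1, "\r\n");
    if (md5_len != MD5_HEX)
        return -1;
    for (i = 0; i < MD5_HEX; i++)
        if (!isxdigit((unsigned char)comma[1 + i]))
            return -1;
    memcpy(m->url, line, url_len);
    m->url[url_len] = '\0';
    memcpy(m->md5, comma + 1, MD5_HEX);
    m->md5[MD5_HEX] = '\0';
    return 0;
}

/* The firmware downloads whatever URL the manifest names; pin the origin. */
int origin_allowed(const char *url)
{
    size_t i;
    if (strncmp(url, "https://", 8) != 0)
        return 0;
    for (i = 0; i < UU_ALLOWED_N; i++)
        if (strncmp(url, UU_ALLOWED[i], strlen(UU_ALLOWED[i])) == 0)
            return 1;
    return 0;
}

/* computed_md5: hex digest of the script on disk (what the firmware reads
   from `md5sum ... | cut -d' ' -f1`). cert_verified: whether the TLS peer
   was actually checked on both fetches; with --no-check-certificate it is 0. */
enum verdict decide(const char *manifest_line, const char *computed_md5,
                    int cert_verified)
{
    struct manifest m;

    if (parse_manifest(manifest_line, &m) != 0)
        return REJECT_PARSE;
    if (!origin_allowed(m.url))
        return REJECT_ORIGIN;
    if (!cert_verified)
        return REJECT_CHANNEL;
    if (!hex_digest_equal(computed_md5, m.md5))
        return REJECT_DIGEST;
    return ACCEPT;   /* only now would chmod 0755 + _eval() be defensible */
}

int main(void)
{
    /* Constructed manifest line: URL and MD5 from the JSON in the post, in the
       "<url>,<md5>" shape the rc code parses (an assumption, see lead-in). */
    const char *line = "https://uu.gdl.netease.com/asuswrt/r201910101020/uuplugin_monitor.sh,1ff500d5c9f4a742f9bff78723c78790\n";
    printf("verified channel:       verdict %d\n", decide(line, "1ff500d5c9f4a742f9bff78723c78790\n", 1));
    printf("--no-check-certificate: verdict %d\n", decide(line, "1ff500d5c9f4a742f9bff78723c78790\n", 0));
    return 0;
}
```

Note what the channel check buys: the digest comparison in the posted code is the same string compare, it is just performed after wget was told not to verify the peer, so an on-path attacker answering for router.uu.163.com passes it by sending the MD5 of their own script. Even with a verified certificate, the allowlist only pins the download host; it says nothing about what the downloaded script does once _eval() runs it, which is the thread's actual complaint.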
LOL, gotta love it!

"I just got my RT-AC86U from a local retailer today and have successfully flashed Asuswrt-Merlin."

A few messages later:

"Yes I bought the router from a Chinese online retailer."
 
Thanks so much for digging this out! It does scare me...

To summarize, the official firmware downloads some binary from a third-party provider, and they even explicitly add --no-check-certificate.
 
Well, I currently live in China. I bought it from an online retailer. It is local in the sense that I place the order online and pick it up at a local location in a few hours. I did not want to complicate the background of the first post, so I did not include the details.
 
Can blocking these domains, 163.com and netease.com, using the hosts file prevent the download of an unknown binary file from the server? Thanks for this.
 
On my system, a ping using the Network Tools tab got a response from netease.com but not 163.com. I got the IP address for both, then put them into the BAN list in Skynet. Now both are being blocked. That's good, but I do not know if those individual IP addresses are a sufficient block, or if I need to block a /24 range or an ASN range. Just to be safe, I blocked both /24 ranges, but I'm not sure if that is overkill or insufficient.
 