What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

WL-330NUL (802.11n pocket router) - potential security issue

sfx2000

sfx2000

Part of the Furniture
Interesting.. and with current FW there's no way to disable it - 3.0.0.35

http://router.asus.com/Main_AdmStatus_Content.asp

Let's you bypass the admin login screen and enable telnetd from the WLAN side...

See attached...

Wonder if this is present on other ASUS routers

sfx
 

Attachments

  • WL330NUL_Shell_Access.jpg
    WL330NUL_Shell_Access.jpg
    42.9 KB · Views: 376
How are you so sure you did access that page from the WAN side?
Did you go over to your neighbors, using their Internet connection, their computer and tried to open the given URL?

The given URL usually works (only for certain Asus devices) only from the LAN side of the router and should ask for the router login credentials.

[EDIT] Sorry, misread, you wrote WLAN (Wireless LAN), not WAN (Wide Area Network, in this case the Internet).

Still, the page should ask your credentials.
Clear your browser cache, close and restart the browser and try to access the page again.
 
Last edited:
it was from the WLAN side - still a serious security issue with cross-site attacks...

My main concern here though - other devices, do they have the same issue?
 
sfx2000 said:
it was from the WLAN side - still a serious security issue with cross-site attacks...

My main concern here though - other devices, do they have the same issue?
Click to expand...
Well I still like to see your confirmation that you can really access that page without the router ever asked your credentials:
Clear your browser cache, make sure cookies are removed as well, close and restart the browser and try to access the page again.
Does it ask Username and Password now?

My RT-N66U has the same page and the router for sure asks credentials first. Once you are logged in to the router and open the page, it does not ask for credentials again.

Cross Site Attacks would be that the configuration page in the router has malicious code to redirect you to some other page instead of your router configuration.
 
Last edited:
wouterv said:
Well I still like to see your confirmation that you can really access that page without the router ever asked your credentials:
Clear your browser cache, make sure cookies are removed as well, close and restart the browser and try to access the page again.
Does it ask Username and Password now?
Click to expand...

Checked that before I posted - was thinking the same thing myself - that URL doesn't validate the user - so basically from the WLAN side of the device, there isn't any security..

Cross Site Attacks would be that the configuration page in the router has malicious code to redirect you to some other page instead of your router configuration.
Click to expand...

this is exactly how issues like this become problems - it doesn't need to be local...
 
jlake said:
Are you talking about number 1?

http://www.cvedetails.com/vulnerability-list/vendor_id-3447/Asus.html
Click to expand...

This is another issue - but also with this device, depending on the mode it is in, the admin page isn't always on http://192.168.1.1

the www.asusnetwork. net URL is also scary - this is not an official ASUS URL - takes you to a "support" site of sorts, but it ain't ASUS...

ASUS did fix that in the 3.0.35 firmware release for that device - to get to the admin page - router.asus.com - but that doesn't really fix anything does it?
 
You must log in or register to reply here.

Similar threads

sfx2000
Asus WL-330NUL Pocket Router
Replies
8
Views
11K
unmesh
U

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 587 (members: 9, guests: 578)
Back
Top