ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Five ASUS RT series routers suffer from a vendor vulnerability that
defaults the FTP service to anonymous access with full read/write
permissions. The service, which is activated from the administrative
console, does not give proper instructions nor any indication that the
end user needs to manually add a user to the FTP access table.

The vendor was first alerted to this issue in late June of 2012, and
then four other times officially from July 2012 to December 2012. It
was not until January of this year, when the editors for the Norwegian
publication IDG/PC World went to ASUS that any official response came.

This vulnerability has been exploited aggressively for some time now,
and according to a rolling count which has been kept ongoing since July
2012, over 30,000 unique IP addresses, at one time or another, have had
their FTP service shared.

The FTP service, when not secured, allows full read/write access to any
external storage devices attached to the USB drives on the router.

The vendor has issued an official (beta) patch for the RT-AC68U as of
mid-January, and plans on additional patches in the coming week.

Models Include:

RT-AC68U
RT-AC56U
RT-AC66U
RT-N66U
RT-N16

CWE-287: Improper Authentication
CVSS v2 Vector (AV:N/AC:L/Au:N/C:C/I:C/A:N/E:H/RL:OF/RC:C)

CVSS Base Score 9.4
Impact Subscore 9.2
Exploitability Subscore 10
CVSS Temporal Score 8.2
Overall CVSS Score 8.2

Many have reported malware being uploaded into the sync share folders,
large amounts of unauthorized file sharing and, most importantly, the
theft of entire hard drives of personal information. Over 7,300 units
are still vulnerable to this weakness as of today.

It is strongly urged that those with any of the above routers check to
ensure that their FTP service has been secured.

Links:
https://www.asus.com/Networking/RTAC68U/#support
http://www.idg.no/pcworld/article281004.ece
http://www.thinkbroadband.com/news/6229-new-asus-router-firmware-to-fix-ftp-security-issue.html
http://www.pcworld.com/article/2087180/asus-simplifies-router-configuration-to-protect-external-hard-drives.html

Research Contact - Kyle Lovett
Discovered - June, 2012
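The advisory urges owners of the listed models to confirm that their FTP service has been secured. The following is an added example, not code from the advisory or from ASUS, of the check an owner can run against their own router from the LAN: it attempts an anonymous FTP login exactly as any FTP client would (USER anonymous, then PASS) and reports whether the service accepted it. Because the verifier runs offline, the block also carries a constructed stand-in FTP control server (a few lines of RFC 959 replies, not the router firmware) so the check can be exercised in both the "anonymous allowed" and "anonymous refused" states. The host name `router.local`, the stand-in server and its reply strings are assumptions for the example.

```python
"""Owner self-check: does this FTP service accept an anonymous login?

Added example. The FakeFtpServer below is a constructed stand-in that speaks
only the handful of FTP control replies needed for a login test; it is not
the router's firmware and is used here purely so the check can run offline.
"""
import ftplib
import socketserver
import threading


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control channel: 220 banner, USER/PASS, QUIT."""

    def handle(self):
        allow_anonymous = self.server.allow_anonymous  # configured per server
        user = ""
        self.wfile.write(b"220 constructed FTP stand-in ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:  # client closed the control connection
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                # The weak state: "anonymous" is accepted with any password.
                if user.lower() == "anonymous" and allow_anonymous:
                    self.wfile.write(b"230 Login successful\r\n")
                else:
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in server bound to an ephemeral loopback port."""
    allow_reuse_address = True

    def __init__(self, allow_anonymous):
        super().__init__(("127.0.0.1", 0), _FakeFtpHandler)
        self.allow_anonymous = allow_anonymous
        self.port = self.server_address[1]


def start_fake_server(allow_anonymous):
    """Run a FakeFtpServer in a background thread and return it."""
    srv = FakeFtpServer(allow_anonymous)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Return True if host:port accepts USER anonymous / PASS, False if it
    refuses with a 5xx reply. Connection errors propagate to the caller so a
    closed port is not mistaken for a secured service."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "anonymous@")  # ftplib sends USER, then PASS
        return True
    except ftplib.error_perm:  # e.g. "530 Login incorrect"
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-in in both states.
    for state in (True, False):
        srv = start_fake_server(allow_anonymous=state)
        verdict = anonymous_login_allowed("127.0.0.1", srv.port)
        print(f"stand-in allow_anonymous={state}: anonymous login allowed={verdict}")
        srv.shutdown()
        srv.server_close()
    # Against a real router on the LAN (assumed host name), from the owner's side:
    #   anonymous_login_allowed("router.local")  -> True means the service is
    #   still open and a user must be added to the FTP access table.
```

A True result from your own router means the FTP share is still reachable without credentials and the access table needs a user entry (and, per the advisory, the vendor patch where available); a connection error means the service is not listening on that port at all, which is distinct from a secured login and is why the function does not swallow it.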


Re: ASUS RT Series Routers FTP Service - Default anonymous access

2014-02-13 Thread kyle Lovett
Correction: I meant to say 2013, not 2012. I apologize for the error.

On Wed, Feb 12, 2014 at 4:29 PM, kyle Lovett krlov...@gmail.com wrote: