
Hacking ASUS Routers

BSides DC · 2017 · 34:26 · Published 2017-10
About this talk
A backup talk - I'll get more info soon and update here.

The BSides DC 2017 videos are brought to you by ThreatQuotient, introducing the industry's first threat intelligence platform designed to enable threat operations and management, and DataTribe, a new kind of startup studio co-building the next generation of commercial cyber security analytics and big data product companies.

So I submitted my talk originally; it's supposed to be a case study on hacking ASUS routers, specifically from the application layer. There were many other people chosen in front of me and I was chosen as a backup speaker, and now you know why. [Crosstalk with the organizer about getting the slides up.] OK, thank you.

OK, so my talk is about... so I'm an application security engineer. My background is as a software developer. I don't mess with routers on a regular basis, or on an annual basis. What I do is security on the application layer; that means Java apps, web apps, Node.js apps. We don't descend below level seven. However, I happen to have a router, and I got curious about what's actually inside the router and the firmware. It's one of the things I never had a chance to look into. So I spent one night unpacking the firmware and just started looking into it, and what I found in there: I actually got five CVEs to actually hack into the router, but all of them are still on the application layer. There's nothing on the network layer. So again, my talk was really about... thank you... it's about things that we don't expect from the application layer. We don't expect those things to be in routers, but they are there anyway.

So I'm a software developer. I work for a big financial institution who wishes to remain unnamed; you could Google it. I have some background around anti-spam, so if you know what SPF is and DKIM, I was involved in those things many years ago. I also wrote the RFC for comma-separated value files, if you use those. I'm going to talk about expectations, and this is my standard warning: don't hack your friends without permission.

Now, there's two parts to this talk. First I'm just gonna run through the process, my total process of what I went through, and then I want to show you exactly what it was that I found. So I'm not a pen tester, I'm a developer. I'm the guy that pen testers hate because I install stuff on my computer that you don't want to see. What happens is that I never dealt with firmware. I know hypothetically what firmware is, I know what a router is, I know what it's running, but I never actually looked into it. So I have an ASUS router, and over the years I was curious what's inside the router. If you know anything about ASUS, they're not exactly very regular with their updates, so when they didn't come up with an update I was trying to figure out: is there a way for me to crack it open and see what's inside? Now, for those of you who work with routers all day, it's probably a no-brainer, but for me, coming as a software developer way, way up in the stack, the router to me is a box. It's a box you stick on a network and you let it do its own thing. So what was curious to me, and what is basically the point of my talk, is I started from the application layer and I ended up in the application layer even though it was a router.

Now, this basically took about a night. I downloaded the firmware, I opened the file. What in the world is this file? It turns out it was some sort of a Linux partition, and again I'm just going on blindly. I'm opening the files, I'm looking into them. Now, one thing I do know is that routers do not run Windows, and if you have a router running Windows you probably shouldn't be having it inside the router. There are JSON files and there are ASP files. Now, ASP files are .NET IIS files; they do not belong in routers, so obviously something's funny. So this was essentially the command flow: I took the file, I downloaded binwalk, I opened it up (I'd never used binwalk before), and here's what I found. Now, I'm not interested, from my point of view, in looking into the C source and the Linux configurations in there; that's not where my expertise is. What I was looking for was just curiosity, just to see what's in there. So I see these ASP files. Now, in the application security world an ASP file is a Windows script; obviously that's not what the router is supposed to have. But when I went inside these files, it actually turned out to be HTML and JavaScript. For whatever reason ASUS has decided to package their web UI files as ASPs. There's some sort of an engine that interprets them; I don't know what the engine is, I didn't dig into it. But what I did see is a lot of JSON code.

Now, once I dug into it all the way down, what I saw was JSONP. Now, JSONP, for those who are not familiar: the browser security model prohibits us from loading JavaScript files across domains. JSONP is a way to kind of bypass that. You tell the server, here's my callback function in JavaScript, give me the JSON. What it does is it doesn't just return the JSON file to you, it also wraps it around and executes the callback function you provide. What happens is that, to bypass the security model, instead of using the standard ways you load it, what you would do is a simple script include. You do a script include, you pass it to your server, it loads your JSON. Now, a router is not a place where you want to find JSONP, and in the second part I'm going to actually show you what that looked like, but essentially what that means is you can do calls into the web UI of the router and you can get stuff back. This is an example of what one of the files looks like. Again, I don't know what the engine is, I didn't dig enough into it; there must be something in Linux, what it is exactly I don't know. But what you do see is it's putting some data into it.

Now, at that point what I have is I have the router that's working with the UI, and I have my source code, and the names start to match. Some names match, some names don't match. So I'm not in the router world anymore; now I'm back to where I started, where my expertise lies, which is application security. Now, when I'm looking at the router, I'm no longer looking at it as a box. I'm looking at it as: somebody wrote a UI, they have a web application which is insecure, it happens to be running in the router versus a conventional computer, but that's what I'm looking at. So I started looking at it. Now, at this point I'm not thinking in terms of ports, I'm not thinking in terms of what services are running on the router. I'm looking from the point of view of an application security engineer, and what we're looking at is: this is a web UI. There are common things that are described in the OWASP Top Ten that web UIs have, that they're vulnerable to. Those are some of the things you can start with, but basically just start looking around, treating it not as a router but as any other application.

So I started looking at this. There was no specialized tool; I did not use Burp, I used a lot of Chrome. I put up the developer tools in Chrome and I just started going to the router UI. If the firmware is bad, from what I hear, the UI apparently was even worse. The quality of the code, at least the JavaScript I saw, from a security angle was pretty bad. So at this point, over a couple of days, I found one, I found two, found three, four, eventually four or five different CVEs. If you follow the entire chain all the way to its end, you can take over anybody's router. Now, there is a very big difference in web security and application security in how you take something over versus the network level, and in part two I'm going to go through it.

Now, at this point I just spent a couple nights looking at a router, I've got a bunch of issues. Now what am I supposed to do with it? If I was a black hat hacker I know what I'm supposed to do with it. Now, luckily for ASUS or not, I contacted ASUS. Now, ASUS took a while. I always go through CERT. For those of you who've dealt with responsible disclosure, CERT isn't always helpful, but if the vendor decides to go back after you, at least you have a second, independent party that was involved. Eventually they fixed it. One of them we still have a disagreement on: they don't want to fix it, I think it's an issue, they don't think it's an issue, and I'll show you what the issue looks like. It took about a month to fix it, and I believe an extra month afterwards to actually disclose it. The funny thing that happened is, once it was disclosed, and again I don't know why this issue over any other, the media suddenly picked it up. I reported an issue in a single router model; based on what the users started sending to me, somewhere between 40 to 50 different ASUS models are affected. I think pretty much every single one. ASUS officially only released patches for specific ones, but as these other things start coming out of the woodwork they start affecting the rest of them. The last issue is being worked on, at least for the router that I worked on, which is the RT-N56. They do not have a fix; however, they do have a fix for everything else.

So the bottom line is that for me as an application security engineer, it's good to be curious. Even though I don't touch the network level stuff, in this case it was a good thing, and a lot of times we have silos; we work in specific areas, we don't necessarily always follow things.

Now, what I want to do at this point is actually go through the seven vulnerabilities. An interesting thing about ASUS: ASUS is actually under a legal consent decree because their routers are not secure, and I believe D-Link is going through the same issue. The Federal Trade Commission is slowly going through all the various router vendors and suing them to force them to do security. I think that is one of the reasons why ASUS responded so fast, because my experience with other vendors, even Google, has not been that fast. There's 42 models, everything that's RT-. Since I wrote the slide I think that the number crept up a little bit, because some of the routers... RT is the retail model, there's also the 4G models, there's a couple of other variations. Everything prior to 2017 is affected. There are at least two open source projects derived from the ASUS firmware; I think one is AsusWRT, one is the Merlin project. If they copy code from ASUS, and ASUS is very good about GPL disclosure, then they are probably affected. I did not test them. To give you a scale in terms of the rest of the internet, their market share, at least according to what the industry people are saying, is 4.3 percent in the last year. For the high-end Wi-Fi routers, basically anything over 100 bucks, their share is much more, it's like 13%.

Now, a very important point is the last one: this is not network level. That means you cannot just go into Shodan or Censys or anything like that and start scanning every single IP. You will not find these issues, because this is a web security issue, not a network security issue. The exploitation path is different. In some ways it's easier, in some ways it's much harder. So it's not something you could just pop open from a port.

So these are the CVEs that I found. There are essentially four of them. MITRE, when they assigned them... I think I asked for two, they assigned four, there's a fifth one. So these are basically our four, and what these four are is as follows. The first one is the one that's the worst; that is known as CSRF. Now, a CSRF attack relies on the fact that you don't have state in the browser. When the browser talks to the website there is no state, so there's various tricks that we do to establish state. The most common is a cookie, but essentially, if you're logged into bankofamerica.com, any other website can start posting stuff to the same site and send them in, because the browser will just take the cookie and send it over. Now, that is not something you want to see in a router, because if you do have a CSRF issue in your router, that means you can actually do a POST to the router UI from any other site and change things.

The next two are somewhat less of an issue. If you do have connectivity to the router, then, as I mentioned earlier, there's a callback; you can do a callback from any other website. Remember, there's no web security at this point because the people that wrote the UI chose to bypass it by putting in JSONP. You call the router and you get stuff back, and I'll show you some of the examples of what you can get back, but there's a lot of interesting things that come out of the router. You have to be authenticated. The third one is there's an unauthenticated endpoint. If you want to go and start attacking your users and you want to see who has a router or who doesn't, that's the endpoint you would use. Once you know what the local network looks like, you call that endpoint. As a matter of fact, the official ASUS application that they have for Android does the same thing, and then you can actually detect whether somebody's running or not running an ASUS router. The vulnerabilities are listed in order of the CVE numbers, not in order of severity. The last one is the Wi-Fi password disclosure. There's an endpoint in the router that will give you the Wi-Fi password. Now, at this point ASUS chose to actually make it a little more secure: that is an XML endpoint, not a JSONP endpoint, so web security in browsers at this point kicks in and you can't actually do this. But if you manage to somehow cross the network boundary, if you're on the user's local network, you'll get their Wi-Fi password.

Now, these are the actual CVEs. How do we actually... what do we do with them? How do we put them together? So first of all, just to review about CSRF: unless you're using a very modern browser with the latest version of Chrome and using something called SameSite, which is very, very new, every time you do requests to a site a cookie gets sent back, and that establishes state. So what will happen is anybody can ride in that session. The proper way to get around those issues, for those who work in application security, is we have CSRF tokens, which are tokens that are generated every single time something comes back from the server, and we send that second token back. That is not what is happening in the ASUS router.

JSONP is the other one. JSONP is a way to bypass basically every browser restriction there is. JSONP originally was invented as a way, when the beginnings of security in web browsers were put in, that's when people started to figure out: we cannot load data from other sites through XMLHttpRequest, how do we do this? So they came up with JSONP, which is not really a standard, it's a convention, but essentially you could do a script include and you tell the server, here's the callback function I want. So you do a script include and say callback, it will give you back a piece of JavaScript rather than data, and that callback gets executed within the context of your machine. Now, what will happen is, let's say if you have Bank of America, and Bank of America does this, so they have a JSONP endpoint, then any other website can just go and do bankofamerica.com/jsonp and get whatever data comes back. In the application security world this is very, very bad. The funny thing is, if they were not using JSONP, if they were using XMLHttpRequest, which is what most sites are using, then web security in the browser kicks in automatically; it wouldn't have the session. So somebody went out of their way and actually put in the JSONP.

This is the exploit chain. Now, if you notice, this chain is very different than the network level. A network level exploit chain starts with scanning; there's no scanning here. The first problem is that we cannot actually get to the UI of the router, because it's running internally, it's running within the local network. It should not be accessible from the outside. The way you will need to do that: you need to get somebody who is on that network to visit a malicious page. You could do a watering hole, you could do spam, you could do a fake app, whatever it is. You have to get somebody to actually click on that link and hit that site, and it will not work otherwise. But once you do that, then the next step is... let's say you did manage to phish someone, you did manage to do whatever it is, and now they are on your site. Then the second step is, there's that endpoint... sorry, the third. The second step is you have to find out what their IP address is. Now, most modern browsers support a protocol called WebRTC, which is used for essentially video chatting, Skyping and stuff like that. WebRTC has got a bunch of security holes. I think there's a Black Hat presentation a couple years back. Essentially, you could tell your browser and ask it what is your local range, and it will tell you what the local LAN range is. Now, at that point, let's say you know the local range; most routers will sit as the first one, so if it says 192.168.99, it will probably be 99.1. That's when you get to the third step. Again, the user is still on that site. They hit that site, the site runs the JavaScript to do WebRTC, the next point is it runs the third step, which is it calls the JSONP endpoint and says, are you alive? If it gets a response back, that's an ASUS router. Now you are at step four.

Now, this may sound like, you know, this never happens, right? No, no, everybody changes their credentials. If you look at the studies that have been done, most users do not bother to change their credentials for the router, because it's inside the firewall. So what happens is the ASUS routers come with the default credentials; the things have been admin/password or admin/admin. That's when the next vulnerability comes in, so the CSRF attack. So again, we're dealing with several different steps, I'm gonna go through all of them, but the CSRF attack lets you log into the router. Number five, you can use additional endpoints to collect information on the router, and number six is when you can actually use the same set of vulnerabilities to do whatever you want. In my example, you turn on remote access, you put it on a high port. You could also, for example, number seven, ASUS routers have the ability to send logs remotely; you could add that also. But at that point every setting within the router can be changed, and what's interesting there is the user has to be visiting a malicious site, and they don't have to be logged into the router; this will do it all for them. And it doesn't take very long, it takes maybe 30 seconds and then it's done.

Now, the first step is obviously the hardest. This is why this attack is not rated higher, because this is not the kind of thing that you can craft a worm for; this is not the kind of thing where you just scan all IPs. You have to actually trick someone to visit your site, and there are many ways to do that: phishing, spam, watering holes, whatever it is. You have to actually do that first step. Now, a conventional phishing attack, when you click a site, asks you for username and password, say a fake Gmail site. A lot of the detection mechanisms around phishing will look for that. This does not; all this needs is you visit any site, because the user will not see the JavaScript commands that are happening behind the scenes. So at this point you somehow get them to visit a malicious site. Now, at that point, using WebRTC, and that's the link to one of the security issues, Flash is another way for it to leak. You can also assume that 1.1 or 0.1 is probably the default. If you're using a mobile app that may work also. My router, the one that I worked on, doesn't have the last issue, but some routers actually do: because they control the DNS, they have default domains defined that will always go to the router. So you could check whether the domain is there and then access the endpoint, and at that point you'll see whether it's an ASUS router or not.

But the third step is, so now you have the visitor on the page, you either find out what the IP address was or you hit one of those domains. That is the endpoint that you need to hit. If you hit that endpoint on the IP, it will give you that information. The information is very basic; from a security angle that sounds pretty innocent. All it's going to tell you is what is the model, what is the SSID of the network, and what's the IP address of it. The second one is even smaller by itself, but this is the one that we are actually still arguing with ASUS about. They haven't fixed it because they don't consider this to be an issue. I consider this to be an issue because it's another way in, further in. For example, the model number: some of the ASUS models have patches, some of them do not. If I know what the model number of your router is, then I can target specific attacks to that model. I think they are convinced at this point that this is an issue, but they haven't fixed it yet. So you have your website, you call these two endpoints, you get some data back. Now you know the user is running an ASUS router. This is an example of the actual code that will do that; I have it in my blog. This is a very, very basic way of doing it; obviously there's a more sophisticated way of doing it, but this is how you would do this in JavaScript: you append a child element with a script include, you call whatever that endpoint is. Either it will come back with an error or it will come back with the data you're looking for.

The next step is the actual login. The default login for the router is admin/admin; it needs to be base64 encoded. Very simple example: just a form, you fill the form, you do form.submit. Either you're in or you're not in. Any way you verify that is the next step, but essentially this relies on the fact that the user will not change their credentials, which is true in most cases. However, I do want to point out at this point, this step: if they change their credentials, there's not much you can do. So it does rely... there's multiple steps here that need to happen, but based on what I've seen out there and the surveys that were done, most users do not change the credentials. If they did change their credentials, then you have to go with, you know, conventional phishing or something similar.

So at this point you know their router IP, you know it's running ASUS, you know which model it's running, and you're able to log in to the interface. Now you can collect additional information here if you want. The CVE that's highlighted on top, which is the XML one, is not accessible from the web, but if you make a fake mobile application or desktop application you can access it. That gives you the Wi-Fi password. I don't know how valuable the Wi-Fi password would be or not, because if you're local to the network it may be valuable; if you're not local to it, then the password has to be reusable somewhere else, and I don't know how true that is. The second one is 5892; there's a second set of JSONP endpoints. So in the previous steps the ones highlighted... again, JSONP can be done cross-domain. This is the second one that I highlighted. In additional information, you could get information about the router, about things that are attached to it. Here's some examples: information about what the WAN link looks like. The next two are pretty interesting: that does an active scan around all the access points. It takes some time, it actually puts load on the router; you could potentially DoS the router that way. The next one gives you information about the local network. You get information about the external IP. The last one can open WebDAV access to the router; the WebDAV access is routed through another server. So all of these things are interesting, but I don't know how much you can do with them. They're interesting. Here's an example of getting the external IP address. Now, why is this address important? Maybe they opened the external access on the router, maybe not; most ASUS routers do not have that open. But there's an example of what you can collect. Again, very simplistic: this is no libraries, nothing, this is HTML 101. There's nothing complicated here in how you actually get information into the browser.

This is where everything comes together. So at this point you have a user on the same network visiting a malicious page, not a phishing page, just a malicious page. The page used WebRTC to find out the local IP range, we did a JSONP call to figure out it's an ASUS router, we did the CSRF to log in. You could do whatever we want, because every setting in the router can be changed through CSRF, the same way as the CSRF on login; the state of your login to the router is there. So for example, if the user is logged in and you don't know their credentials, you could do this also, but it's easier to just try to log in, and you can do all of these various things. So what I would do is I would open remote access, I would limit the remote access to a high port so Shodan doesn't find it, and I would also limit the remote access to the IP range that I want, so I can get in and nobody else can get in. If you want to, you could change the username and password. I would not recommend it; this is not something the attacker probably would do, because the user may figure out something's wrong. But then again, how often does somebody log into the router?

So of all of the vulnerabilities, of those four, this is the one that's the most severe, because this one actually lets you change the settings on the router. But to exploit this successfully, it's not something you can do from outside. The user has to be on the local network and they have to be able to hit a page you're giving them. I haven't tried whether Outlook or something that's web-based but not browser-based can do this; I don't think you can, because JavaScript is limited. So you gotta get them to visit a page. Now, this is the admin UI for the ASUS router. Those are all the various options; this is just a few of them, but there's way, way more of them in there. Basically, this is how you would actually turn on remote access. Again, it's very simple, it's a web form. You have to be logged in from the previous steps. Once you're logged in, basically this is what you do. This code is incomplete on purpose, but anybody who digs into the UI can figure it out. I have not been able to consistently reproduce it on my router 100% of the time; it only works sometimes. I suspect there's a timeout of some sort in there. Other people have reproduced it successfully and left comments on the blog saying that other models don't have the timeout. But again, this is a very simple attack: CSRF, form.submit, and that's it, you're in there.

Here's another example in the UI. Let's say you do not want to do that, but you want to see what the person is doing on the router, on the network level. There is a remote logging server there. I don't know how detailed those are, I don't know whether it goes into the actual network level, but that's another example. You do a CSRF attack the same way and you go and change the settings, and the user doesn't know anything; they're not gonna know what's gonna happen. So what's the worst thing you can do? You can have admin access to the router. Now, one thing also that's interesting, which is the last point: yeah, you can mess with the router, you can mess with the user's experience, you could have admin access, you could also update the firmware. The user's not gonna know anything at that point. That's also something that can be done through CSRF as well. At that point it may become somewhat wormable. Again, if there's a worm, it's spreading; it has to get to the other users, and with application level attacks it's kind of hard to do that. But yeah, if you have admin access to a router you could update the firmware. There's at least two open source ones that are out there; it's trivial to download and modify them.

So that's basically... just to go back to the exploit chain: you get them to visit the malicious page, detect the IP range through WebRTC, step three, figure out if they have an ASUS router, log in through CSRF, number five, you could collect the data if you want to (it might not be helpful to anyone, you could choose not to), number six, you do remote access or change the settings or firmware, whatever it is that you want to do, the actual malicious activity, and then you're basically done.

Now, one last thing also. I mentioned that this is all about application security; however, one more thing: after I found mine, somebody found a bunch of network level ones. So what I focused on was application security; however, there are other attacks in the firmware that are also network based. There is very little information available about these two CVEs. The only thing that's available is that ASUS has not fixed them, and it's unclear whether it could be remotely exploitable or locally exploitable, but that's where you basically get back into netsec territory.

Now, what I learned from this is that manufacturers of routers don't know much about security. Now, we would hope they know something about network security, but what I found is application security often is even worse. It's also important to know what kind of router you have. Now, the router that I've used, the ASUS router, when I was doing this work, which was last December, they hadn't had any security patches, I think, for two years at that point. Since they released this patch, which was back in March, there's been no more patches since then. So I would not necessarily... you know, when you're buying a router, make sure you know what you're buying and make sure it's updated. The other option you could do is go with open source firmware; open source firmware like OpenWrt, Merlin, they maintain their stuff better. But again, the vulnerabilities that I'm discussing here unfortunately are in both, because I haven't necessarily seen the open source ones fix them before the manufacturer does.

Admin credentials need to be changed; that's an important point. We think that the network boundary cannot be breached easily. In this case a CSRF attack or JSONP attack is something that a lot of people who operate on a network LAN don't necessarily realize, and even people who do applications on it don't certainly realize: the router is a box, but it's got a UI. If it's got a UI, then it's got an application; if it's got an application that's vulnerable, CSRF, JSONP, those kinds of things can cross from one side to another and bypass browser security.

Another thing that I do recommend if you want to deal with your router, which is something I do with my own routers: I do not administer them when I'm logged in somewhere else. I go into anonymous mode, and I log out when I'm done. Why? Because these kinds of attacks that I'm describing can be done without you knowing it. You will not know anything. You could be logged into your router and you could be visiting some site, and you may not realize there is a piece of advertising code that brings in a piece of JavaScript, and in that piece of JavaScript it's talking to your router, because these types of attacks, CSRF, JSONP, can cross from side to side without anybody knowing anything.

The last piece also is that when I was originally trying to find information about the ASUS security team, there's a lot of interesting stuff out there and none of it was from ASUS. Part of the problem is ASUS has multiple country sites, so some of the attacks here, especially on the mobile side, which I didn't dig into a lot... but if you have an ASUS app, you better make sure it actually comes from ASUS, and the same thing for that stuff: if you want to make sure that's an ASUS website, you've got to make sure it's coming from ASUS, especially since one of the things that I've seen is some of the domain name stuff. Those domain names ASUS have registered are not actually registered publicly, and someone can register them publicly and grab them. So there's a lot of things to keep in mind when you're working with routers. Everything I have here is on my blog, on the blog post. All of these CVEs have been reported; as I said, three out of four have been fixed. If you have any questions, feel free to reach out to me.

Questions? Thank you. [Applause]