Warning !! Security failure in official firmware 1970 and 1969 !!

[Badidea]

Yesteday i found out an amazing failure in the ASUS WL-500g Premium.

With the following setup, FTP mode = login to first partition (default setting) in menu "USB applications", "share nodes" in the web configuration of the WL-500gP, just ask to a friend of yours to enter the following adresse in his In browser (xxx.xxx.xxx.xxx = your IP address):

ftp://root:root@xxx.xxx.xxx.xxx

Bingo, this freind "just" has access to the whole system file of the firmware (linux in this case) of your router !!!
Of course after that, anyone who knows your IP, can read for instance :

• your login and pass for Internet Service Provider

• your login for wl-500 configuration

• your keys (wpa or wep) for wifi security

• ...

To summarize, all the secrets you want to keep secret, can be read by anyone on internet, and you're not aware of it !!!

Please, release this information, to force ASUS to fix huge backdoor ASAP. It is present in firmwares 1970 and 1969 of WL-500g Premium.

In the next release, access to "root" user has to be forbidden, with any password, and of course port 21 has to be hide !

To avoid this backdoor temporary, just select FTP mode = disable, but of course, there is no more ftp !!!

Thanks for time and C U.
Bad

[luno]

As a newby here...

1. What is the URL to post bugs...
2. You URL give indeed some access, AND THAT IS WRONG, but in my case it is read-only, so besides privacy matters not such harm is done.

NEVERTHELESS this hole should be solved ASAP.

Tanx anyway to mention it.

[Badidea]

Luno, you have to try from internet of course, not from your lan !

Just have à look in tmp folder, you will find your id and your pass for your ISP !
And if you are a little more curious, you will find your wpa passphrass.

You're right, it is read only, but secret informations are available !
No matter..., it's up to you !

C U
Bad a newby

[pinocten]

badidea

Thx for the heads up.

[luno]

Luno, you have to try from internet of course, not from your lan !

Just have à look in tmp folder, you will find your id and your pass for your ISP !
And if you are a little more curious, you will find your wpa passphrass.

You're right, it is read only, but secret informations are available !
No matter..., it's up to you !

C U
Bad a newby

You are correct I found my passphrase for WPA.

This is indeed A MAJOR HOLE.

How do I transfer this info to ASUS??

Tanx anyway Luno

[Badidea]

Hi Luno,

Yes, it is a big security failure !

Regarding contact to ASUS :

• First I sent a technical query, is it a hasard but it has been erased !

• I sent another one yesteday, I have no answer yet !

• Last but not least, I did try to access to asus forum, a lot of times, but I always failed with this message "Due to vast number of connections online...".
  URL is : http://vip.asus.com/forum/join.aspx?...model=WL-500gP
  if you are more lucky than me, please thanks Asus for their big backdoor !!

I don't know exactly what to think about this backdoor, is it a mistake or is it intentional ?

Thank to release as much as you can this info !
Bad

[IvanS]

Hi Luno,

Yes, it is a big security failure !

Regarding contact to ASUS :

• First I sent a technical query, is it a hasard but it has been erased !

• I sent another one yesteday, I have no answer yet !

• Last but not least, I did try to access to asus forum, a lot of times, but I always failed with this message "Due to vast number of connections online...".
  URL is : http://vip.asus.com/forum/join.aspx?...model=WL-500gP
  if you are more lucky than me, please thanks Asus for their big backdoor !!

I don't know exactly what to think about this backdoor, is it a mistake or is it intentional ?

Thank to release as much as you can this info !
Bad

0) search once more for a security contact on asus web site
1) check if it has not been reported earlier on http://www.securityfocus.com
2) subscribe to bugtraq ml (same site) and ask for a security contact at asus give a very rough description of the problem (I bet if you posted this here all blackhats will already know it, anyway you don't want to give asus one more reason to try to sue you...)
3) if no one answer in a week post what you discovered on bugtraq

[luno]

Hi Luno,

Yes, it is a big security failure !

Regarding contact to ASUS :

• First I sent a technical query, is it a hasard but it has been erased !

• I sent another one yesteday, I have no answer yet !

• Last but not least, I did try to access to asus forum, a lot of times, but I always failed with this message "Due to vast number of connections online...".
  URL is : http://vip.asus.com/forum/join.aspx?...model=WL-500gP
  if you are more lucky than me, please thanks Asus for their big backdoor !!

I don't know exactly what to think about this backdoor, is it a mistake or is it intentional ?

Thank to release as much as you can this info !
Bad

After many retries I got an account I have dropped the problem there, but that was a week ago, and no response yet.

Personally I'm not worried. AFAIK the nieghbours don't know enough about computers. But that's security by obscurity (or nitwits?).

[Sebastian78]

No reply from Asus, no update yet. BTW I'm trying to download 1970 now, but I'm have big problems with the Asus site.

For several tries, I get a message that the activity/download is too high from the site (this is BS, they should get larger capacity then......Asus IS a major player, not a miniscule unimportant company).

When I get to the WL500gP site, several of the downloads Sites wont work, file not found and all that.

The two that do, the download speed is extremely low, I'm getting 4-8 KG/s..... (I'm at work, using a 100 mbit internett connection...)


This is, by lack of a better wording, the largest piece of crap I have ever bought........ Asus, I will never, EVER buy anything you produce and I will be sure to tell people this if they ask for my help..... (and pluease, don't start harrasing me here....this is me being serious).

[citro]

I followed a thread on Asus forum about Security hole in FTP mode firmware 1.9.7.0 (I hope the link works)
The only thing to note is that 1.9.7.1 is beta but it isn't clear if they are working on this bug.

[viktike]

Real big bug!!!
I'm thinking, how can i change the os root password, but i have no idea.
I't visible from the wan, and throw this ftp acces in the /tmp/harddisk/part0/ the content of the usb drive is visable.

Tomorrow I will call Asus!!!
I knew that the firmware is awful, but so much like this????

[viktike]

I've talked finally an asus "expert" who told me, it's definiety made for the a reason, what was to be able to upload firmware throw FTP, if you send the box back to repair.