Security researcher David Longenecker has identified a flaw in ASUS RT-series wireless routers that allows an attacker in a man-in-the-middle (MITM) position to push attacker-chosen firmware to the device through its built-in update mechanism.

The list of affected devices includes the RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R and RT-N56U. According to the researcher, the RT-N53, RT-N14U, RT-N16 and RT-N16R could also be affected, since they share the same firmware base.

Attack Scenario

When an ASUS RT router checks for a firmware update, it downloads a file from http://dlcdnet.asus.com to learn the latest version and the location of the matching firmware image. That first request is plain HTTP, so nothing authenticates the server: an attacker who can intercept the router's traffic (on the same network, or anywhere in the path to ASUS, including by answering the DNS lookup for dlcdnet.asus.com) can rewrite the file while the router downloads it and point the firmware source at his or her own server.

Because the update channel can be used to install firmware of the attacker's choosing, a successful attack gives the attacker persistent control of the router itself, and with it the ability to intercept the victim's traffic and steal sensitive data.

The researcher said: "Since there is no SSL connection (no HTTPS), there is no SSL certificate to prove the identity at the other end, meaning we can conduct a man-in-the-middle attack. There are lots of ways to do this, but the easiest is to simply tell the router that dlcdnet.asus.com goes to your server instead of to the actual ASUS server."

He added: "Clicking the 'Check' button on the firmware upgrade screen queries our server instead of ASUS, finds that a 'new' firmware is available, and downloads it. ASUS does some file integrity checking that I have not found a way around (though I believe it would be possible to use Firmware Mod Kit to modify a legitimate binary in a way that the upgrader would accept). I was successful though in taking an older genuine firmware (one with specific known vulnerabilities) and renaming it as a newer version. The router happily accepted that and 'upgraded' to the older version."
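The two passages above describe a single failure: the router checks that an image is intact, but nothing binds the advertised version number to the image, and nothing authenticates the server that advertised it. The following is an added example, not ASUS's code or the researcher's, that models both sides of that gap. `weak_verify` reproduces the behaviour described on this page (an integrity check on the image, with the version taken from the attacker-controlled update file), and `hardened_verify` shows the checks a router needs instead: a vendor signature over the version and the image hash, a hash comparison, a comparison against the version embedded in the image, and a monotonic version rule that rejects downgrades. The image layout, the manifest fields, the CRC trailer standing in for ASUS's unknown integrity check, the HMAC standing in for an asymmetric vendor signature, and every version number other than 3.0.0.4.376.1123 are assumptions constructed for the demonstration.

```python
"""Added example: weak vs. hardened firmware-update verification.

Not ASUS code. Image layout, manifest fields, the CRC trailer and the
signing key are all assumptions; versions other than 3.0.0.4.376.1123
are constructed.
"""
import hashlib
import hmac
import struct
import zlib

# Assumption: stand-in for the vendor signing key. A real router carries only
# the public half of an asymmetric key pair; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"hypothetical-vendor-signing-key"
HEADER = b"FWDEMO:"  # assumed image header that carries the build version


def parse_version(text):
    """'3.0.0.4.376.1123' -> (3, 0, 0, 4, 376, 1123) so builds compare in order."""
    return tuple(int(part) for part in text.split("."))


def build_image(version, payload):
    """Constructed firmware image: header line with version, payload, CRC32 trailer."""
    body = HEADER + version.encode() + b"\n" + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def checksum_ok(image):
    """Stand-in for the integrity check the page says the router already performs."""
    body, trailer = image[:-4], image[-4:]
    return struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF) == trailer


def embedded_version(image):
    """Version string the image itself carries (None if the header is missing)."""
    if not image.startswith(HEADER):
        return None
    return image.split(b"\n", 1)[0][len(HEADER):].decode()


def sign_manifest(version, image, key=VENDOR_KEY):
    """Vendor side: bind the advertised version to the image hash with a signature."""
    digest = hashlib.sha256(image).hexdigest()
    sig = hmac.new(key, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "sig": sig}


def weak_verify(running_version, manifest, image):
    """Models the behaviour the page describes: the image is checked for integrity,
    but the version comes from the update file the attacker controls."""
    if not checksum_ok(image):
        return False, "image corrupt"
    if parse_version(manifest["version"]) <= parse_version(running_version):
        return False, "not newer than running firmware"
    return True, "ok"


def hardened_verify(running_version, manifest, image, key=VENDOR_KEY):
    """Signature over (version, hash), hash match, embedded version match,
    then a monotonic version rule. Returns (accepted, reason)."""
    expected = hmac.new(key, f"{manifest['version']}:{manifest['sha256']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "manifest signature invalid"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash does not match manifest"
    if not checksum_ok(image):
        return False, "image corrupt"
    if embedded_version(image) != manifest["version"]:
        return False, "embedded version disagrees with manifest"
    if parse_version(manifest["version"]) <= parse_version(running_version):
        return False, "downgrade or replay rejected"
    return True, "ok"


def run_scenarios():
    """Run a legitimate upgrade and three MITM substitutions through both checkers."""
    running = "3.0.0.4.374.2000"                                        # constructed
    old_image = build_image("3.0.0.4.374.1000", b"genuine old build")   # constructed
    new_image = build_image("3.0.0.4.376.1123", b"genuine new build")   # version from the page
    old_manifest = sign_manifest("3.0.0.4.374.1000", old_image)
    new_manifest = sign_manifest("3.0.0.4.376.1123", new_image)

    # The page's attack: a genuine older image relabelled as the newer version.
    renamed = dict(old_manifest, version="3.0.0.4.376.1123")
    # Genuine new manifest, but the MITM swaps in a modified image with a fresh CRC.
    tampered = build_image("3.0.0.4.376.1123", b"genuine new build plus backdoor")

    cases = {
        "legit": (new_manifest, new_image),
        "renamed_old": (renamed, old_image),
        "replay_old": (old_manifest, old_image),
        "tampered": (new_manifest, tampered),
    }
    return {name: (weak_verify(running, m, img), hardened_verify(running, m, img))
            for name, (m, img) in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in run_scenarios().items():
        print(f"{name:12} weak={weak}  hardened={hard}")
```

Running it shows the weak checker accepting both the relabelled old image and the tampered new one, because the checksum only proves the bytes arrived intact, not that they are what the version number claims. The hardened checker rejects the rename at the signature step (the version is inside the signed data), the tampered image at the hash step, and a replayed but genuine old manifest at the version step; fetching the manifest over HTTPS with certificate validation would on top of that deny the attacker the MITM position in the first place.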

The flaw was reported to ASUS, and the company quietly shipped an undocumented fix in firmware 3.0.0.4.376.1123. Owners of the affected models should make sure they are running that version or later; since the weakness lies in the update check itself, that firmware is best downloaded directly from ASUS over a trusted network rather than through the router's own update check.
