Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Administrator auto-logout design flaw in ASUS wireless routers

From: David Longenecker <david () securityforrealpeople com>
Date: Tue, 19 Jan 2016 08:42:34 -0600
ASUS wireless routers have an optional feature (beginning with firmware
3.0.0.4.374_5656, dated April 2014) to log the administrator out after a
period of idle time. While there are scenarios where you might want to keep
an idle logged-in session, remaining logged in makes it possible for a
malicious hacker to use that session by tricking the user into clicking a
link.

Models based on the ASUSWRT firmware up to and including the most recent
version as of this writing - version 3.0.0.4.378_9460 (dated 2015-12-29) -
rely on the browser to enforce the auto-logout function. The
firmware implements the administrator auto-logout function via JavaScript
in the browser.

A code review demonstrating exactly how this is implemented is posted at
http://www.securityforrealpeople.com/2016/01/administrator-logout-flaw-in-asus.html

Ultimately this places control of the auto-logout in the hands of the
client (either the web browser or the person) instead of it being
controlled by the server, defeating the purpose of an auto-logout
feature. It's an improvement over not having the feature at all, but better
still would be to have the time kept by the router, and have the router log
the admin account off after the selected time has elapsed, instead of
relying on the client.

If the user has disabled JavaScript, this function is never triggered.
Users not in the habit of explicitly logging out of websites may simply
close the web UI window, expecting the router to automatically terminate
the session after a set time. In both cases, an administrative session
remains open on the router without the operator's knowledge.

Lack of an auto-logout function itself is not necessarily a security flaw,
but In my opinion an improperly implemented auto-logout feature is a
security risk, in that the a security control the operator has enabled does
not function as expected.

This line of firmware is used on most modern ASUS wireless routers; I
specifically have tested the RT-AC87U and RT-AC66U, but the same code base
is used across many other models in the RT-XXXX line.

This was first reported to ASUS on December 13, 2014. It was acknowledged
but never changed.

Details are at
http://www.securityforrealpeople.com/2016/01/administrator-logout-flaw-in-asus.html,
and any updates will be appended.

Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: