Asus RT-AC and RT-N devices have several CSRF vulnerabilities allowing malicious sites to log in and change settings in the router, multiple JSONP flaws allowing exfiltration of router data and an XML endpoint revealing WiFi passwords.
ASUS RT routers like many other routers come with a built-in web interface that is accessible over the local network but normally not accessible via the Internet. The discovered flaws exist within that web interface that would promote attacks on the router either via a malicious site visited by a user on the same network, or a malicious mobile or desktop application running on the same network.
Flaw #1 – Login Page CSRF:
The login page has no CSRF protection at all, so a malicious website can submit a login request to the router without the user’s knowledge.
Flaw #2 – Save Settings CSRF:
Many pages within the interface that save settings have no CSRF protection, which means that a malicious site, once logged in, would be able to change any setting in the router without the user’s knowledge.
Flaw #3 – JSONP Information Disclosure Without Login:
Two JSONP endpoints exist within the router that require no login; they allow detection of which ASUS router is running and disclose some further information.
Flaw #4 – JSONP Information Disclosure, Login Required:
There exist multiple JSONP endpoints within the router interface that reveal various data from the router including.
Flaw #5 – XML Endpoint Reveals WiFi Passwords:
An XML endpoint exists in the router which reveals the router’s WiFi password. Fully exploiting this issue would require a mobile or desktop application running on the local network, because the browser’s same-origin policy prevents a web page from reading an XML response served by another origin (unlike JSONP, which the browser loads and executes as a script).
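Flaws #3 to #5 differ only in how the data gets out: a JSONP response is a script that any page can load and execute, while an XML response is unreadable from a foreign page but still available to any program on the LAN. The JavaScript below is an added example, not ASUS firmware code and not from the advisory. It models a weak JSONP handler and a weak XML handler beside hardened versions, plus a simplified model of which responses a page on another origin can actually read. Router state, sessions, endpoint names and the passphrase are constructed placeholders.

```javascript
// Added example (not ASUS firmware code): why a JSONP endpoint (flaws #3 and #4)
// hands router data to any web page, why an XML endpoint (flaw #5) does not but
// still leaks to local programs, and how both can be served safely. Router state,
// requests and sessions are constructed placeholders.

const ROUTER_STATE = {
  model: 'RT-EXAMPLE', firmware: '0.0.0-placeholder',
  ssid: 'HomeNet', psk: 'constructed-passphrase',
};

const JSON_HEADERS = { 'content-type': 'application/json', 'x-content-type-options': 'nosniff' };
const XML_HEADERS = { 'content-type': 'application/xml', 'x-content-type-options': 'nosniff' };

// Minimal XML escaping so the SSID cannot break the document structure.
function escapeXml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&apos;', '"': '&quot;' };
  return String(s).replace(/[<>&'"]/g, c => map[c]);
}

// Weak JSONP: no login, and the body is a script calling a function name chosen by
// the requester. A <script src="http://router/..."> tag on any site executes it, so
// the data arrives in that site's JavaScript; the same-origin policy does not stop a
// page from loading and running a cross-origin script.
function handleInfoJsonpWeak(req) {
  const cb = (req.query && req.query.callback) || 'callback';
  const payload = JSON.stringify({ model: ROUTER_STATE.model, firmware: ROUTER_STATE.firmware });
  return { status: 200, headers: { 'content-type': 'application/javascript' }, body: `${cb}(${payload});` };
}

// Hardened: login required, plain JSON (an object literal is not a valid script on
// its own), nosniff so the browser refuses to run it as one, and no callback at all.
function handleInfoJsonHardened(req, session) {
  if (!session || !session.loggedIn) return { status: 401, headers: {}, body: '' };
  const payload = JSON.stringify({ model: ROUTER_STATE.model, firmware: ROUTER_STATE.firmware });
  return { status: 200, headers: JSON_HEADERS, body: payload };
}

// Weak XML endpoint: unauthenticated, and the passphrase is in the body. A page on
// another origin cannot read this response, but any app on the LAN can fetch it.
function handleWifiXmlWeak(req) {
  const body = `<wifi><ssid>${escapeXml(ROUTER_STATE.ssid)}</ssid><psk>${escapeXml(ROUTER_STATE.psk)}</psk></wifi>`;
  return { status: 200, headers: { 'content-type': 'application/xml' }, body };
}

// Hardened: login required, and the secret is never sent; the UI only needs to know
// whether a passphrase is set.
function handleWifiXmlHardened(req, session) {
  if (!session || !session.loggedIn) return { status: 401, headers: {}, body: '' };
  const psk_set = ROUTER_STATE.psk ? 'true' : 'false';
  const body = `<wifi><ssid>${escapeXml(ROUTER_STATE.ssid)}</ssid><psk_set>${psk_set}</psk_set></wifi>`;
  return { status: 200, headers: XML_HEADERS, body };
}

// Simplified model of what a page on another origin gets from a response: a script
// tag executes a JavaScript body regardless of who served it, while fetch/XHR cannot
// read the body unless the server opts in with a CORS header. Only the JSONP shape
// (or an explicit CORS wildcard) leaks to a foreign page.
function readableFromForeignPage(resp) {
  const ct = (resp.headers['content-type'] || '').toLowerCase();
  const asScript = resp.status === 200 && ct.startsWith('application/javascript');
  const cors = resp.headers['access-control-allow-origin'] === '*';
  return asScript || (resp.status === 200 && cors);
}
```

The XML case is the reason the advisory's fifth flaw needs a local application rather than a web page: the response is fetched fine, the browser just will not hand its body to a foreign origin. That protection says nothing about other software on the same network, so the fix is authentication on the endpoint and not returning the secret at all, not reliance on the same-origin policy.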
Affected devices:
RT-N12 (D1 version only)
RT-N66U (B1 version only)
Affected devices that are not running the latest firmware version are vulnerable. Owners of affected routers should install the latest firmware as soon as possible.