ASUS RT-AC and RT-N devices have several CSRF vulnerabilities that allow malicious sites to log in and change settings in the router, multiple JSONP flaws that allow exfiltration of router data, and an XML endpoint that reveals WiFi passwords.
ASUS RT routers, like many other routers, come with a built-in web interface that is accessible over the local network but normally not accessible via the Internet. The discovered flaws exist within that web interface and enable attacks on the router either via a malicious site visited by a user on the same network, or via a malicious mobile or desktop application running on the same network.
Vulnerability details:
Flaw #1 – Login Page CSRF:
The router doesn’t have any kind of CSRF protection, thus allowing a malicious website to submit a login request to the router without the user’s knowledge.
Flaw #2 – Save Settings CSRF:
Many pages within the interface that can save settings do not have CSRF protection, which means that a malicious site, once logged in, would be able to change any settings in the router without the user’s knowledge.
Flaw #3 – JSONP Information Disclosure Without Login:
Two JSONP endpoints exist within the router which allow detection of which ASUS router is running and some information disclosure.
Flaw #4 – JSONP Information Disclosure, Login Required:
There exist multiple JSONP endpoints within the router interface that reveal various data from the router including.
Flaw #5 – XML Endpoint Reveals WiFi Passwords:
An XML endpoint exists in the router which reveals the router’s WiFi password. Fully exploiting this issue would require a mobile or desktop application running on the local network, since XML cannot be loaded cross-origin in the browser.
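The server-side check whose absence Flaws #1 through #4 describe, written as an added example (it is not ASUS firmware code and not part of the original advisory). The function name `allow_request`, the lowercase-key header dict and the sample address and domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _authority(url):
    """Return the lowercased 'host[:port]' of an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def allow_request(method, headers):
    """Return True if the admin interface should process this request.

    headers: request headers as a dict with lowercase keys (assumed shape).
    """
    if method.upper() not in STATE_CHANGING:
        # Read-only request: refuse cross-site subresource loads (for example a
        # <script> tag pulling a JSONP endpoint); top-level navigation still passes.
        # Browsers without Fetch Metadata send no such header and are not covered.
        cross_site = headers.get("sec-fetch-site") == "cross-site"
        return not (cross_site and headers.get("sec-fetch-dest") != "document")
    host = headers.get("host", "").lower()
    # Login and save-settings requests must prove where they came from.
    # Prefer Origin, fall back to Referer, and fail closed if neither is usable.
    source = headers.get("origin") or headers.get("referer")
    if not host or not source:
        return False
    return _authority(source) == host


if __name__ == "__main__":
    # Constructed sample requests; the address and domain are placeholders.
    router = "192.168.1.1"
    samples = [
        ("POST", {"host": router, "origin": "http://evil.example"}),
        ("POST", {"host": router, "origin": "http://192.168.1.1"}),
        ("POST", {"host": router}),
        ("GET", {"host": router, "sec-fetch-site": "cross-site",
                 "sec-fetch-dest": "script"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", "allow" if allow_request(method, hdrs) else "reject")
```

Header checks of this kind complement a per-session anti-CSRF token on every login and settings form rather than replace it. They do nothing against a native application on the local network (Flaw #5), which can set any header it likes.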
Affected Routers:
RT-AC55U
RT-AC56R
RT-AC56S
RT-AC56U
RT-AC66U
RT-AC88U
RT-AC66R
RT-AC66W
RT-AC68W
RT-AC68P
RT-AC68R
RT-AC68U
RT-AC87R
RT-AC87U
RT-AC51U
RT-AC53U
RT-AC1900P
RT-AC3100
RT-AC3200
RT-AC5300
RT-N11P
RT-N12 (D1 version only)
RT-N12+
RT-N12E
RT-N18U
RT-N56U
RT-N66R
RT-N66U (B1 version only)
RT-N66W
Affected devices that are not running the latest firmware version are vulnerable. Owners of affected routers should install the latest firmware ASAP.