Author Topic: ASUS Router Concern  (Read 194 times)


Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
ASUS Router Concern
« on: May 11, 2017, 05:53:37 am »
More things to worry over  :/

https://www.theregister.co.uk/2017/05/11/asus_routers_need_patching/

Quote
Asus RT wireless routers have joined the SOHOpeless list – with poor cross-site request forgery protection affecting 30 variants of the devices.

The design blunders, labeled CVE-2017-5891, hit RT-AC and RT-N variants using firmware older than version 3.0.0.4.380.7378.

The lack of CSRF protection means that if the user has left the default credentials – admin:admin – in place, or if an attacker knows the admin password, a malicious webpage can log into the router when visited by the victim.


Nothing new in this story bar the maker's name, but something that might be exploited, patch now  :)

Offline Pri

  • MX Hosts
Re: ASUS Router Concern
« Reply #1 on: May 11, 2017, 09:19:49 pm »
These companies' complete disregard for standard security is incredibly alarming. How are the programmers working on this software (which is hugely complicated) missing something as obvious as CSRF protection?

To put this kind of attack in perspective, by not having CSRF tokens it is possible for you to open a website in your browser which makes requests to your router by leveraging your browser's JavaScript engine and the fact you're on the same network as your router. CSRF tokens should be inserted into all submit forms on the user interface of the router and rotated on each login so that they're unique so that attacking websites cannot create a valid form that the router will accept.

This is very basic stuff, almost the most basic protection imaginable when creating any kind of web application be it banking, e-shopping, forum message sending etc - For them to miss this giant glaring issue is honestly shocking beyond belief considering they are selling millions of routers.

Like I could literally make a website with some hidden JavaScript you can't see and post the link to you and take over your router. Brick it, open port numbers, lock out computers.. anything I want. Totally ridiculous.

Even my Minecraft website I wrote that has online auctions and shopping for virtual goods (using made up monopoly money, not real money) has CSRF protection so attackers can't steal my players' cash or items through attacks like these.
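
The token scheme described in the reply above (a per-login token embedded in every form and checked on submit), as an added example that is not part of the thread or of any ASUS firmware. The `SessionStore` class, the `csrf_token` field name and the `/settings` path are assumptions made for illustration.

```python
import hmac
import html
import secrets


class SessionStore:
    """Hypothetical in-memory session table for a router admin UI."""

    def __init__(self):
        self._tokens = {}  # session_id -> CSRF token for that login

    def login(self):
        """Create a session with a fresh, unpredictable CSRF token."""
        session_id = secrets.token_urlsafe(32)
        self._tokens[session_id] = secrets.token_urlsafe(32)  # rotated per login
        return session_id

    def token_for(self, session_id):
        return self._tokens[session_id]

    def render_form(self, session_id, action):
        """Embed the session's token as a hidden field in a settings form."""
        token = self._tokens[session_id]
        return (
            f'<form method="post" action="{html.escape(action, quote=True)}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            "</form>"
        )

    def handle_post(self, session_id, form):
        """Return an HTTP status for a state-changing request."""
        expected = self._tokens.get(session_id)
        if expected is None:
            return 401  # unknown or expired session
        supplied = form.get("csrf_token", "")
        # Constant-time comparison. A cross-site form carries the victim's
        # session cookie automatically, but the other site cannot read the
        # token, so its request fails here.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return 403
        return 200


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login()
    print(store.handle_post(sid, {"csrf_token": store.token_for(sid)}))
    print(store.handle_post(sid, {"wan_port": "8080"}))  # constructed forged form
```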

Offline White Stripes

  • Core
  • Je suis aimé
Re: ASUS Router Concern
« Reply #2 on: May 13, 2017, 01:43:01 am »
Quote
This is very basic stuff,
almost as if the firmware were written as cheaply as possible to maximize profit... it seems the only stuff worth a damn is open source and/or a product that sells for a premium...
