KaiserSource@home:~$

Asus DSL-N14U DoS

Affected products

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

    DSL-N14U_B1 V.1.1.2.3_805
    

Overview

An issue was discovered on Asus DSL-N14U_B1 v.1.1.2.3_805. An attacker can upload any file to the Firmware box as long as it is renamed as Settings_ProductName.trx (eg. Settings_DSL-N14U-B1.trx). Once the file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in DoS condition.

POC

This PoC can result in a DoS.

Given the vendor’s security, we don’t show the Source Code of shell scripts. However we will inspect the web page source. We will notice the differences before and after the exploitation using reconnaissance tools.

Details

Let’s do an initial ports scan of our router using nmap.

As we can see, services like ssh and jetdirect are running. Now let’s head back to the firmware update page.

We initially inspect the source of the webpage, then we look for an “upload” field in order to find the front-end firmware uploading function. And there it is:

function uiDoUpdate()
{
	var form=document.uiPostUpdateForm;
	var string4 = form.tools_FW_UploadFile.value.search(/DSL-N14U-B1/);

	if (form.tools_FW_UploadFile.value=="") {
		alert("You must select a firmware file to upload.");
	}
	else {
		if (string4 >= 0) {
			form.postflag.value = "1";
			if(model_name == "DSL-N66U" || model_name == "DSL-AC52U")
			{
				showLoading(220);
				setTimeout("redirect();", 220000);
			}
			else if(model_name == "DSL-N55U-C1" || model_name == "DSL-N16U")
			{
				showLoading(152);
				setTimeout("redirect();", 152000);
			}
			else //DSL-N14U ...
			{
				showLoading(182);
				setTimeout("redirect();", 182000);
			}
			setTimeout("chk_upgrade();", 5000);
			form.submit();
		}
		else
			alert("Nuovo file firmware non è valido.");
	}
}

Given the checks, it seems that it can accept firmware belonging to different asus models. What changes visually seems to be the wait time for loading. Loading an image generates the “Invalid Firmware” alert.

But what if we decide to change the name of the image? For example in “Settings_DSL-N14U-B1.trx” ?

So we upload the appropriately renamed png file … what could possibly go wrong? It gets accepted …

Showdown

Once the loading is complete, we run nmap again and…what???

Argh, some services have been been suddenly stopped working as if it was a normal firmware upgrade :/

As long as the router is turned on, the services will not restart. Manual intervention is required in order to restart services properly.