官方售后网站：/support/
- [阅读权限 50]&...
良品店重要公告 /1
因为春节临近，物流陆续停运，供货商放假，本店将于1月23日到2月18日放假，期间拍下产品将于正月十五后陆续发货，具体发货日期年后通知。放假期间客服不定时上线值班，所有售后问题将顺延至正常上班后处理，敬请谅解。最后一批购买的顾客，快递可能比较慢，还请耐心等等。放假期间下单的顾客可参考页面描述，部分款有特惠的哦，如果等不及的，可以自行申请退款，淘宝会自动处理退款。
良品店恭祝大家万事顺利
with Discuz! X3.2全面披露华硕十款无线路由器 - AiCloud启用单位的多个漏洞_Nuclear'Atk 网络安全研究中心
全面披露华硕十款无线路由器 - AiCloud启用单位的多个漏洞
Full Disclosure ASUS Wireless Routers Ten Models - Multiple Vulnerabilities on AiCloud enabled units
From: kyle Lovett &krlovett () gmail com&
Date: Sun, 14 Jul :39 -0400
--------------------------------------------------------------------------------
From: kyle Lovett &krlovett () gmail com&
Date: Sun, 14 Jul :39 -0400
--------------------------------------------------------------------------------
Note: In June I released a partial disclosure for just the RT-N66U on
the issue of directory traversal. I have only heard back from ASUS a
twice on the issue, and I understand they are working on a fix.
However, no serious attempt to our knowledge has been made to warn
their customers in the meantime, even after multiple requests from
several different security professionals.
Nor has ASUS posted a disclosure of these serious issues to new
potential customers on their AiCloud web adverts, since they still
advertise the product as an add-on with these routers, as a safe and
bug free home cloud solution.
Linux 2.6.xx kernel
All firmware versions known
-------------------------------------------------------------------------------
Vulnerable Asus Models
Dual-Band Wireless-AC1750 Gigabit Router
Dual-Band Wireless-AC1750 Gigabit Router
Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
Dual-Band Wireless-N900 Gigabit Router
Dual-Band Wireless-AC1200 Gigabit Router
Dual-Band Wireless-AC1200 Gigabit Router
Dual-Band Wireless-AC1200 Gigabit Router
Wireless-N300 Cloud Router
Wireless-N300 Gigabit Router
Wireless-N300 Gigabit Router
-------------------------------------------------------------------------------------
Vulnerabilities - Due in large part to an exposed $root share on the
NVRAM for Samba service, which was discovered in March of this year by
another researcher, on almost all of the above models that have
enabled AiCloud service, the end users will find themselves exposed to
multiple methods of attack and several dangerous remote exploits.
Since authentication can be simply bypassed on the those units running
HTTPS WebDav via directory traversal, access to all files which
control services on either side of the router are wide open to remote
manipulation. All pem and key files are also openly available.
Credentials-
Almost all models will disclose a clear text creational file, making
any MD5 hashing on the /etc/shadow file meaningless. This file below
remains easily accessible, and has no encryption. It may vary a bit in
where it sits on a small percentage of routers configured a certain
(The -L and -v switches are optional)
curl -v https://&IP&/smb/tmp/$dir/lighttpd/permissions -k -L
curl -v https://&IP&/smb/tmp/lighttpd/permissions -k -L
PPTP Tunnel-
VPN service can be enabled, configured and connected by altering a
five small files on any of the four models of the RT66 series routers.
Everything needed to achieve this can be found in the directory at
/smb/tmp/$dir/pptpd, and the pptpctrl file as well as pptpd service
are in the /sbin dir.
Local executable or modifiable scripts-
The files needed to create a Dropbear ssh service can be found at
/smb/tmp/etc/dropbear/ with its pid sitting in /var. In /smb/tmp/bin
and /smb/tmp/sbin sit well over a dozen executables such as netcat,
ftpget, logger, wol, tr and sendmail. Several services, two of which
/smb/sbin/vsftpd and /smb/sbin/telnetd can be configured or
altered there too. Other shell scripts, not native to the routers, can
be uploaded and used in an attack with little difficulty.
On the RT-N16 and N16R, once the https credentials are entered, an
attacker can easily move to the admin console on the LAN side by
changing the path to /index.asp. While the list of tools available to
an attacker might seem endless, there is no doubt that once the
AiCloud service is enabled, it would take just one person a few
minutes to completely control of all traffic coming in and out of the
LAN, gain access to all LAN side resources by a VPN or through another
service, and could choose to sniff packets, do a hard DoS or launch
attacks on other systems.
Mitigation and Workarounds-
Disable all UPnP services
Disable any and all of the three AiCloud items which will open the vulnerability
Remove any remote access to the router for administration until a patch is ready
Change the default username and password
If the AiCloud service is used, it would be advisable to change that
password if it was the same one used or the router
本文“”，来自：，本文地址：，转载请注明作者及出处！}