That's good news that the newer firmware does not share this issue, but they should patch the old firmware too!
You seem to have amazing patience when reporting such things. I am personally the type of person that will spend all day on the phone with a company until I reach someone who actually knows what I'm talking about & knows who to get ahold of! Until I get ahold of someone who is relevant, I find it amazingly difficult to do anything else; it eats away at me until the problem is resolved. LOL.

---
R. Whitney / IT Consultant
Mailing Address: PO Box 5984, Bloomington, IL 61702
Google Voice: (347)674-4835
Blog <http://xnite.org> / Twitter <https://twitter.com/xnite> / Github <https://github.com/xnite> / LinkedIn <http://www.linkedin.com/in/xnite>

On Wed, Oct 30, 2013 at 11:00 AM, Craig Young <[email protected]> wrote:
> I received the same automated response when reporting a handful of
> security flaws to Asus. The following week, I submitted another
> message to [email protected] and received a relevant response
> within 24 hours.
>
> On a side note, I checked a different (slightly newer) Asus router
> with the most recent firmware and it is not affected -- telnet starts
> and stops as expected per the setting in the HTTP UI, the password
> remains the same as the admin password, and telnet is not externally
> accessible unless the firewall is disabled.
>
> Best Regards,
> Craig Young
> @CraigTweets
>
> On Tue, Oct 29, 2013 at 9:05 AM, Shelby Spencer <[email protected]> wrote:
> > It should be further noted that setting a password for the telnet account
> > via the /sbin/chpasswd.sh script is only valid until the next reboot, when it
> > gets wiped out.
> >
> > After alerting ASUS, I got the following non-reply. They are not taking the
> > problem seriously (they just closed out the ticket with a generic response):
> >
> > Thank you for contacting ASUS Customer Service.
> > My name is Joe and it is my pleasure to help you with your problem.
> >
> > Thank you for contacting ASUS and providing your feedback. Your information
> > has been documented. If you have further questions or concerns, please
> > contact us at 812-282-2787 and we will be happy to help you.
> >
> > Welcome to refer Troubleshooting & FAQ for ASUS products in ASUS website:
> > http://support.asus.com/servicehome.aspx?SLanguage=en
> >
> > If you continue to experience issues in the future, please do not hesitate
> > to contact us.
> >
> > An email survey will be sent to you within the next 5 days. Please be sure
> > to rate the service I provided to you today.
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]
> > Date: Mon, 28 Oct 2013 16:33:52 -0700
> > Subject: [Full-disclosure] ASUS RT-N13U Unsecured Telnet on LAN and WAN
> >
> > The ASUS RT-N13U home router comes configured with an unsecured telnet for
> > user "admin".
> > Telnetting in with this user will result in a root shell. The telnet is not
> > configurable from the web interface, nor does changing the password on the
> > web interface's admin user make any difference. I have alerted ASUS to the
> > problem on 10/25/13. I have been able to verify that this telnet interface
> > is visible from both the LAN and WAN.
> >
> > Sincerely,
> > Shellster
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> -Craig
> http://secur3.us/pub_key.asc
