ASUS wireless routers have an optional feature (beginning with firmware 3.0.0.4.374_5656, dated April 2014) to log the administrator out after a period of idle time. While there are scenarios where you might want to keep an idle logged-in session, remaining logged in makes it possible for a malicious hacker to use that session by tricking the user into clicking a link.
Models based on the ASUSWRT firmware up to and including the most recent version as of this writing - version 3.0.0.4.378_9460 (dated 2015-12-29) - rely on the browser to enforce the auto-logout function. The firmware implements the administrator auto-logout function via JavaScript in the browser. A code review demonstrating exactly how this is implemented is posted at http://www.securityforrealpeople.com/2016/01/administrator-logout-flaw-in-asus.html Ultimately this places control of the auto-logout in the hands of the client (either the web browser or the person) instead of it being controlled by the server, defeating the purpose of an auto-logout feature. It's an improvement over not having the feature at all, but better still would be to have the time kept by the router, and have the router log the admin account off after the selected time has elapsed, instead of relying on the client. If the user has disabled JavaScript, this function is never triggered. Users not in the habit of explicitly logging out of websites may simply close the web UI window, expecting the router to automatically terminate the session after a set time. In both cases, an administrative session remains open on the router without the operator's knowledge. Lack of an auto-logout function itself is not necessarily a security flaw, but In my opinion an improperly implemented auto-logout feature is a security risk, in that the a security control the operator has enabled does not function as expected. This line of firmware is used on most modern ASUS wireless routers; I specifically have tested the RT-AC87U and RT-AC66U, but the same code base is used across many other models in the RT-XXXX line. This was first reported to ASUS on December 13, 2014. It was acknowledged but never changed. Details are at http://www.securityforrealpeople.com/2016/01/administrator-logout-flaw-in-asus.html, and any updates will be appended. Regards, David Longenecker Connect: Blog <http://securityforrealpeople.com/> | @dnlongen <https://www.twitter.com/dnlongen> | LinkedIn <https://www.linkedin.com/in/dnlongen/> PGP key: https://keybase.io/dnlongen _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
