ASUS routers, which are enabled with the AiCloud service (SSL ports),
are vulnerable to bypass of authentication and sensitive file
disclosure. This vulnerability has been observed in all firmware
versions, though the latest version increases the complexity of the
attack. By sending a special crafted packet, an attacker can exploit a
weakness in the software by calling a non existent file /smb.xml. This
attack leads to sensitive path disclosure and directory traversal.

On the latest 3.0.0.4.374.2xxx firmware versions, specifically in the
the 66 and 68 series routers, have shown a weakness that may allow an
attacker to exploit the /smb.xml vulnerability with a specially
crafted packet to cause a short term denial of service to the AiCloud
service.

The full details were disclosed to the Vendor last month. There are no
known patches or workarounds at this time other than turning off any
remote access to the AiCloud service.

This is not directly related to the clear text password disclosure
made last July. Also, it is strongly advised that the password to the
administrative side of the router be changed from the default, since
hijacking the routers VPN service becomes trivial once access to the
admin console is obtained.

RT-AC68U Dual-band Wireless-AC1900 Gigabit Router
RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router
RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router
RT-N66R Dual-Band Wireless-N900 Gigabit Router
RT-N66U Dual-Band Wireless-N900 Gigabit Router
RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N56R Dual-Band Wireless-AC1200 Gigabit Router
RT-N56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N14U Wireless-N300 Cloud Router
RT-N14UHP Wireless-N300 Cloud Router
RT-N16 Wireless-N300 Gigabit Router
RT-N16R Wireless-N300 Gigabit Router

Access Vector: Remote
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Availability Impact: Partial

CWE-400: Uncontrolled Resource Consumption
CWE-208 Information Exposure Through Timing Discrepancy
CWE-211 Information Exposure Through Externally-Generated Error Message
CWE-289 Authentication Bypass by Alternate Name

Product Pages:

http://www.asus.com/Networking/
http://www.asus.com/support/

Research Contact - K Lovett
Discovered - January, 2014