So This Is What Getting Pwned Is Like

EDIT: NullFluid points out that they aren’t the group that performed the intrusive scan but are only hosting the text file. [0]

There was a definite sense of dread when I started reading the txt file [1] disclosing a massive flaw in Asus routers. I’ve had an RT model ASUS for nearly two years now and recently hooked up a giant USB hard drive to it so I could stream movies from my Blu-ray player. But I thought there was no way I was affected since I went through the settings for the FTP service and disabled all outside access. I did leave the FTP security set to anonymous because I thought anyone not logged into my WPA2 protected wifi couldn’t even see the service.

Out of curiosity I entered ‘ftp://[my external ip address]’ into my browser and sat wide eyed when I saw the contents of my media server show up. I reasoned it must be because I’m already inside the network (which doesn’t even make sense really) but panic was starting to set in. So I pulled out my phone and turned off the wifi connection and tried it there. Now I was worried.

I started downloading the torrent of directory listings and quickly turned the FTP service off. I checked the pastebin with all the IP addresses that had the dir listing bug [2] and there was my IP address. Worry was now turning to fear. After the torrent finished I looked for my IP address and found that it was under ‘partial listings’.

There’s no point in my denying that I got pwned because in the file listings are things like ‘OLIVER_DAY_GMAIL_COM_201401052241083414.pdf’ which is a copy of a boarding pass I downloaded. I’d started pushing stuff from my Downloads folder onto the media drive for convenience’s sake. I’m not worried about what’s on that drive; however, I’m terrified by the idea that someone replaced a file with some malware and then I opened it assuming I was safe.

I’m also going through memories of flaky wifi in the last month plus some weird issues with the drive itself and wondering if it was due to others accessing my drive at the same time I was. It’s a really sickening feeling although I got off pretty lucky. In my life I’ve had friends who were pwned by rival hackers and had entire mail spools dumped, financial information leaked, etc. All I lost was a directory listing and some face.

Going through the file listings of other IP addresses I see insanely personal items like whole backups of laptops, family photos, porn collections, and tax documents. Anyone that has the list of IP addresses can potentially download any of those files. I wrote some Python to walk through the list of IP addresses and check to see if logging in anonymously is still possible. I’m not bothering to look at anything, just seeing if ftp.login() works and recording the statistics. The numbers are not reassuring. The code is also on pastebin for those who want to run it and help report the numbers. [3]
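The ftp.login() check mentioned above, narrowed to a single device you administer, as an added example (not the pastebin script from this post): it reports whether your own router's external address still accepts an anonymous FTP login, without listing or reading anything. The function name and status strings are assumptions made for this sketch.

```python
import ftplib
import sys


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Check one host you administer for anonymous FTP access.

    Returns one of (status names are assumptions for this example):
      'anonymous_allowed' - server accepted USER anonymous
      'login_refused'     - server answered but rejected the login
      'unreachable'       - no FTP service reachable at host:port
      'error'             - service answered with an unexpected failure
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        ftp.close()
        return "unreachable"
    try:
        # login() with no arguments sends USER anonymous / PASS anonymous@
        ftp.login()
    except ftplib.error_perm:
        return "login_refused"
    except ftplib.all_errors:
        return "error"
    else:
        # Deliberately stop here: no directory listing, no file access.
        return "anonymous_allowed"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


if __name__ == "__main__":
    # Usage: python check_ftp.py <your-own-external-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, check_anonymous_ftp(target))
```

Run it from a connection outside your own network (a phone hotspot, for instance), since a check from inside the LAN does not show what the internet sees.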

While I’m not entirely opposed to the idea of full disclosure I’m not sure I agree with Brothers Grim, et al dump of vulnerable IP addresses. Even though this act caused me to discover the vulnerability in my own hardware I’m not okay with the idea that he took a snapshot of my FTP directory and made that part of the torrent. What was the point in that? It would have been just as effective to list the IP address and I would have reacted and benefited the same. All they’ve done is made certain people way bigger targets because the listing shows movies, or music, or porn, or very very personal files. If Brothers Grim, et al is going to poke into everyone’s drives anyway why not leave a note in the root of the FTP directory warning the user of the vulnerability? That’s the biggest problem I have with their approach is they told the world but they didn’t tell the victims. Fine I’ve patched my Asus router and now question whether I should keep it at all. I agree it was a very poor decision on Asus’s part to make those default settings the way they were and I doubt I’ll turn the FTP service back on anytime soon. But including full directory listings of all these victims is on you Brothers Grim, et al. It was a mistake on your part and you should apologize to us all.

[0] The text file lists the following as the crew that performed the scan: The Brothers Grim, Chuck Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor, Duke Igthorn
[1] http://nullfluid.com/asusgate.txt
[2] http://pastebin.com/ASfYTWgw
[3] http://pastebin.com/fpB7U1gb http://pastebin.com/HWLASXaY http://pastebin.com/zunt8jeu

Creative Commons License
The So This Is What Getting Pwned Is Like by Zeroday 01100100011010010, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 License.
