The ASUS RT series of wireless routers relies on an easily manipulated
process to determine if a firmware update is available, and to retrieve the
necessary update binary. In short, the router downloads, in clear text, a
file from http://dlcdnet.asus.com, parses it to determine the latest
firmware version, then downloads (again in the clear) a binary file
matching that version number from the same web site. No HTTPS = no assurance
that the site on the other end is the legitimate ASUS web site, and no
assurance that the firmware file and version lookup table have not been
modified in transit.

In the link below I describe the issue in detail, and demonstrate a proof
of concept through which I successfully caused an RT-AC66R to "upgrade" to
an older firmware with known vulnerabilities. In concept it should also be
possible to deliver a fully custom malicious firmware in the same manner.

This applies to the RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R,
RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. It may also apply to the
RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base
but a different sub-version.

This has been fixed as an undocumented feature of the 376 firmware branch
(3.0.0.4.376.x).

Details and POC:
http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html
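The three defences the advisory's update flow lacks are transport authentication, an integrity check on the image, and anti-rollback. The following is an added example of an update-selection routine that enforces all three; it is not ASUS code, and the manifest layout, build numbers, file names and sample image are constructed (the advisory does not describe the real lookup-table format, only that it is fetched over cleartext HTTP from dlcdnet.asus.com).

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample data (not a real .trx image or real ASUS manifest).
SAMPLE_IMAGE = b"constructed firmware image bytes, not a real .trx"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
# Assumed manifest layout: one "model version url sha256" entry per line.
SAMPLE_MANIFEST = (
    "RT-AC66R 3.0.0.4.376.1123 https://dlcdnet.asus.com/fw/RT-AC66R_376.trx " + SAMPLE_DIGEST + "\n"
    "RT-AC66R 3.0.0.4.374.5517 https://dlcdnet.asus.com/fw/RT-AC66R_374.trx " + "0" * 64 + "\n"
    "RT-AC66R 3.0.0.4.378.0001 http://dlcdnet.asus.com/fw/RT-AC66R_378.trx " + "0" * 64 + "\n"
)
ALLOWED_HOSTS = {"dlcdnet.asus.com"}  # the vendor host named in the advisory


def parse_version(s):
    """'3.0.0.4.376.1123' -> (3, 0, 0, 4, 376, 1123); rejects anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError("malformed version: %r" % s)
    return tuple(int(p) for p in s.split("."))


def parse_manifest(text):
    """Group manifest entries by model as (version_tuple, url, sha256hex)."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            model, version, url, digest = line.split()
            entries.setdefault(model, []).append((parse_version(version), url, digest))
    return entries


def select_update(manifest_text, model, installed):
    """Return (url, version_tuple, sha256hex) of the newest acceptable image, or None.
    The manifest itself must arrive authenticated (TLS to an allow-listed host, or a
    vendor signature), otherwise the digest it carries proves nothing."""
    cur = parse_version(installed)
    best = None
    for ver, url, digest in parse_manifest(manifest_text).get(model, []):
        u = urlparse(url)
        if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS:
            continue  # cleartext or off-host entries are ignored, never trusted
        if ver <= cur:
            continue  # anti-rollback: refuse the downgrade the advisory's PoC relied on
        if best is None or ver > best[1]:
            best = (url, ver, digest)
    return best


def verify_image(image, expected_hex):
    """Constant-time check of the downloaded image against the manifest digest."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_hex)
```

With the sample manifest, a router on 3.0.0.4.374.5517 is offered only the HTTPS 376 build; the higher-numbered entry served over plain HTTP is discarded, and a router already on 376 or newer is offered nothing.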