Researchers have identified a router so fraught with vulnerabilities and so “utterly broken” that it can be exploited to do pretty much anything. An attacker could bypass its authentication, peruse sensitive information stored in the router’s system logs and even use the device to execute OS commands with root privileges via a hardcoded root password.
Tao Sauvage, a Security Consultant with IOActive Labs purchased the device, a BHU WiFi router he nicknamed “uRouter” on a recent trip to China. The device’s web interface was in Chinese but after he opened the router, he was able to extract its firmware, get shell access and analyze its code. Once in, Sauvage reverse engineered some binaries and discovered that there were three different ways to gain administrative access to the router’s web interface.
According to a blog IOActive published on Wednesday the router inexplicably accepts any session ID cookie value a user provides, meaning anyone can be treated as an authenticated user. An attacker could even use a hardcoded session ID, 700000000000000, or read the system logs and use whatever the listed admin SID cookie values are in order to gain access to the router’s authenticated features.
From there it wasn’t difficult to elevate privileges from admin to root user, Sauvage said. Some functions – like one responsible for parsing the XML in the request body and finding the corresponding callback function – didn’t even require a user be authenticated to use them.
Sauvage points out the router fails to perform XML address value sanitization, meaning that it’d be easy for an attacker to carry out an OS command injection, something that can be done with root privileges.
Sauvage claims that the router could be used to eavesdrop on router traffic using a command-line packet analyzer like tcpdump. An attacker could modify its configuration to redirect traffic, insert a persistent backdoor, or brick the device by removing critical files from the device.
The router lacks simple mitigations to prevent attackers from accessing it from a wide area network. “No default firewall rules prevent attackers from accessing the feature from the WAN if the router is connected to the Internet,” Sauvage wrote.
Even after he thought he had discovered every vulnerability in the router, Sauvage says he discovered that on boot it enables SSH by default and rewrites its hardcoded root user password every time it boots.
“This means that anybody who knows the bhuroot password can SSH to the router and gain root privileges. It isn’t possible for the administrator to modify or remove the hardcoded password,” Sauvage wrote, “You’d better not expose a BHU WiFi uRouter to the Internet!”
The router even injects a suspicious looking third party JavaScript file into users’ HTTP traffic. The file is supposed to have “advanced filtering capabilities for enhancing privacy” but Sauvage points out that the file, in addition to an odd looking kernel module that’s also loaded at startup, could easily be leveraged to carry out an attack.
It’s unclear if the router’s manufacturer, Beijing-based BHU Networks Technology Co., Ltd., is aware how insecure the router is. The company’s email server immediately rejected an email request for comment from Threatpost on Friday.
Router security is often overlooked, both by consumers who neglect to update firmware, and companies, who sometimes fail to adequately secure the devices.
Earlier this summer Netgear had to release firmware updates to address hardcoded crypto keys that could have allowed administrator access to the device and given an attacker the ability to implement a man-in-the-middle attack, or decrypt passively captured packets.
Vulnerabilities similar to the ones dug up by IOActive in the BHU router were identified in routers manufactured by Taiwanese company Quanta earlier this year. In that instance the company opted not to fix the issues – backdoors, a hardcoded SSH key, and several remote execution flaws – because it considered the devices end of life.