A slew of routers manufactured in China are fraught with vulnerabilities, some which have existed in products for as long as six years.

Nearly 20 different routers made by the electronics company TotoLink contain multiple remote code execution bugs, suffer from XSS and CSRF vulnerabilities, and contain backdoor credentials.

While primarily based in China, TotoLink actually sells products, including its routers, WiFi access points, and network devices, worldwide.

The RCEs affect 15 different products, including some with firmware that dates back to 2009. Both RCEs allow an attacker to bypass the router’s admin authentication with a HTTP request and a DHCP request.  Although with an HTTP request, because of a hidden form in the latest firmware, an attacker could  execute commands as root.

“From my tests, it is possible to use these vulnerabilities to overwrite the firmware with a custom (backdoored) firmware,” Pierre Kim, one of the security researchers who discovered the issues, wrote today.

Kim and fellow security researcher Alexandre Torres published advisories, as well as proof of concept code for the vulnerabilities, on Thursday.

Nearly 50,000 routers are affected by another issue found by Kim and Torres, a backdoor that exists in eight brands of TotoLink routers. The researchers tested the backdoor, which can be exploited by sending a special request to the WAN IP, against live routers to verify the issue.

Torres and Kim claim backdoor credentials can be found in four additional routers – different from those already mentioned – the company makes. The backdoor can give any attacker on the LAN root privileges simply by executing a few commands and by using default, easy to guess passwords.

As if that wasn’t enough, even more routers TotoLink makes – the iPuppy, iPuppy3, N100RE, and N200RE, are also vulnerable. Each of those routers are vulnerable to CSRF and XSS attacks, according to Kim, who found the vulnerabilities after discovering similar issues in routers manufactured by ipTIME, a Korean company, in April. The potential for attacks is largely due to the fact that authentication comes disabled by default, meaning it’s easy for an attacker to access the configuration and settings inside the router’s LAN. From there they could change the DNS configuration, update the firmware, change the WiFi configuration and more.

TotoLink actually updated the firmware for a dozen different router models this past Monday. While the two researchers point out the company appears to have silently fixed the HTTP RCE in the A2004NS and EX750 routers, the issues in the other routers still remain.

It’s unclear when or if the company is planning to address the outstanding issues. Both Kim and Torres claim in their description of the bugs that they didn’t contact TotoLink, partly because the company used what they call “unethical code.” Emails sent by Threatpost on Thursday, to bring the issues to TotoLink’s attention and to request comment, were not immediately returned.

Categories: Vulnerabilities