Router Flaw Allows Loss of Control

Monday, March 23, 2015 @ 03:03 PM gHale


Routers provided via ISPs contain flaws that allow remote hackers to take control, researchers said.

Most of the 700,000 ADSL routers have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to pull out configuration data, including administrative credentials.


This flaw is not new; other researchers have been reporting on it since 2011.

Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing. During his investigation, he found hundreds of thousands of vulnerable devices from different manufacturers distributed by ISPs to Internet subscribers in a dozen countries.

The directory traversal vulnerability can end up used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings.

The file also contains the password hashes for the administrator and other accounts on the device; the username and password for the user’s ISP connection; the client and server credentials for the TR-069 remote management protocol used by some ISPs, and the password for the configured wireless network, if the device has Wi-Fi capabilities.

The hashing algorithm used by the routers is weak, so the password hashes can be cracked, Lovett said. Attackers could then log in as administrator and change a router’s DNS settings.

By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.

On some devices, downloading the config.xml file doesn’t even require a directory traversal flaw; just knowing the correct URL to its location is enough, Lovett said.
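A defender-side check for the two request patterns described above, added here as an example that is not part of the article or of any vendor's code: it scans constructed web-server log lines (the IP addresses, timestamps and the `page` query parameter are placeholders, not the routers' real interface) for plain, percent-encoded and double-encoded traversal sequences aimed at webproc.cgi, and for direct requests for config.xml.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; "page" is a placeholder parameter name.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2015:15:03:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [23/Mar/2015:15:03:02 +0000] "GET /cgi-bin/webproc.cgi?page=status.html HTTP/1.1" 200 1024
198.51.100.7 - - [23/Mar/2015:15:03:03 +0000] "GET /cgi-bin/webproc.cgi?page=../../config.xml HTTP/1.1" 200 8192
198.51.100.8 - - [23/Mar/2015:15:03:04 +0000] "GET /cgi-bin/webproc.cgi?page=..%252F..%252Fconfig.xml HTTP/1.1" 200 8192
198.51.100.9 - - [23/Mar/2015:15:03:05 +0000] "GET /config.xml HTTP/1.1" 200 8192
"""

# Common Log Format: client, identd, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# A ".." path segment, after decoding, in either the path or a query value.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252F -> %2F -> /) and
    treat backslashes as path separators so neither hides a traversal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(target):
    """Return a reason string for a suspicious request target, else None."""
    decoded = fully_decode(target)
    path, _, query = decoded.partition("?")
    # Inspect the path plus every query value, not just the raw string.
    values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    if any(TRAVERSAL_RE.search(v) for v in values):
        return "directory-traversal"
    if "config.xml" in decoded.lower():
        return "config-file-request"
    return None


def scan_log(text):
    """Yield (client IP, reason, HTTP status) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify(m["target"])):
            hits.append((m["ip"], reason, m["status"]))
    return hits
```

A 200 status alongside a flagged request indicates the device served the file rather than rejecting the path, which is the case that warrants a credential and DNS-setting review.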

Many of the routers have additional flaws: 60 percent have a hidden support account with an easy-to-guess, hard-coded password shared by all of them. Some devices don’t have the directory traversal flaw but do have this backdoor account, Lovett said.

For 25 percent of the routers, it’s also possible to remotely get a snapshot of their active memory, known as a memory dump. This is bad because the memory of such devices can contain sensitive information about the Internet traffic that passes through them, including credentials for various websites in plain text.

By analyzing several memory dumps, Lovett found signs the routers were already undergoing surveillance by attackers, mostly from IP addresses in China.

Most of the vulnerable devices he identified are ADSL modems with router functionality supplied by ISPs to customers in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. There were also some found in the U.S. and other countries, but they appeared to be off-the-shelf devices, not distributed by ISPs.

Lovett found the vulnerable routers through Internet scans and by using SHODAN, a specialized search engine for Internet-connected devices. Lovett said 700,000 is a conservative estimate that covers only devices that can be targeted remotely because their Web-based administration interfaces are exposed to the Internet.

Lovett found one commonality: The vast majority of affected routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics, which also does business under the T&W trademark.

Shenzhen Gongjin Electronics is an OEM (original equipment manufacturer) and ODM (original design manufacturer) for networking and telecommunications products. It manufactures devices based on its own specifications, as well as on the specifications of other companies.
