WiFi Router Zero Day Discovered

Wednesday, July 5, 2017 @ 03:07 PM gHale

Humax WiFi Router model HG-100R suffers from a vulnerability that could allow an attacker to compromise the WiFi credentials and even retrieve the router console administrative password, researchers said.

The vulnerability discovered in May 2017 by researchers at Trustwave SpiderLabs starts with specially crafted requests sent to the management console, which could allow the attacker to bypass authentication.

Grid Attack: Understand ‘What We Will See Tomorrow’
Ukraine Attack: An Insider’s Perspective
ICS Malware Linked to Grid Attack
Attack Group Targets Ukraine

This attack is possible because the router fails to validate the session token while returning answers for some methods in “url/api,” the researchers said in a post.

By exploiting the vulnerability, an attacker could retrieve sensitive information, including the private/public IP addresses, SSID names and passwords.

“The cookie login is basically json data containing uid and pwd encoded in base64: login={“uid”:”admin”,”pwd”:”4cd08a961f5c”};,” the researchers said.

Trustwave did release the details of the vulnerability, but only after repeated attempts to alert the manufacturer went unanswered, the researchers said. The device is a default brand/version distributed by a major Internet provider in Brazil, while also being used in various other parts of the world.

A second issue with the router enables attackers to bypass authentication to access the backup functionality for saving and restoring configuration. This is possible because both ignore the absence of the cookies “login” and “login_token.” Thus, they accept requests to download and upload the full router configuration.

With the help of the backup generation/restore functionality provided by the URLs ‘/view/basic/GatewaySettings.bin’ and ‘/view/basic/ConfigUpload.html’, the security researchers were able to retrieve, change and eventually restore a specially crafted configuration.

By using this vulnerability, an attacker could change the DNS configuration and redirect user’s traffic to servers controlled by the attacker. Thus, they could steal private information, including passwords and banking account information.

While looking at the GatewaySettings.bin file, researchers also found it stores the administrative password without any encryption. From byte 96, the file is encoded in base64, and decoding it reveals the password for “admin” (AAAAAAAA) and “root” (humax) users, both saved in clear text.

“If your router allows remote configuration management via the Internet, attackers can easily gain access to it and change configurations that will impact your Internet traffic. However, even if configuration management is not available on the Internet facing interface, attackers can still exploit the vulnerability in locations where WiFi routers are public, for instance in a café or airport,” the researchers said.

To stay protected, and prevent remote exploitation, users should make sure their routers aren’t exposed to the Internet. For that, they should disable the option “Remote Configuration Management.”

“Access your HUMAX WiFi Router via the following URL: and you should be able to find the credentials on the bottom of the router itself. By default, this configuration is not enabled, but you should double check it to make sure. If you don’t have access to your router, try to contact your Internet Service Provider and ask for support or, perhaps, a new router,” Trustwave said.

Leave a Reply

You must be logged in to post a comment.