BHU Wi-Fi Router Inundated With Security Holes: Researchers

Security researchers at IOActive have discovered multiple security vulnerabilities in the BHU Wi-Fi “uRouter,” a device that is manufactured and sold in China.

According to the security testing firm, an unauthenticated attacker looking to compromise these devices could bypass authentication, access sensitive information stored in the router’s system logs, and even execute OS commands with root privileges. Moreover, the device was found to ship with hidden users, with SSH enabled by default, and with a hardcoded root password, in addition to injecting a third-party JavaScript file into all users’ HTTP traffic.

Although it is a nice-looking device, the router is a nightmare when it comes to security, IOActive’s Tao Sauvage explains. Because the router is built specifically for the Chinese market, its web interface was of no use to an English speaker, so the researcher decided to extract the firmware and analyze it instead.

After gaining access to the firmware, the researchers took a closer look at the handler for GET requests and discovered the first security flaw, a path traversal, though restricted to .html files. Next, there’s the lack of authentication when accessing the router’s system logs, despite the fact that the logs do contain sensitive information.

Among these sensitive details, the researchers discovered the session ID (SID) value of the admin cookie, which allows an attacker to hijack the admin session and reboot the device. What’s more, even if the admin never logged in, an attacker could still use the hardcoded SID: 700000000000000 for this nefarious operation. Even worse, the SID is constant across reboots and the admin has no way of changing it, which means that an attacker has access to all authenticated features.

But things go further downhill, the researchers reveal: the router also includes a hidden user called dms:3, which could be a backdoor account. Moreover, the router was found to accept whatever SID cookie value is provided to it as proof that the user is authenticated.

Once the researchers determined that the router could be accessed as administrator, they attempted to gain root privileges and discovered that OS command injection was indeed possible. According to IOActive, the command runs with root privileges but needs to be HTML encoded so that the XML parsing is successful.

“The security of this router is so broken that an unauthenticated attacker can execute OS commands on the device with root privileges! It was not even necessary to find the authentication bypass in the first place, since the router uses 700000000000000 by default when no SID cookie value is provided,” the security researchers explain.
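As an added illustration (not IOActive's or the vendor's code), the following Python models the session handling described above beside a hardened form that issues random tokens, rejects a missing cookie, and keeps tokens out of logs. The cookie name `sid`, the class `SessionStore`, and all function names are assumptions; only the value 700000000000000 comes from the report.

```python
import hashlib
import re
import secrets
import time

HARDCODED_SID = "700000000000000"  # default SID reported in the article


def flawed_is_authenticated(cookies):
    # Constructed model of the reported flaw, not the firmware's code:
    # a missing cookie falls back to the hardcoded SID, and any value
    # that is present is taken as proof of authentication.
    sid = cookies.get("sid", HARDCODED_SID)
    return bool(sid)


class SessionStore:
    """Hardened form: random per-login tokens checked against server state."""

    def __init__(self, ttl_seconds=900):
        self._ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> expiry time; lost on restart

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def login(self, now=None):
        """Call only after credentials were verified; returns a fresh token."""
        now = time.time() if now is None else now
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = now + self._ttl
        return token

    def is_authenticated(self, cookies, now=None):
        now = time.time() if now is None else now
        sid = cookies.get("sid")
        if not sid:
            return False  # no cookie means no session, never a default
        key = self._key(sid)
        expiry = self._sessions.get(key)
        if expiry is None or now >= expiry:
            self._sessions.pop(key, None)  # drop expired entries
            return False  # never issued by this server, or timed out
        return True


def redact_sid(log_line):
    """Keep session tokens out of logs, which the article says leaked them."""
    return re.sub(r"(?i)(\bsid=)[^;\s]+", r"\1[redacted]", log_line)
```

Because the store holds only hashes of issued tokens and is rebuilt empty on restart, a token is neither constant across reboots nor recoverable from the server's own state.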

An attacker who successfully compromises the router could eavesdrop on its traffic using tcpdump, modify the configuration to redirect traffic wherever they want, insert a persistent backdoor, or brick the device by removing critical files from it. Moreover, there are no default firewall rules to prevent attackers from accessing the feature from the WAN if the router is connected to the Internet.

Not only was the security of the router broken, but the researchers also discovered that the BHU WiFi uRouter enables SSH by default at boot and that it rewrites its hardcoded root-user password every time it boots up. The admin cannot modify or remove the hardcoded password, but anyone “who knows the bhuroot password can SSH to the router and gain root privileges,” the researcher says.

BHU WiFi uRouter also has Privoxy installed on it, a non-caching web proxy with “advanced filtering capabilities for enhancing privacy.” The router uses Privoxy to process all HTTP requests with the filter named ad-insert, which appends a script tag at the end of the body. This script includes a JavaScript file hosted on a server accessible only from China.

“The BHU WiFi uRouter I brought back from China is a specimen of great physical design. Unfortunately, on the inside it demonstrates an extremely poor level of security and questionable behaviors. In addition, the BHU WiFi uRouter injects a third-party JavaScript file into its users’ HTTP traffic. While it was not possible to access the online JavaScript file, injection of arbitrary JavaScript content could be abused to execute malicious code into the user’s browser. Further analysis of the suspicious BHU WiFi kernel modules loaded on the uRouter at startup could reveal even more issues,” the researchers conclude.

Original author: SecurityWeek News