SecurityWeek
Network Security

BHU Wi-Fi Router Inundated With Security Holes: Researchers

Security researchers at IOActive have discovered multiple security vulnerabilities in the BHU Wi-Fi “uRouter,” a device that is manufactured and sold in China.

According to the security testing firm, an unauthenticated attacker looking to compromise these devices could bypass authentication, access sensitive information stored in the router’s system logs, and even execute OS commands with root privileges. Moreover, the device was found to ship with hidden users, with SSH enabled by default, and with a hardcoded root password, in addition to injecting a third-party JavaScript file into all users’ HTTP traffic.

Although it is a nice-looking device, the router is a nightmare when it comes to security, IOActive’s Tao Sauvage explains. Built specifically for the Chinese market, its web interface was of no use to an English speaker, so the researcher chose instead to extract the firmware and analyze it directly.

After gaining access to the firmware, the researchers took a closer look at the handler for GET requests and discovered the first flaw: a path traversal, albeit one restricted to files with an .html extension. Next came the lack of authentication on the router’s system logs, despite those logs containing sensitive information.
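The path-traversal flaw is described only as being limited to .html files. The following is an added example (not the uRouter’s handler, which the article does not reproduce) modelling that bug class: a GET handler that checks nothing but the file extension, next to a hardened version that confines the resolved path to the web root. The directory layout, file names and request paths are constructed for the demo.

```python
import os
import tempfile

# Added example: a model of an extension-only check that still allows
# "../" escapes, beside the confinement check that stops them.


def build_fixture() -> str:
    """Create a constructed web root containing index.html, plus secret.html
    one directory *above* it, and return the resolved path of the web root."""
    base = tempfile.mkdtemp(prefix="urouter-demo-")
    web_root = os.path.join(base, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<html><body>public</body></html>")
    with open(os.path.join(base, "secret.html"), "w") as fh:
        fh.write("<html><body>outside the web root</body></html>")
    return os.path.realpath(web_root)


def vulnerable_resolve(web_root: str, request_path: str):
    """Extension check only. Returns the filesystem path the handler would
    open (normalised, as the kernel would resolve it), or None if rejected.
    Anything ending in '.html' passes, including paths that climb out of
    the web root with '../'."""
    if not request_path.endswith(".html"):
        return None
    return os.path.normpath(os.path.join(web_root, request_path.lstrip("/")))


def hardened_resolve(web_root: str, request_path: str):
    """Same extension check, then confinement: resolve symlinks and '..'
    and require the result to remain under the web root."""
    if not request_path.endswith(".html"):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    # commonpath, not startswith: "/srv/www-old" must not match "/srv/www"
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    root = build_fixture()
    for path in ("/index.html", "/../secret.html", "/../../etc/passwd"):
        print(path, "->", vulnerable_resolve(root, path), "|", hardened_resolve(root, path))
```

The extension check is why the real flaw reads as "restricted to .html files": a request for a non-.html target such as /etc/passwd is refused by both versions, but only the hardened version refuses an .html file that lives outside the web root.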

Among those details, the researchers found the session ID (SID) value of the admin cookie, which lets an attacker hijack the admin session and, for example, reboot the device. Even if the admin has never logged in, an attacker can still use the hardcoded SID 700000000000000 for the same purpose. Worse, the SID is constant across reboots and the admin has no way of changing it, so an attacker gains access to every authenticated feature.

But things go further downhill, the researchers reveal: the router also includes a hidden user called dms:3, which may be a backdoor account. Moreover, the router accepts whatever SID cookie value it is given as proof that the user is authenticated.
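The two preceding paragraphs describe three distinct session-handling failures: a constant, non-rotatable SID, a fallback to that SID when no cookie is sent, and acceptance of any SID value at all. The following added example (not the uRouter’s firmware and not IOActive’s code) models that check beside a hardened replacement. The cookie name "sid", the `SessionStore` class and the demo credential check are assumptions made for the demo.

```python
import hmac
import secrets

# Added example: model of the reported session check, then a hardened version.

HARDCODED_SID = "700000000000000"  # the default SID value reported in the article


def vulnerable_is_authenticated(cookies: dict) -> bool:
    """Model of the reported behaviour: a request with no SID cookie falls
    back to the hardcoded value, and any SID that is present is accepted
    without being compared to anything the server issued."""
    sid = cookies.get("sid", HARDCODED_SID)
    return sid != ""


class SessionStore:
    """Hardened replacement: SIDs are random, issued only after a password
    check, tracked server-side, revocable, and compared in constant time."""

    def __init__(self, verify_password):
        self._verify = verify_password        # callable(username, password) -> bool
        self._active: set[str] = set()

    def login(self, username: str, password: str) -> str:
        if not self._verify(username, password):
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)            # 128 bits from the OS CSPRNG, new per login
        self._active.add(sid)
        return sid

    def is_authenticated(self, cookies: dict) -> bool:
        sid = cookies.get("sid")
        if not sid:
            return False                       # no cookie means no default and no access
        # compare_digest against each live SID: no early exit on a mismatch
        return any(hmac.compare_digest(sid.encode(), live.encode()) for live in self._active)

    def logout(self, sid: str) -> None:
        self._active.discard(sid)              # rotation/revocation the reported device lacks


def demo_verify(username: str, password: str) -> bool:
    """Constructed credential check for the demo only; a real device would
    compare against a salted password hash."""
    return username == "admin" and password == "correct-horse-battery-staple"


if __name__ == "__main__":
    print("vulnerable, no cookie:", vulnerable_is_authenticated({}))
    store = SessionStore(demo_verify)
    print("hardened, hardcoded SID:", store.is_authenticated({"sid": HARDCODED_SID}))
    sid = store.login("admin", "correct-horse-battery-staple")
    print("hardened, issued SID:", store.is_authenticated({"sid": sid}))
```

With the model, the unauthenticated log leak stops mattering only once the SID is random, per-login and revocable: a leaked value is then useful until the next logout or reboot rather than forever.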

Once the researchers had administrator access, they attempted to obtain root privileges and found that OS command injection was indeed possible. According to IOActive, the injected command runs with root privileges, but the payload must be HTML-encoded so that the router’s XML parsing succeeds.
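The "must be HTML-encoded" detail is the interesting part: the encoding exists only to get the payload past the XML parser, which then decodes it and hands a live shell metacharacter to whatever builds the command. The following added example (not the uRouter’s API, whose request format the article does not show) demonstrates that with a constructed `<request>/<ping>/<host>` document, shows which separate commands a shell would run from the concatenated string, and contrasts it with an argv-based handler that validates the value first. The element names, the `ping` command and the `&#59;` encoding of ";" are assumptions made for the demo.

```python
import ipaddress
import shlex
import xml.etree.ElementTree as ET

# Added example: constructed XML requests, not the router's real format.
# ';' is sent as the character reference &#59; so the XML parser accepts it;
# the parser decodes it before the value reaches the command builder.
INJECTED_REQUEST = "<request><ping><host>8.8.8.8&#59; cat /etc/shadow</host></ping></request>"
BENIGN_REQUEST = "<request><ping><host>8.8.8.8</host></ping></request>"


def extract_host(xml_text: str) -> str:
    """The parser decodes character references, so the returned string
    contains a raw ';' even though the wire form did not."""
    return ET.fromstring(xml_text).findtext("./ping/host")


def vulnerable_command(xml_text: str) -> str:
    """Model of the flaw: decoded text concatenated into a single shell
    string of the kind a root-privileged os.system()/popen() would run."""
    return "ping -c 1 " + extract_host(xml_text)


def shell_commands(cmdline: str) -> list:
    """Split a shell line the way sh would, returning one argv per command.
    shlex's punctuation_chars makes ';' '|' '&&' separate tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hardened_argv(xml_text: str) -> list:
    """Validate the decoded value against a strict type, then build an argv
    list so no shell ever parses it (run with subprocess.run(argv), shell=False)."""
    host = extract_host(xml_text)
    try:
        ipaddress.ip_address(host)            # raises for anything that is not an IP literal
    except ValueError as exc:
        raise ValueError(f"rejected host value {host!r}") from exc
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("decoded value:", repr(extract_host(INJECTED_REQUEST)))
    print("shell would run:", shell_commands(vulnerable_command(INJECTED_REQUEST)))
    print("hardened argv:", hardened_argv(BENIGN_REQUEST))
```

Note that escaping or encoding on the way in is not a defence here; the parser undoes it. Only validating the decoded value and keeping it out of a shell string closes the hole.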

“The security of this router is so broken that an unauthenticated attacker can execute OS commands on the device with root privileges! It was not even necessary to find the authentication bypass in the first place, since the router uses 700000000000000 by default when no SID cookie value is provided,” the security researchers explain.

An attacker who compromises the router could eavesdrop on its traffic using tcpdump, modify the configuration to redirect traffic wherever they want, insert a persistent backdoor, or brick the device by removing critical files from it. Moreover, there are no default firewall rules to stop an attacker from reaching these features from the WAN side if the router is connected to the Internet.

Not only was the security of the router broken, but the researchers also discovered that the BHU WiFi uRouter enables SSH by default at boot and resets the root password to a hardcoded value every time it boots. The admin cannot change or remove this password, and anyone “who knows the bhuroot password can SSH to the router and gain root privileges,” the researcher says.

The BHU WiFi uRouter also has Privoxy installed, a non-caching web proxy with “advanced filtering capabilities for enhancing privacy.” The router passes all HTTP requests through Privoxy with a filter named ad-insert, which appends a script tag at the end of the page body. That tag loads a JavaScript file hosted on a server reachable only from China.
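Privoxy filters are sed-style substitutions applied to response bodies, and the article says this one appends a script tag at the end of the body. The following added example (not the router’s Privoxy configuration, which the article does not reproduce) models that transformation in Python and, more usefully for a practitioner, shows the check for it: fetch the same page over a trusted path and through the suspect router, and diff the script sources. The sample page and the injector URL `http://injector.example/ad.js` are constructed placeholders, not the real hostname the router used.

```python
import re
from html.parser import HTMLParser

# Added example: a model of an "ad-insert" style filter and a detector for it.
# SAMPLE_PAGE and INJECTED_SRC are constructed for the demo.
SAMPLE_PAGE = (
    "<html><head><title>t</title></head>"
    '<body><p>hello</p><script src="/app.js"></script></body></html>'
)
INJECTED_SRC = "http://injector.example/ad.js"


def apply_ad_insert(html: str, src: str) -> str:
    """Model of a Privoxy-style body filter: a regex substitution that puts a
    script tag immediately before </body>, i.e. at the end of the body."""
    tag = f'<script src="{src}"></script>'
    return re.sub(r"</body>", tag + "</body>", html, count=1, flags=re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_sources(html: str) -> list:
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_scripts(clean_html: str, observed_html: str) -> list:
    """Script src values present in the page seen through the router but
    absent from the same page fetched over a trusted path (HTTPS, or a
    different network). Only plain HTTP can be rewritten by a proxy like this."""
    baseline = set(script_sources(clean_html))
    return [s for s in script_sources(observed_html) if s not in baseline]


if __name__ == "__main__":
    observed = apply_ad_insert(SAMPLE_PAGE, INJECTED_SRC)
    print("scripts before:", script_sources(SAMPLE_PAGE))
    print("scripts after: ", script_sources(observed))
    print("injected:      ", injected_scripts(SAMPLE_PAGE, observed))
```

The diff approach is deliberately blind to how the injection was done: any script source the router adds, wherever in the body the filter places it, shows up as a difference against the trusted copy.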

“The BHU WiFi uRouter I brought back from China is a specimen of great physical design. Unfortunately, on the inside it demonstrates an extremely poor level of security and questionable behaviors. In addition, the BHU WiFi uRouter injects a third-party JavaScript file into its users’ HTTP traffic. While it was not possible to access the online JavaScript file, injection of arbitrary JavaScript content could be abused to execute malicious code in the user’s browser. Further analysis of the suspicious BHU WiFi kernel modules loaded on the uRouter at startup could reveal even more issues,” the researchers conclude.

Related: Apple Patches RCE Flaw in AirPort Routers

Related: Quanta Routers Plagued by Many Unpatched Flaws