Security researchers at IOActive have discovered multiple security vulnerabilities in the BHU Wi-Fi “uRouter,” a device that is manufactured and sold in China.
Although it is a nice-looking device, the router is a nightmare when it comes to security, IOActive’s Tao Sauvage explains. Built specifically for the Chinese market, the router’s web interface was of little use to an English speaker, so the researcher decided to extract the firmware and analyze it directly instead.
After gaining access to the firmware, the researchers took a closer look at the handler for GET requests and discovered the first security flaw: a path traversal, though one restricted to .html files. Next came the lack of authentication on the router’s system logs, which can be read by anyone despite containing sensitive information.
Among these sensitive details, the researchers found the session ID (SID) value of the admin’s cookie, which allows an attacker to hijack the admin session and, for example, reboot the device. What’s more, even if the admin has never logged in, an attacker can still use the hardcoded SID 700000000000000 for the same purpose. Worse still, the SID is constant across reboots and the admin has no way of changing it, which means an attacker has access to all authenticated features.
But things go further downhill, the researchers reveal: the router also includes a hidden user called dms:3, which could be a backdoor account. Moreover, the router was found to accept whatever SID cookie value is provided to it as proof that the user is authenticated, so even the hardcoded value is not strictly needed.
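To make the session-handling problems concrete, here is an added illustration in Python. It is not IOActive’s or BHU’s code and does not reproduce the router’s firmware; it is a toy model of the behaviour the article describes (fallback to the hardcoded SID when no cookie is sent, acceptance of any SID value, and a SID that survives reboots), placed next to a hardened session store that issues random per-login identifiers with a lifetime, compares them in constant time, and forgets them on reboot. The log-redaction helper at the end addresses the second finding, that the system logs leaked the admin SID. The cookie name `SID`, the log line, and the hypothetical class names are assumptions for the example.

```python
import hmac
import re
import secrets
import time

# Hardcoded session identifier reported by IOActive for the uRouter.
HARDCODED_SID = "700000000000000"


class VulnerableSessionCheck:
    """Toy model of the checks the article describes; not the router's code.

    1. A missing SID cookie falls back to the hardcoded value.
    2. Any non-empty SID value is accepted as an authenticated session.
    3. Nothing ever regenerates the SID, so it is still valid after a reboot.
    """

    def is_admin(self, cookies):
        sid = cookies.get("SID", HARDCODED_SID)  # absent cookie -> default SID
        return sid != ""                         # any value at all passes

    def reboot(self):
        # Nothing to invalidate: the hardcoded SID is still valid afterwards.
        return self


class HardenedSessionStore:
    """Hypothetical sane replacement: random per-login SIDs with a lifetime,
    compared in constant time, and all of them dropped on reboot."""

    def __init__(self, ttl_seconds=900):
        self._sessions = {}      # sid -> expiry, in monotonic seconds
        self._ttl = ttl_seconds

    def login(self, now=None):
        """Called only after the password has been verified (out of scope)."""
        now = time.monotonic() if now is None else now
        sid = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        self._sessions[sid] = now + self._ttl
        return sid

    def is_admin(self, cookies, now=None):
        now = time.monotonic() if now is None else now
        sid = cookies.get("SID")
        if not sid:
            return False                         # never fall back to a default
        for known, expiry in list(self._sessions.items()):
            # Constant-time comparison on bytes (works for non-ASCII input too).
            if hmac.compare_digest(known.encode(), sid.encode()):
                if now < expiry:
                    return True
                del self._sessions[known]        # expired: forget it
                return False
        return False

    def reboot(self):
        # Sessions live only in memory, so a reboot invalidates every SID.
        return HardenedSessionStore(self._ttl)


# The article says the unauthenticated logs exposed the admin SID. Redacting
# session identifiers before a line is written closes that leak.
_SID_RE = re.compile(r"(SID=)[^;\s]+")


def redact_sid(log_line):
    return _SID_RE.sub(r"\1<redacted>", log_line)
```

The vulnerable model returns `True` for an empty cookie jar and for any arbitrary `SID`; the hardened store returns `True` only for an identifier it issued, only until that identifier expires, and never after a reboot.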
Once the researchers determined that the router could be accessed as administrator, they attempted to gain root privileges and discovered that OS command injection was indeed possible. According to IOActive, the injected command runs with root privileges, but it has to be HTML-entity encoded so that the XML request body it is embedded in still parses successfully.
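The encoding detail above is easy to misread, so here is an added Python illustration (not IOActive’s or BHU’s code, and not the router’s real API; the `<request><target>` body shape, the `ping` command and the function names are assumptions). It shows the two halves of the finding: why a value carrying characters such as `<` or `&` must be entity-encoded before the XML parser will accept the body at all, and how the classic injection pattern (untrusted text pasted into a shell command string) compares with a hardened handler that allow-lists the value and passes it as a separate argv element.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def make_body(target, encode=True):
    """Build a constructed XML request body, with or without entity encoding.
    The element names are an assumption for this example."""
    value = escape(target) if encode else target   # & -> &amp;  < -> &lt;  > -> &gt;
    return "<request><target>%s</target></request>" % value


def is_well_formed(body):
    """True if the XML parser accepts the body; raw '&' or '<' in the value
    make it reject the whole request before any handler runs."""
    try:
        ET.fromstring(body)
        return True
    except ET.ParseError:
        return False


def parse_target(body):
    """Return the decoded <target> text; entities are decoded by the parser."""
    return ET.fromstring(body).findtext("target", default="")


def vulnerable_command(body):
    """Injection pattern: the decoded value is concatenated into a string that
    a shell would later interpret, so ';', '&&', '|' and friends become
    command separators."""
    return "ping -c 1 " + parse_target(body)


# Allow-list for hostnames and IPv4 literals; everything else is rejected.
TARGET_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def hardened_argv(body):
    """Validate the value and hand it over as one argv element. Passing this
    list to subprocess.run() without shell=True means no shell ever sees it."""
    target = parse_target(body)
    if not TARGET_RE.fullmatch(target):
        raise ValueError("target is not a hostname or IPv4 literal")
    return ["ping", "-c", "1", target]
```

With `encode=False`, a value such as `192.0.2.1 && echo <x>` leaves the body ill-formed and the parser rejects it; with `encode=True` the same value parses and is decoded back to the original text, which is exactly why the reported injection had to be entity-encoded. The hardened handler rejects anything outside the allow-list and never builds a shell command string at all.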
“The security of this router is so broken that an unauthenticated attacker can execute OS commands on the device with root privileges! It was not even necessary to find the authentication bypass in the first place, since the router uses 700000000000000 by default when no SID cookie value is provided,” the security researchers explain.
An attacker who successfully compromises the router could eavesdrop on its traffic using tcpdump, modify the configuration to redirect traffic wherever they want, insert a persistent backdoor, or brick the device by deleting critical files. Moreover, there are no default firewall rules to prevent attackers from reaching these features from the WAN side if the router is connected to the Internet.
Not only was the security of the router broken, but the researchers also discovered that the BHU WiFi uRouter enables SSH by default at boot and resets the root password to a hardcoded value every time it boots up. The admin cannot modify or remove the hardcoded password, but anyone “who knows the bhuroot password can SSH to the router and gain root privileges,” the researcher says.