A researcher says there are 127 ipTIME router models plagued by a critical vulnerability that can be exploited by an unauthenticated attacker to remotely execute arbitrary code on affected devices.
ipTIME is a brand of networking solutions developed by South Korea-based EFM Networks. The company’s products reportedly account for 60% of the personal networking devices market in South Korea, with roughly 10 million devices deployed in the country.
According to security researcher Pierre Kim, the firmware installed on many ipTIME routers is affected by a flaw that allows a remote attacker to bypass authentication and execute arbitrary code by using DHCP requests. The expert says the bug gives an attacker root access to the device’s embedded Linux system.
Kim says the vulnerability affects the default configuration of ipTIME routers running any firmware version released since 2009, including the latest 9.66 version released in June 2015. The vendor has also released version 9.68 of the firmware for certain devices, but the researcher believes this version is also likely vulnerable.
The researcher has noted that it’s possible to exploit this flaw to overwrite the firmware on ipTIME routers with a custom, backdoored firmware.
The vulnerability was uncovered by Kim in June 2014 and proof-of-concept (PoC) code was developed for it in April 2015. However, the vendor has not been notified.
“From my experience, contacting EFMNetworks ipTIME proved to be useless,” Kim wrote in an advisory published on Monday. “They don’t publish security information in the changelog, they don’t answer to security researchers and they don’t credit them either.”
In an advisory published last week, Kim revealed that ipTIME N104-r3 and likely other routers are also plagued by cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities. These issues have not been reported to the vendor either.
Kim and Alexandre Torres had previously identified a remote code execution (RCE) vulnerability exploitable through HTTP requests. The bug affects a total of 112 routers, Wi-Fi access points, modems, and firewalls from ipTIME.
The experts attempted to notify ipTIME of this RCE bug in March 2015, but without success. They got through to ipTIME in April via the Korea Computer Emergency Response Team (KrCERT), and the vendor addressed the vulnerability a few days later by releasing new firmware for the affected devices.
However, it appears the researcher is unhappy with the way ipTIME handles vulnerability reports, so he has decided to publicly disclose the existence of the latest bugs without informing the vendor.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
