Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Zero-Day Found in Humax WiFi Router

An unpatched vulnerability affecting Humax WiFi Router model HG-100R allows attackers to compromise the WiFi credentials and even retrieve the router console administrative password, Trustwave SpiderLabs researchers discovered.

An unpatched vulnerability affecting Humax WiFi Router model HG-100R allows attackers to compromise the WiFi credentials and even retrieve the router console administrative password, Trustwave SpiderLabs researchers discovered.

The vulnerability was found in May 2017, but repeated attempts to alert the manufacturer on it remained unanswered, the researchers say. According to Trustwave, the device is a default brand/version distributed by a major Internet provider in Brazil, while also being used in various other parts of the world.

The issue, Trustwave explains, starts with specially crafted requests sent to the management console, which allow the attacker to bypass authentication. This attack is possible because the router fails to validate the session token while returning answers for some methods in “url/api”.

By exploiting the vulnerability, an attacker could retrieve sensitive information, including the private/public IP addresses, SSID names and passwords.

“The cookie login is basically json data containing uid and pwd encoded in base64: login={“uid”:”admin”,”pwd”:”4cd08a961f5c”};,” the researchers say.

A second issue with the router enables attackers to bypass authentication to access the backup functionality for saving and restoring configuration. This is possible because both ignore the absence of the cookies “login” and “login_token.” Thus, they accept requests to download and upload the full router configuration.

With the help of the backup generation/restore functionality provided by the URLs ‘/view/basic/GatewaySettings.bin’ and ‘/view/basic/ConfigUpload.html’, the security researchers were able to retrieve, change and eventually restore a specially crafted configuration.

By using this vulnerability, an attacker could change the DNS configuration and redirect user’s traffic to servers controlled by the attacker. Thus, they could steal private information, including passwords and banking account information.

While looking at the GatewaySettings.bin file, the security researchers also discovered that it stores the administrative password without any encryption. From byte 96, the file is encoded in base64, and decoding it reveals the password for “admin” (AAAAAAAA) and “root” (humax) users, both saved in clear text.

“If your router allows remote configuration management via the Internet, attackers can easily gain access to it and change configurations that will impact your Internet traffic. However, even if configuration management is not available on the Internet facing interface, attackers can still exploit the vulnerability in locations where WiFi routers are public, for instance in a café or airport,” the researchers say.

To stay protected, and prevent remote exploitation, users should make sure their routers aren’t exposed to the Internet. For that, they should disable the option “Remote Configuration Management.”

“Access your HUMAX WiFi Router via the following URL: http://192.168.0.1 and you should be able to find the credentials on the bottom of the router itself. By default, this configuration is not enabled, but you should double check it to make sure. If you don’t have access to your router, try to contact your Internet Service Provider and ask for support or, perhaps, a new router,” Trustwave concludes.

Related: Asus Patches Vulnerabilities in RT Routers

Related: Cisco Patches Critical Flaw in Small Business Router

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.