Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Zero-Day Found in Humax WiFi Router

An unpatched vulnerability affecting Humax WiFi Router model HG-100R allows attackers to compromise the WiFi credentials and even retrieve the router console administrative password, Trustwave SpiderLabs researchers discovered.

An unpatched vulnerability affecting Humax WiFi Router model HG-100R allows attackers to compromise the WiFi credentials and even retrieve the router console administrative password, Trustwave SpiderLabs researchers discovered.

The vulnerability was found in May 2017, but repeated attempts to alert the manufacturer on it remained unanswered, the researchers say. According to Trustwave, the device is a default brand/version distributed by a major Internet provider in Brazil, while also being used in various other parts of the world.

The issue, Trustwave explains, starts with specially crafted requests sent to the management console, which allow the attacker to bypass authentication. This attack is possible because the router fails to validate the session token while returning answers for some methods in “url/api”.

By exploiting the vulnerability, an attacker could retrieve sensitive information, including the private/public IP addresses, SSID names and passwords.

“The cookie login is basically json data containing uid and pwd encoded in base64: login={“uid”:”admin”,”pwd”:”4cd08a961f5c”};,” the researchers say.

A second issue with the router enables attackers to bypass authentication to access the backup functionality for saving and restoring configuration. This is possible because both ignore the absence of the cookies “login” and “login_token.” Thus, they accept requests to download and upload the full router configuration.

With the help of the backup generation/restore functionality provided by the URLs ‘/view/basic/GatewaySettings.bin’ and ‘/view/basic/ConfigUpload.html’, the security researchers were able to retrieve, change and eventually restore a specially crafted configuration.

By using this vulnerability, an attacker could change the DNS configuration and redirect user’s traffic to servers controlled by the attacker. Thus, they could steal private information, including passwords and banking account information.

Advertisement. Scroll to continue reading.

While looking at the GatewaySettings.bin file, the security researchers also discovered that it stores the administrative password without any encryption. From byte 96, the file is encoded in base64, and decoding it reveals the password for “admin” (AAAAAAAA) and “root” (humax) users, both saved in clear text.

“If your router allows remote configuration management via the Internet, attackers can easily gain access to it and change configurations that will impact your Internet traffic. However, even if configuration management is not available on the Internet facing interface, attackers can still exploit the vulnerability in locations where WiFi routers are public, for instance in a café or airport,” the researchers say.

To stay protected, and prevent remote exploitation, users should make sure their routers aren’t exposed to the Internet. For that, they should disable the option “Remote Configuration Management.”

“Access your HUMAX WiFi Router via the following URL: http://192.168.0.1 and you should be able to find the credentials on the bottom of the router itself. By default, this configuration is not enabled, but you should double check it to make sure. If you don’t have access to your router, try to contact your Internet Service Provider and ask for support or, perhaps, a new router,” Trustwave concludes.

Related: Asus Patches Vulnerabilities in RT Routers

Related: Cisco Patches Critical Flaw in Small Business Router

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.