IOActive turns up the most SOHOpeless router so far
Pwnable any way you like
It could be the worst router in the world: a cheapie from China that IOActive reckons is completely pwnable all ways from Sunday.
Bought by a travelling staffer, Tao Sauvage, the BHU Wi-Fi router looks almost indistinguishable from a surveillance box. As Sauvage writes: “An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.”
Bad? Wait, there's more: there are hidden users, default SSH with a hard-coded root password, and the box “injects a third-party JavaScript file into all users' HTTP traffic”.
To get that, Sauvage extracted the firmware over the UART and gained a Linux shell on the device to read its file system.
That's where the fun started. The CGI script running everything reveals the session ID of the admin cookie, for an easy admin hijack, but why bother? The router includes a hard-coded SID, 700000000000000: if an attacker presents that to the router, they get access to “all authenticated features”.
Presenting that SID revealed the hidden user, dms:3.
And even better, after a bit more work: “whatever SID cookie value you provide, the router will accept it as proof that you’re an authenticated user”. Goodness.
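To make the two session-cookie findings concrete, here is an added illustration (written for this article, not IOActive's analysis code or the router's own CGI) of a session check that behaves as the article describes, beside a hardened one that only trusts random SIDs it issued itself. The CGI internals are assumed; only the hard-coded SID value comes from the article.

```python
import hmac
import secrets

# SID quoted in the article as hard-coded in the BHU firmware.
HARDCODED_SID = "700000000000000"


def vulnerable_is_authenticated(cookie_sid):
    """Hypothetical reconstruction of the behaviour described above:
    the hard-coded SID is trusted, and in fact any SID cookie at all
    is accepted as proof of authentication."""
    if cookie_sid is None:
        return False  # the only request that is refused: no SID cookie at all
    # The hard-coded value grants access, but so does every other value,
    # which is the second finding in the article.
    return True


class SessionStore:
    """Hardened alternative: only SIDs this store issued at login are
    valid, they are random, and lookups use constant-time comparison."""

    def __init__(self):
        self._sessions = {}  # sid -> username

    def issue(self, username):
        sid = secrets.token_hex(32)  # 256 random bits, not guessable
        self._sessions[sid] = username
        return sid

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def user_for(self, cookie_sid):
        if not cookie_sid:
            return None
        presented = cookie_sid.encode("utf-8")
        for sid, user in self._sessions.items():
            # Compare as bytes, constant-time, so non-ASCII input cannot
            # raise and timing does not leak how much of a SID matched.
            if hmac.compare_digest(sid.encode("utf-8"), presented):
                return user
        return None

    def is_authenticated(self, cookie_sid):
        return self.user_for(cookie_sid) is not None
```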
It couldn't get worse, but it does: commands like Traceroute are executed with root privilege, and since the authentication bypass lets attackers reach them without credentials, they can run OS commands as root, making escalation a snap.
“At this point, we can do anything:
- Eavesdrop the traffic on the router using tcpdump
- Modify the configuration to redirect traffic wherever we want
- Insert a persistent backdoor
- Brick the device by removing critical files on the router”.
The SSH config combines with the root user password – reset to the default value at each reboot, in case a sysadmin tried to change it – to give any outsider access to the device.
Not to mention the JavaScript injector and, as a final treat, a kernel module called dns-intercept.ko, which Sauvage promises to examine in more detail in the future. ®