'Directory Traversal' Flaw Exposes Over 700,000 Routers To Remote Hacking

Security researcher Kyle Lovett has uncovered a serious security flaw in some ADSL routers supplied to customers by ISPs, which leaves them vulnerable to remote hacking. These routers have been distributed in countries such as Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. Some were also found in the U.S. and other countries, although there they were sold as off-the-shelf products rather than being distributed by ISPs.

The flaw is a "directory traversal" bug in the router firmware's web interface component, webproc.cgi: the requested path is not confined to the directory it is supposed to serve from, so a request built with ".." segments can reach files elsewhere on the device. Attackers can use it to extract the config.xml file, which contains the router's configuration settings, including the administrator's password hashes (easily cracked because of the weak hashing algorithm used), the ISP connection username and password, the Wi-Fi password, and the client and server credentials for the TR-069 remote management protocol used by some ISPs.
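The following is an added illustration of the bug class described above, not the webproc.cgi code from the affected firmware. It stands in a CGI-style file handler that serves pages by name: the vulnerable version glues the request parameter onto the document root, so "../../etc/config.xml" (or its URL-encoded form) walks out of the web root and returns the configuration file; the hardened version canonicalises the path and rejects anything that resolves outside the document root. The parameter name "getpage", the /www/html and /etc/config.xml layout, and the contents of the sample config file are assumptions for the demo, built in a temporary directory.

```python
"""Directory traversal in a CGI-style file handler: vulnerable vs hardened.

Added example, not the firmware's own code. The "getpage" parameter, the
directory layout and the fake config.xml are constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote


def build_sample_tree():
    """Create a throwaway tree standing in for a router's filesystem.

    Constructed for the demo: <root>/www/html holds the web UI pages and
    <root>/etc/config.xml holds the (fake) configuration a traversal aims at.
    """
    root = tempfile.mkdtemp(prefix="rtr_")
    os.makedirs(os.path.join(root, "www", "html"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "www", "html", "index.html"), "w") as f:
        f.write("<html>router admin</html>")
    with open(os.path.join(root, "etc", "config.xml"), "w") as f:
        # Fake credentials, constructed for the demo.
        f.write("<config><admin hash='0123abcd'/><wan user='pppoe-user' pass='pppoe-pass'/></config>")
    return root


def serve_vulnerable(root, getpage):
    """Vulnerable handler: URL-decodes the parameter and concatenates it onto the
    document root. Nothing stops '..' segments, so the caller can read any file the
    web server process can open.
    """
    docroot = os.path.join(root, "www", "html")
    candidate = docroot + "/" + unquote(getpage)  # string concat, like a C strcat()
    try:
        with open(candidate, "rb") as f:
            return f.read()
    except OSError:
        return None


def serve_hardened(root, getpage):
    """Hardened handler: decode, canonicalise, then confine to the document root.

    realpath() collapses '..' and follows symlinks, so the containment check is
    made on the path that will actually be opened rather than on the raw string.
    An absolute parameter is also caught: os.path.join discards the prefix, and
    the resulting path no longer shares the document root.
    """
    docroot = os.path.realpath(os.path.join(root, "www", "html"))
    candidate = os.path.realpath(os.path.join(docroot, unquote(getpage)))
    if os.path.commonpath([docroot, candidate]) != docroot:
        return None  # would escape the document root: reject before opening
    try:
        with open(candidate, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    root = build_sample_tree()
    for name in ("index.html", "../../etc/config.xml", "..%2F..%2Fetc%2Fconfig.xml"):
        print(f"{name!r:40} vulnerable={serve_vulnerable(root, name)!r}")
        print(f"{'':40} hardened={serve_hardened(root, name)!r}")
```

The decode-then-canonicalise order matters: checking the raw string for ".." would miss the percent-encoded form, and checking before realpath() would miss symlinks that point out of the web root.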

Lovett found the vulnerability in his spare time while analyzing an ADSL router a few months ago. Investigating further, he found that over 700,000 routers across multiple models were vulnerable to the same flaw.

The identified router models were:

  • ZTE H108N
  • ZTE H108NV2.1
  • D-Link 2750E
  • D-Link 2730U
  • D-Link 2730E
  • Sitecom WLM-3600
  • Sitecom WLR-6100
  • Sitecom WLR-4100
  • FiberHome HG110
  • Planet ADN-4101
  • Digisol DG-BG4011N
  • Observa Telecom BHS_RTA_R1A

Lovett found that these routers had something in common: the vast majority were using firmware from the Chinese company Shenzhen Gongjin Electronics, which also does business under the trademark T&W. This company manufactures networking equipment for router vendors such as D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear.

It's not clear whether Shenzhen Gongjin Electronics even knows about this vulnerability in its firmware at this point, or whether it has already patched the firmware and sent an updated version to its router vendor customers. The researcher has notified the makers of the routers in which he personally found the vulnerability. He disclosed it on Wednesday at a security conference in the UK that focuses on finding vulnerabilities in embedded devices such as routers, network attached storage appliances and IP cameras.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • d_kuhn
    My in-laws use an ISP provided router - I didn't care for the idea but they're totally non-tech savvy and I'm too far away to give them any support. Personally I use an old Linksys wrt54gs running Tomato for the internet connection (PPPoE to FTTH) that's had wireless disabled and its only connection is to a Sophos UTM9 VM that's actually providing security. This makes me want to ditch the wrt54gs entirely even though Tomato is by all reports very robust.
    Reply
  • funguseater
    "It's not clear whether Shenzhen Gongjin Electronics even knows about this vulnerability in its firmware at this point in time"

    Or if they put it there themselves.
    Reply
  • f-14
    Sounds like something the great leader put there on purpose. Remember the great firewall; the Chinese NSA have their own forced back doors on the internet industry.
    Reply
  • hajila
    Very true f-14, and the most insidious are not in the software. Chinese fabs have implanted malicious circuitry that allows for hardware backdoors into many systems. Hopefully they never have cause to use such vulnerabilities.
    Reply
  • fixxxer113
    I can't believe this kind of vulnerability still exists by accident. I remember doing this on a DSL router from the ISP Vivodi about 7-8 years ago and even then I was surprised this could be done.

    You would point your browser to the IP address of the router and that would open the router's homepage. Of course there you were required to login and most users would have set up passwords. If you deleted the last part of the homepage URL (which was the filename of the actual html file loaded), you would end up in the parent directory. There, you would see other pages from the interface but most would show error 401. Most, except the page that contains the "upgrade firmware" and "backup/restore settings" command buttons. You pressed the backup button and voila! You had an .xml file with all the settings of the router. In those days, some routers would even show passwords in plaintext in the .xml file. You would see everything from admin passwords, ISP passwords, port forward settings, services used etc.

    Even then that struck me as weird because I remembered that flaw from the Netscape browser back in 1999 when we used to do that in many many sites and have fun discovering all sorts of folders and files behind them. I simply cannot believe it is still here in 2015. It's either criminal negligence, or just plain criminal ;)
    Reply
  • Foo Bar
    My in-laws use an ISP provided router - I didn't care for the idea but they're totally non-tech savvy and I'm too far away to give them any support. Personally I use an old Linksys wrt54gs running Tomato for the internet connection (PPPoE to FTTH) that's had wireless disabled and its only connection is to a Sophos UTM9 VM that's actually providing security. This makes me want to ditch the wrt54gs entirely even though Tomato is by all reports very robust.

    Cool story, bro.
    Reply
  • firefoxx04
    Interesting. I don't have this problem running Tomato.
    Reply
  • Avus
    Honestly, the CIA and NSA love these kinds of routers... especially since most of these routers are used in countries that the USA likes to "watch"...
    Reply
  • pixelpusher220
    Sounds like something the great leader put there on purpose. Remember the great firewall; the Chinese NSA have their own forced back doors on the internet industry.

    Damn the Chinese..always one step ahead of us! Though the US is trying hard to do the same thing...
    Reply
  • JonnyDough
    Pixel, no offense, but you're ignorant if you think the Chinese are ahead of us in IT security. Who do you think invented the internet? The DoD.
    Reply