'Directory Traversal' Flaw Exposes Over 700,000 Routers To Remote Hacking

Security researcher Kyle Lovett has uncovered a serious security flaw in some ADSL routers given to customers by ISPs, which leaves them vulnerable to remote hacking. These routers have been distributed in countries such as Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy. Some of them were also found in the U.S. and other countries, although in those locales they were sold as off the shelf products, rather than being distributed by the ISPs.

The flaw that allows for the hacking to happen is called a "directory traversal" and appears in the router firmware component called webproc.cgi. The attackers can extract a config.xml file which contains the router's configuration settings, including the administrator's password hashes (which can be easily cracked due to the weak hashing algorithm being used), the ISP connection username and password, the Wi-Fi password, and the client and server credentials for the TR-069 remote management protocol used by some ISPs.

Lovett found the vulnerability in his spare time when he was analyzing an ADSL router a few months ago. He investigated this issue further and found that over 700,000 routers, which included multiple models, were vulnerable to the same security flaw.

The identified router models were:


ZTE H108NV2.1

D-Link 2750E

D-Link 2730U

D-Link 2730E

Sitecom WLM-3600

Sitecom WLR-6100

Sitecom WLR-4100

FiberHome HG110

Planet ADN-4101

Digisol DG-BG4011N

Observa Telecom BHS_RTA_R1A

Lovett found that all of these routers had something in common: the vast majority of the routers were using firmware from the Chinese company called Shenzhen Gongjin Electronics, which also does business under the trademark T&W. This company manufactures networking equipment for router vendors such as D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear.

It's not clear whether Shenzhen Gongjin Electronics even knows about this vulnerability in its firmware at this point in time, or whether it has already patched the firmware and has sent an updated version to its router vendor customers. The researcher has already notified the makers of the routers in which he personally found the vulnerability. He disclosed this vulnerability on Wednesday, at a security conference in UK, which focuses on finding vulnerabilities in embedded devices such as routers, network attached storage appliances, IP cameras and so on.

Follow us @tomshardware, on Facebook and on Google+.