Multiple security vulnerabilities have been discovered by security researchers at IOActive in the BHU Wi-Fi “uRouter”, a device sold on the Chinese market.
Security researchers at the security testing firm IOActive have revealed that the BHU Wi-Fi “uRouter”, which is manufactured and sold solely in China, is full of security holes that make it a dangerous device for anyone to use.
The device, despite its attractive and unique design, is a nightmare from the software and security point of view, according to Tao Sauvage of IOActive. The router’s security is so lax that an unauthorized user can easily bypass authentication, access the sensitive information stored in the router’s logs, and even run OS commands with root privileges.
Since the interface is designed solely for Chinese-speaking users, the researcher analysed the router’s firmware instead. Doing so revealed a path traversal restricted to .html files, and that no authentication was required to access the router’s system logs. This means that sensitive information, such as the session ID (SID) values of the admin cookie, could be hijacked by an attacker and used to operate the device as the administrator.
Moreover, the attacker does not even need an administrator to log in to the router and have the router store that cookie, because every uRouter ships with the same hardcoded SID: 70000000000000. Since the SID is constant across reboots and the user has no way of changing it, the attacker can enjoy admin privileges indefinitely.
However, that is not the end of the security flaws in this uRouter. The researchers also found a hidden user, dms:3, which could be a backdoor account. The router accepts any SID cookie value as proof that the user is authenticated. Having found that an attacker could use the router as an administrator, the researchers then tried to gain root privileges, and were able to inject OS commands as well. Although the command needs to be HTML-encoded for the XML to parse successfully, it runs with root privileges.
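As an added illustration, not code from IOActive or BHU: a minimal Python sketch of the two session and file-path mistakes the article describes, each placed beside a corrected form. The web root, the store and the function names are assumptions made for this example.

```python
# Added example (not the router's own code). Contrasts the behaviour the
# article describes with the checks a router's web interface should make.
import secrets
from pathlib import Path
from typing import Optional

# The constant SID value quoted in the article, used here only as test input.
HARDCODED_SID = "70000000000000"

def is_admin_weak(sid_cookie: str) -> bool:
    """Flawed check: any non-empty SID cookie is treated as an authenticated admin."""
    return bool(sid_cookie)

class SessionStore:
    """Server-side sessions: a SID is valid only if this store issued it.

    The store lives in memory, so every reboot invalidates all SIDs, unlike the
    hardcoded value that survives reboots on the device in the article.
    """
    def __init__(self) -> None:
        self._sessions = {}  # sid -> username

    def issue(self, username: str) -> str:
        """Issue a fresh 256-bit random SID after credentials were verified elsewhere."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def is_admin(self, sid_cookie: str) -> bool:
        """Accept only SIDs this store issued, and only for the admin user."""
        return self._sessions.get(sid_cookie) == "admin"

# Assumed document root for the router's web interface.
WEB_ROOT = Path("/www").resolve()

def resolve_public_path(requested: str) -> Optional[Path]:
    """Map a requested URL path onto the web root, refusing anything that escapes it.

    This closes the ".." traversal the article describes; resolving first and
    then checking ancestry handles encoded or nested "../" sequences alike.
    """
    candidate = (WEB_ROOT / requested.lstrip("/")).resolve()
    if WEB_ROOT not in candidate.parents:
        return None  # escaped the web root (for example, into the log directory)
    return candidate
```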
The simplicity of hijacking this router is worrying. An attacker can easily eavesdrop on a user’s traffic using tcpdump, modify the configuration to redirect traffic to any address they want, remove critical files from the device, or insert a persistent backdoor into it. No firewall protection is offered against an attacker trying to access it from the WAN if the router is connected to the internet. The router has SSH enabled by default and re-writes the hardcoded root-user password whenever it boots.