Hackers could gain access to sensitive configuration data such as administrative credentials through a directory traversal flaw in at least 700,000 ADSL routers which have been distributed worldwide.
Kyle Lovett, a security researcher, discovered the flaw in the webproc.cgi firmware component, which lets attackers take over routers that Internet service providers supply to their customers. Although the vulnerability is not new, it has remained unpatched, leaving users exposed.
The vulnerable devices include models from D-Link, Sitecom, WLR, FiberHome, Planet ADN, Digisol, Observa Telecom and ZTE. If you own one of the affected models, you are at risk, and hundreds of thousands of other devices are vulnerable to the same flaw. By country, affected users are concentrated in the U.S., Colombia, Moldova, Iran, Peru, Chile, Egypt, China, Italy, India, Argentina, and Thailand.
Using the directory traversal vulnerability, attackers can retrieve sensitive files from the device, including the files that hold the router's configuration, which is enough to give them full control of the device. Besides the configuration settings, those files store password hashes, the ISP connection username and password, the password for the configured wireless network, and the client and server credentials for the remote management protocol.
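As an added illustration (not from the original article or the researcher's work), the following Python snippet shows the check a network operator would run against a router's web-server or proxy access log: it percent-decodes each request URL (repeatedly, to catch double encoding) and flags requests to webproc.cgi that contain a `../` or `..\` sequence, reporting the client IP and the HTTP status so that a 200 response to a traversal request stands out. The log lines, the `getpage` parameter name and the file paths in them are constructed for this example and are assumptions; the article names only webproc.cgi and the traversal itself.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
# The parameter name "getpage" and the requested file paths are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2015:10:00:01 +0000] "GET /webproc.cgi?getpage=html/index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2015:10:00:05 +0000] "GET /webproc.cgi?getpage=../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [01/Mar/2015:10:00:06 +0000] "GET /webproc.cgi?getpage=%2e%2e%2f%2e%2e%2fvar%2ftmp%2fconfig.xml HTTP/1.1" 200 8192
203.0.113.5 - - [01/Mar/2015:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD URL PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# A parent-directory step with either separator, anywhere in the decoded URL.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(url, max_rounds=3):
    """Percent-decode until the string stops changing, so that
    double-encoded sequences such as %252e%252e%252f are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_traversal(url):
    """True if the decoded URL contains a directory traversal sequence."""
    return bool(TRAVERSAL_RE.search(fully_decode(url)))


def find_traversal_attempts(log_text, target="webproc"):
    """Return (client_ip, decoded_url, status) for every request to the
    target CGI path that carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        url = m.group("url")
        if target in url and is_traversal(url):
            hits.append((m.group("ip"), fully_decode(url), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, url, status in find_traversal_attempts(SAMPLE_LOG):
        # A 200 status here means the device most likely served the file.
        print(f"{ip} -> {url} (HTTP {status})")
```

Run on a real log, feed the file contents to `find_traversal_attempts`; the decoded URL in each hit shows which file the attacker asked for, and a 200 status is the signal that the device answered rather than rejected the request.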
The password hashes were found to use a weak scheme and are easy to crack, letting attackers log in to the router as administrator and alter its settings, including the DNS servers. That is a crucial setting: once the router's DNS configuration points at an attacker-controlled resolver, users are silently sent to attacker-controlled servers even when they type the address of a legitimate website.
The directory traversal is not the only flaw the investigation turned up. Lovett found that the great majority of these routers ship with a support account whose hard-coded password is shared across devices and, he says, easy to guess. This weakness is present even on routers that do not have the directory traversal flaw.
The routers' active memory is also remotely exposed, giving attackers a full view of a memory dump containing data about the Internet traffic passing through the device. From it, attackers can recover credentials for various websites in plain text.
Based on the IP addresses seen in recent attempts to exploit the routers, Lovett says the attackers are operating from China. Besides controlling the routers remotely, attackers can also mount the attack from inside the local network, either through malware on a client machine or through cross-site request forgery against the router's web interface.