Tao Sauvage, an expert from IOActive, has analyzed a BHU Wi-Fi router that he purchased during a travel. The BHU Wi-Fi router appears like a surveillance box, but according to the analysis of the experts, it is affected by multiple vulnerabilities.
The network device is completely pwnable by an unauthenticated attacker that can access sensitive information.
The expert also explained that the BHU Wi-Fi router comes with hidden users, SSH enabled by default and a hardcoded root password … not so bad for an attacker, what do you think about?
“The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.” wrote Sauvage.”
Sauvage has exploited the UART debug pins to extract the firmware and analyzed it, it has found multiple security vulnerabilities.
The expert noticed that the CGI script running everything reveals the session ID of the admin cookie, this means that it could easily hijacked by an attacker that obtains admin privileges.
The BHU Wi-Fi router includes a hard-coded SID, 700000000000000, an attacker can get access to “all authenticated features” by presenting it to the router.
Once presented the above SID to the device, it revealed the hidden user dms:3.
“So far, we have three possible ways to gain admin access to the router’s administrative web interface:
” explained Sauvage.
It is incredible, the BHU Wi-Fi router is full of security holes, the researchers also discovered that the device fails to perform XML address value sanitization, this allows an attacker to carry out an OS command injection. Sauvage claims that the router could be used to eavesdrop on router traffic using a command-line packet analyzer like
The router could be used by attackers to eavesdrop on the device traffic using a command-line packet analyzer like tcpdump or to hijack it for other malicious purposes.
“At this point, we can do anything:
I invite you to give a look to the analysis published by IOActive, it is amazing the number of issues affecting this specific device, and probably many others suffer the same problems.
Lets hope the Chinese manufactured that designed the device, the BHU Networks Technology Co., is now aware how insecure is its router.
Don’t forget that the many powerful botnets leverages on compromised SOHO devices.
(Security Affairs – BHU Wi-Fi router, SOHO router)