More than 700,000 DSL modem routers given to customers by Internet service providers are full of security holes and could leave average users vulnerable to hackers.
Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.
The directory traversal vulnerability can be used by unauthenticated attackers to extract a sensitive file called config.xml, which is on most of the affected routers and contains their configuration settings.
The file also contains the password hashes for the administrator and other accounts on the device; the username and password for the user's ISP connection (PPPoE); the client and server credentials for the TR-069 remote management protocol used by some ISPs; and the password for the configured wireless network, if the device has Wi-Fi capabilities.
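The class of bug described above, as an added example that is not code from the affected firmware or from Lovett's research: a web server that joins the request path to its document root without normalising it, next to a version that refuses any path climbing above the root. The web root, the function names and the request strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define WEB_ROOT "/var/www" /* assumed web root; the article names no paths */

/* Naive mapping: the request path is appended to the web root unchanged,
 * so ".." segments survive and the OS resolves them above WEB_ROOT. */
int naive_map(const char *req, char *out, size_t n) {
    return snprintf(out, n, "%s%s", WEB_ROOT, req) < (int)n ? 0 : -1;
}

/* Hardened mapping: normalise segment by segment and refuse any request
 * that would climb above WEB_ROOT. Returns 0 on success, -1 on refusal. */
int safe_map(const char *req, char *out, size_t n) {
    size_t root_len = strlen(WEB_ROOT), len = root_len;
    /* Undecoded escapes and backslashes are refused, not interpreted. */
    if (req[0] != '/' || strchr(req, '%') || strchr(req, '\\')) return -1;
    if (root_len + 1 > n) return -1;
    memcpy(out, WEB_ROOT, root_len + 1);
    while (*req) {
        while (*req == '/') req++;             /* collapse repeated slashes */
        size_t seg = strcspn(req, "/");
        if (seg == 0) break;
        if (seg == 2 && req[0] == '.' && req[1] == '.') {
            if (len == root_len) return -1;    /* would leave the web root */
            while (out[len - 1] != '/') len--; /* drop the last segment */
            out[--len] = '\0';                 /* and its leading slash */
        } else if (!(seg == 1 && req[0] == '.')) {
            if (len + seg + 2 > n) return -1;  /* '/' + segment + NUL */
            out[len++] = '/';
            memcpy(out + len, req, seg);
            len += seg;
            out[len] = '\0';
        }
        req += seg;
    }
    return 0;
}

int main(void) {
    const char *reqs[] = { "/index.html", "/img/../index.html",
                           "/../../etc/config.xml" }; /* constructed inputs */
    char path[128];
    for (int i = 0; i < 3; i++) {
        naive_map(reqs[i], path, sizeof path);
        printf("naive: %-30s ", path);
        printf("safe: %s\n", safe_map(reqs[i], path, sizeof path) ? "refused" : path);
    }
    return 0;
}
```

A device that keeps its configuration file outside the document root and maps paths this way would refuse the request before any file is opened; requiring authentication on the management interface is a separate control.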
Most of the models were distributed by ISPs in Latin America, the Middle East and Asia, although Lovett said some could be bought off the shelf in North America, according to a writeup of Lovett's presentation by Lucian Constantin of IDG News Service.
According to Lovett, the hashing algorithm used by the routers is weak, so the password hashes can easily be cracked. Attackers could then log in as administrator and change a router's DNS settings.
By controlling the DNS servers the routers use, attackers can direct users to rogue servers when they try to access legitimate websites. Large-scale DNS hijacking attacks against routers, known as router pharming, have become common over the past two years.
In the past seven months, major security flaws have been found in home wireless routers made by ASUS, Huawei, Netcore, Netis, TP-Link and UTStarcom, as well as the aforementioned D-Link and ZTE. The problems often stem from the fact that routers commonly run third-party firmware, some of it more than a decade old.
Firmware patches are haphazardly distributed to customers, who can sometimes only learn of updates by checking manufacturer websites. Moreover, many customers never change administrative credentials, which can sometimes be accessed from the Internet, and many combination modem-routers handed out by ISPs can't be administered by the end user at all.
According to a search on WikiDevi, an online database of computer hardware, Shenzhen Gongjin Electronics is listed as manufacturer for networking devices from a large number of vendors, including D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear. It's not clear how many of the listed devices also run firmware developed by the company that might contain the vulnerabilities identified by Lovett.
It's also unclear if Shenzhen Gongjin Electronics is aware of the flaws or if it has already distributed patched versions of the firmware to its partners.
The company did not respond to a request for comment and, according to Lovett, his attempts to notify the company went unanswered as well.
The researcher also notified the affected device vendors that he managed to identify, as well as the United States Computer Emergency Readiness Team.
The solution may be to spend more for your home router, and to make sure your modem, whether it's for DSL or cable, and your router are separate devices.