Experts found a flaw in the Humax WiFi Router model HG-100R that could be exploited to fully compromise the device.

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in the Humax WiFi Router model HG-100R that attackers could exploit to compromise the WiFi credentials and obtain the router console administrative password.

The issue was found by researchers at Trustwave SpiderLabs in May 2017. The company tried to report it to the manufacturer that did reply, the researchers say. The Humax WiFi Router model HG-100R is a default brand/version distributed by a major Internet provider in Brazil, and it is also used in many other countries worldwide.

“More recently, in May 2017, Felipe Cerqueira and Thiago Musa, both from Trustwave SpiderLabs, have found a remote vulnerability in the HUMAX WiFi Router model HG-100R*. This vulnerability can allow attackers to compromise the WiFi Credentials and, even more dangerous, to retrieve the router console administrative password,” states the blog post published by Trustwave SpiderLabs. “The equipment is a default brand/version distributed by a major Internet provider in Brazil (where the vulnerability was discovered) but is also used in many other parts of the world.”

The issue is simple to exploit: attackers just need to send specially crafted requests to the management console to bypass authentication. The experts discovered that the router fails to validate the session token when returning answers for some methods in “url/api”.

The exploitation of the flaw could allow an attacker to retrieve sensitive information, such as the private/public IP addresses, SSID names, and passwords.

“The cookie login is basically json data containing uid and pwd encoded in base64: login={"uid":"admin","pwd":"4cd08a961f5c"};,” states the post. “In the example below you can see a request to the router without providing any authentication as well as the response containing sensitive data such as SSID name, IP addresses and WiFi password.”

A second vulnerability affecting the Humax WiFi Router model HG-100R allows attackers to bypass authentication and access the backup functionality. The feature allows router administrators to save and restore the configuration. Unfortunately, in both cases the code fails to check the cookies “login” and “login_token.” This means an attacker can send requests to download and upload the full router configuration.

An attacker can, for example, change the DNS setting in order to hijack the user’s traffic.

“By using the backup generation/restore functionality provided by the URLs “/view/basic/GatewaySettings.bin” and “/view/basic/ConfigUpload.html” we were able to retrieve, change and finally restore a specially crafted configuration. As an example of the danger of this type of vulnerability, an attacker could use it to change your DNS configuration and redirect your traffic to servers controlled by them in order to steal private information such as passwords or banking account information.” continues the analysis.
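The missing check described above (the session cookies “login” and “login_token” are not validated on “url/api” or on the two backup URLs), modeled next to a deny-by-default version. This is an added example, not Humax firmware or Trustwave code; the session store, the `/index.html` public page, the `issue_session` helper and the token comparison are assumptions made for illustration.

```python
import base64
import hmac
import json

# Routes the article names as answering without a session check.
SENSITIVE = ("/api", "/view/basic/GatewaySettings.bin", "/view/basic/ConfigUpload.html")
PUBLIC = {"/index.html"}   # hypothetical login page, the only route served anonymously
SESSIONS = {}              # uid -> login_token issued at login (hypothetical store)

def issue_session(uid, token):
    """Record a session and return the Cookie header a logged-in browser would send."""
    SESSIONS[uid] = token
    # The model keeps only uid; the cookie quoted in the article also carries pwd.
    login = base64.b64encode(json.dumps({"uid": uid}).encode()).decode()
    return f"login={login}; login_token={token}"

def parse_cookies(header):
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value   # value keeps any base64 '=' padding
    return cookies

def authenticated(header):
    """True only if both cookies are present and login_token matches the stored session."""
    cookies = parse_cookies(header)
    login, token = cookies.get("login"), cookies.get("login_token")
    if not login or not token:
        return False
    try:
        uid = json.loads(base64.b64decode(login, validate=True))["uid"]
    except (ValueError, KeyError, TypeError):
        return False            # malformed base64 or JSON is treated as no session
    expected = SESSIONS.get(uid) if isinstance(uid, str) else None
    return expected is not None and hmac.compare_digest(expected.encode(), token.encode())

def route_vulnerable(path, header):
    """Models the flaw: the sensitive routes are served before any cookie check."""
    if path.startswith(SENSITIVE):
        return 200
    return 200 if path in PUBLIC or authenticated(header) else 401

def route_hardened(path, header):
    """Deny by default: every route outside PUBLIC needs a valid session."""
    return 200 if path in PUBLIC or authenticated(header) else 401
```

The hardened router lists the anonymous routes instead of the protected ones, so a route added later cannot be left out of the check.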

The experts also discovered that the GatewaySettings.bin file stores the administrative password in clear text. From byte 96 onward the file is encoded in base64; decoding it reveals the passwords for the “admin” (AAAAAAAA) and “root” (humax) users.

“If your router allows remote configuration management via the Internet, attackers can easily gain access to it and change configurations that will impact your Internet traffic. However, even if configuration management is not available on the Internet facing interface, attackers can still exploit the vulnerability in locations where WiFi routers are public, for instance in a café or airport,” continues the blog post.

To protect your router, disable the option “Remote Configuration Management.”

“Access your HUMAX WiFi Router via the following URL: http://192.168.0.1 and you should be able to find the credentials on the bottom of the router itself. By default, this configuration is not enabled, but you should double check it to make sure. If you don’t have access to your router, try to contact your Internet Service Provider and ask for support or, perhaps, a new router,” Trustwave concludes.

Pierluigi Paganini

(Security Affairs – Humax WiFi Router model HG-100R, hacking)
