'Directory Traversal' Flaw Exposes Over 700,000 Routers To Remote Hacking

Status
Not open for further replies.

d_kuhn

Distinguished
Mar 26, 2002
704
0
18,990
2
My in-laws use an ISP provided router - I didn't care for the idea but they're totally non-tech saavy and I'm too far away to give them any support. Personally I use an old Linksys wrt54gs running Tomato for the internet connection (PPPoE to FTTH) that's had wireless disabled and it's only connection is to a Sophos UTM9 VM that's actually providing security. This makes me want to ditch the wrt54gs entirely even though Tomato is by all reports very robust.
 

funguseater

Distinguished
Sep 20, 2009
587
0
19,060
49
"It's not clear whether Shenzhen Gongjin Electronics even knows about this vulnerability in its firmware at this point in time"

Or if they put it there themselves.
 

f-14

Distinguished
Apr 2, 2010
2,344
0
19,960
50
sounds like something great leader put there on purpose, remember the great firewall, chinese NSA have their own forced back doors on the internet industry.
 

hajila

Distinguished
May 20, 2009
62
0
18,630
0
Very true f-14, and the most insidious are not in the software. Chinese fabs have implanted malicious circuitry that allows for hardware backdoors into many systems. Hopefully they never have cause to use such vulnerabilities.
 

fixxxer113

Distinguished
Aug 26, 2011
296
0
18,810
22
I can't believe this kind of vulnerability still exists by accident. I remember doing this on a DSL router from the ISP Vivodi about 7-8 years ago and even then I was surprised this could be done.

You would point your browser to the IP address of the router and that would open the router's homepage. Of course there you were required to login and most users would have set up passwords. If you deleted the last part of the homepage URL (which was the filename of the actual html file loaded), you would end up in the parent directory. There, you would see other pages from the interface but most would show error 401. Most, except the page that contains the "upgrade firmware" and "backup/restore settings" command buttons. You pressed the backup button and voila! You had an .xml file with all the settings of the router. In those days, some routers would even show passwords in plaintext in the .xml file. You would see everything from admin passwords, ISP passwords, port forward settings, services used etc.

Even then that struck me as weird because I remembered that flaw from the Netscape browser back in 1999 when we used to do that in many many sites and have fun discovering all sorts of folders and files behind them. I simply cannot believe it is still here in 2015. It's either criminal negligence, or just plain criminal ;)
 

Foo Bar

Reputable
Mar 23, 2015
1
0
4,510
0
My in-laws use an ISP provided router - I didn't care for the idea but they're totally non-tech saavy and I'm too far away to give them any support. Personally I use an old Linksys wrt54gs running Tomato for the internet connection (PPPoE to FTTH) that's had wireless disabled and it's only connection is to a Sophos UTM9 VM that's actually providing security. This makes me want to ditch the wrt54gs entirely even though Tomato is by all reports very robust.
Cool story, bro.
 

Avus

Distinguished
Nov 2, 2001
355
0
18,780
0
Honestly, CIA and NSA love these kind of routers.... specially most of these routers used in countries that USA like to "watch"...
 

pixelpusher220

Distinguished
Jun 4, 2008
21
0
18,510
0
sounds like something great leader put there on purpose, remember the great firewall, chinese NSA have their own forced back doors on the internet industry.
Damn the Chinese..always one step ahead of us! Though the US is trying hard to do the same thing...
 

d_kuhn

Distinguished
Mar 26, 2002
704
0
18,990
2


Way to add nothing bro...
 
G

Guest

Guest
well windows 7 is my last of microsoft and i am already running linux which kicks ass. for me it does all that i need and doesn't cost anything but a little bit of my time and runs excellent on all my desktops that i already own. i am not bashing microsoft but the aren't the only operating system around.linux is good in my opinion and it works for me.

the poorguy
 
G

Guest

Guest
well windows 7 is my last of microsoft and i am already running linux which kicks ass. for me it does all that i need and doesn't cost anything but a little bit of my time and runs excellent on all my desktops that i already own. i am not bashing microsoft but the aren't the only operating system around.linux is good in my opinion and it works for me.

the poorguy
 
Status
Not open for further replies.

ASK THE COMMUNITY

TRENDING THREADS