How to find vulnerabilities in routers and what to do with it

Often, the manufacturers of routers do not particularly care about the quality of their code. As a result, the vulnerabilities are not uncommon. Today, the routers are a priority target of network attacks that allows to steal money and data while bypassing local protection systems. How can you personally check the quality of firmware and adequacy of settings? You can do this by using free utilities, online test services and this article.

Consumer-grade routers have been always criticized for their unreliability, but the high price does not yet guarantee high security. Last December, the experts from Check Point found more than 12 million routers (including some top models) and DSL modems that can be hacked due to vulnerabilities in their mechanism of automatic settings. It is widely used for fast configuration of network equipment on the client side (CPE, Customer Premises Equipment). In the last ten years, ISPs do this by using CWMP (CPE WAN Management Protocol), a subscriber’s equipment management protocol. TR-069 specification allows to use it for sending settings and connecting services through auto configuration server (ACS, Auto Configuration Server). The employees of Check Point found that many routers make an error when handling CWMP requests, and ISPs make this situation even more complicated: most of them do not encrypt the connection between ACS and customer equipment and do not restrict access by IP or MAC addresses. This all creates conditions for an easy ‘man-in-the-middle’ attack.

By using the vulnerable CWMP implementation, an attacker could do practically anything, such as setting and reading the configuration parameters, resetting parameters to their default values, and remotely rebooting the device. The most common type of attack is to substitute DNS addresses in the router settings for addresses of servers controlled by the attacker. They filter the web requests and redirect those addressed to banking services to fake pages. The fake pages have been created for all popular payment systems, such as PayPal, Visa, MasterCard, QIWI and other.

A particular aspect of this attack is that the browser is running on a clean OS and sends a request to a correctly entered address of real payment system. Checks of network settings on the computer and a virus scan do not reveal any problems. Moreover, the effect is the same, if you connect to a payment system through a hacked router from another browser and even from another device on your home network.

Since most people rarely check the settings of their router (or even entrust this process to technicians from ISP), the problem stays undetected for a long time. It is usually discovered by process of elimination after the money was stolen from the accounts and computer check revealed nothing.

To connect to the router via CWMP, the attacker uses one of the most common vulnerabilities specific to entry-level network devices. For example, this devices host RomPager, a third-party web server written by Allegro Software. Many years ago, it was found to have a cookies handling bug, which was quickly fixed, but the problem exists even today. Since this web server is part of a firmware, it cannot be updated at once on all devices. Every manufacturer had to issue a new release for hundreds of models that are already on sale and convince their owners to download the update as quickly as possible. In practice, none of the home users did it. As a result, vulnerable devices number in the millions even ten years after the release of patches. Moreover, even today, in their firmware, the manufacturers continue to use the vulnerable version of RomPager.

In addition to routers, this vulnerability affects VoIP phones, network cameras and other equipment that allows remote configuration via CWMP. Typically, this is done by using port 7547. You can check its status on the router with Shields Up, a free service from Steve Gibson. To do this, enter its URL (grc.com), and then add /x/portprobe=7547.

Router ignored a request to port 7547

Router ignored a request to port 7547

On the screenshot, only positive result can be indicative that there is a vulnerability. Negative result does not guarantee that vulnerability is not there. To eliminate the possibility, you need to conduct a full penetration test, for example, by using Nexpose scanner or Metasploit framework (bit.ly/1vlHHHw). Often, the developers are not able to say what version of RomPager is used in a particular release of their firmware or whether it is included there at all. This component is definitely not available only in alternative open source firmware (we will discuss it later).


Specifying Secure DNS

It is a good idea to often check the router settings and immediately specify the alternative DNS server addresses. Here are some of them that are freely > available.

Comodo Secure DNS: 8.26.56.26 and 8.20.247.20
Norton ConnectSafe: 199.85.126.10, 199.85.127.10
Google Public DNS: 8.8.8.8, 2001:4860:4860:8888 — for IPv6
OpenDNS: 208.67.222.222, 208.67.220.220

All of them block only infected and phishing sites, without restricting access to resources intended “for adults”.

Unplug and Pray

There are other problems known for a long time, which the owners of network devices or (less often) their manufacturers are unwilling to fix. Two years ago, the experts from DefenseCode found a set of vulnerabilities in routers and other active network equipment of nine major companies. All of them are associated with incorrect software-based implementation of some key program components. In particular, this affects UPnP stack in firmware for Broadcom chips or those that use the older versions of ‘libupnp’, an open source library.

Together with the experts from Rapid7 and CERT, the employees of DefenseCode found about seven thousand vulnerable models of devices. In the six months of active scanning in the random range of IPv4 addresses, they identified over 80 million hosts that responded to a standard UPnP request on WAN port. One in five of them supported SOAP (Simple Object Access Protocol) service, while 23 million allowed to execute any code without authorization.

In most cases, the attack against the routers with such hole in UPnP can be launched through a modified SOAP request, which leads to error in data processing and allows the remaining part of the code to get into randomly selected area of router memory, where it runs with root privileges. On home routers, it is better to completely disable UPnP and make sure that the requests to port 1900 are blocked. The service from Steve Gibson, that I already mentioned, can help you to do this.

The router didn't respond to a UPnP SSDP request and this is good!

The router didn’t respond to a UPnP SSDP request and this is good!

By default, UPnP (Universal Plug and Play) protocol is enabled on most routers, network printers, IP cameras, NAS and home appliances that are probably “too smart”. It is enabled by default in Windows, OS X, and many versions of Linux. If you can fine-tune its use, it’s not so bad. If the only available options are just ‘enable’ or ‘disable’, it is better to choose the latter.

Sometimes, the manufacturers deliberately implement backdoors in their network equipment. Most likely, this is happening at the behest of security services. But, in case of any scandal, the official response always refers to “technical need” or “corporate service to improve communication quality”. Built-in backdoors have been found in some routers from Linksys and Netgear. They opened port 32764 to receive remote commands. Since this number does not correspond to any commonly known service, the issue can be easily detected, for example, by using an external port scanner.

Please subscribe to read full article

1 year

for only $300

With subscription you are free to read all of the materials of Hackmag.com.
Read more about the project


Please subscribe to view comments

Only subscribers can participate in the discussions. You may login in to your account or sign up to Hackmag and pay a subscription to access the discussions.