Internet service providers distribute 700,000 routers vulnerable to remote hacking

More than 700,000 ADSL routers distributed around the world, including in the US, have a directory traversal flaw in their webproc.cgi firmware modules, which can be used by remote attackers to extract data, including admin credentials and configuration settings, from the router’s config.xml file.

Attackers could use this information to change a router’s DNS settings, redirecting visitors from legitimate websites to malicious clones, where they can intercept data in man-in-the-middle (MITM) attacks, spread malware, or just use it as a platform to spread their views. DNS hijacking is a favorite approach of Lizard Squad, for example.

Security researcher Kyle Lovett, who investigated the issue, disclosed his findings at CRESTCon, a security conference in the UK, Wednesday. He found that hundreds of thousands of routers were affected, the majority of which used firmware from Chinese company Shenzhen Gongjin Electronics, which also trades under the name T&W.

The vulnerability isn’t new – it’s been reported in various forms since 2010, affecting routers made by Belkin, Netgear, and Fiberhome, among others. What is new is the scale of the problem, and the fact that routers are still being made and sold with the same old flaw.

Affected routers are: ZTE H108N, ZTE H108NV2.1, D-Link 2750E, D-Link 2730U, D-Link 2730E, Sitecom WLM-3600, Sitecom WLR-6100, Sitecom WLR-4100, FiberHome HG110, Planet ADN-4101, Digisol DG-BG4011N, and Observa Telecom BHS_RTA_R1A. Other affected routers have not been identified, but it’s likely that this list is not exhaustive. Lovett has notified the vendors, as well as US-CERT.