Aside from computers and applications, the general hardware we use to connect to the world is also a target of hacking. Today, experts have found a firmware vulnerability in routers from the popular manufacturer TP-Link that, if exploited, can give an attacker root access and ultimately let them replace the user as admin.
After all, few people would think routers could be targeted too. They are the main link between us and the world, yet they are given little attention. That is where hackers see a chance to sneak into the network by voiding the admin password remotely.
How Do They Do It?
Accessing a network requires an admin password, which is an exact string of preset characters. But attackers can send a simple HTTP request carrying a character string longer than the allowed number of bytes. This voids the user's actual password and replaces it with an empty value!
Here, the hacker tricks the validation process by sending the hardcoded tplinkwifi.net value to the HTTP service so that it treats the request as valid. The catch is that the process only checks the HTTP Referer header, which lets anyone fool it with such string inputs.
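The two weaknesses described above, a Referer-only trust check and an unbounded password field, are modelled below in an added Python example that is not TP-Link's firmware code; the request path, the 15-byte limit and the session-cookie scheme are assumptions made for the illustration, and the weak check is shown beside a hardened one that ignores Referer for authorization and enforces the length bound.

```python
"""Illustrative model of a router password-change handler (not TP-Link code)."""
from urllib.parse import parse_qs, urlencode

MAX_PASSWORD_BYTES = 15            # assumed limit; the article does not state the real one
TRUSTED_REFERER = "tplinkwifi.net"  # the hardcoded host value the article mentions


def parse_http_request(raw: bytes):
    """Split a minimal HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def referer_only_check(raw: bytes) -> bool:
    """Weak pattern: the request is 'valid' if Referer names the router host.
    The password field's length is never checked, so oversized input passes."""
    _, _, headers, _ = parse_http_request(raw)
    return TRUSTED_REFERER in headers.get("referer", "")


def hardened_check(raw: bytes, valid_sessions: set) -> tuple:
    """Accept a password change only with a valid session cookie AND a
    non-empty password within the byte limit. Referer is not an auth signal."""
    _, _, headers, body = parse_http_request(raw)
    cookie = headers.get("cookie", "")
    pairs = (part.strip().split("=", 1) for part in cookie.split(";") if "=" in part)
    session = dict(pairs).get("session")
    if session not in valid_sessions:
        return False, "no valid session"
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    new_pw = fields.get("password", [""])[0]
    if not new_pw:
        return False, "empty password"
    if len(new_pw.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False, "password exceeds %d bytes" % MAX_PASSWORD_BYTES
    return True, "ok"


def build_request(password: str, referer: str = TRUSTED_REFERER, cookie: str = "") -> bytes:
    """Constructed sample request for testing; the path is a placeholder."""
    body = urlencode({"password": password}).encode("utf-8")
    hdrs = ["POST /placeholder/admin_password HTTP/1.1", "Host: " + TRUSTED_REFERER,
            "Referer: http://" + referer + "/", "Content-Length: %d" % len(body)]
    if cookie:
        hdrs.append("Cookie: " + cookie)
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode("latin-1") + body
```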
Identified as CVE-2019-7405, this vulnerability was found as a zero-day by Grzegorz Wypych of IBM X-Force Red, the threat intelligence team. The router models affected by this vulnerability are Archer C5 V4, Archer MR200v4, Archer MR6400v4 and Archer MR400v3.
As usual, once an unauthorized party is let in, theft, full control of systems and so on can follow, just as in the real world. The same applies here: since every process is authorized by the user, an attacker who gains root-level access can take charge of the device from its owner.
Further, the legitimate user can be locked out of his own hardware! Hackers can disable user logins from the UI and refuse to accept any new passwords or changes to them. Thus the original user loses control over the device and is not even allowed to reset or redo a password! RSA could be an option in such situations, but it does not work with empty passwords, so it is useless here.
Considering this a critical flaw, Wypych further warns: “Risk is greater on business networks where routers such as this can be used to enable guest Wi-Fi. If placed on the enterprise network, a compromised router can become a point of entry to an attacker, and a place to pivot from in recon and lateral movement tactics.”