Experts from Trustwave SpiderLabs found a vulnerability in Humax HG-100R routers, which allows obtaining credentials for authorization in the Wi-Fi network and the administrator password of the device.

The vulnerability is very simple to exploit. In order to bypass the authentication mechanism, an attacker only needs to send specially configured requests to the management console. The problem is related to the lack of checking the session token when sending a response for some methods to url / api. By exploiting the vulnerability, an attacker can obtain information such as private / public IP address, network name (SSID), and passwords.

The second vulnerability in the Humax HG-100R allows you to bypass the authentication mechanism and access the backup function. This function is used to save and reset the configuration settings. Since the firmware does not verify the authenticity of the cookies login and login_token, the attacker is able to download and unload all configuration settings of the router.

For example, an attacker could change the DNS settings to intercept user traffic.

The researchers also found that the administrator password is stored in the GatewaySettings file. Bin in plaintext. If the router provides a remote configuration change, an attacker can easily access the control panel and change the settings at will. Even if this option is not provided, the attacker can still exploit the vulnerability in places with public Wi-Fi networks (for example, in cafes or airports).