Thousands of Zhone SOHO routers can be easily hijacked
Two days before he is scheduled to give a talk about discovering and exploiting 0-day vulnerabilities in SOHO routers’ firmware, security researcher Lyon Yang has released details about a number of vulnerabilities in routers made by California-based Zhone Technologies, the exploitation of some of which can result in the routers being hijacked.
Yang, who is a senior security consultant at Vantage Point Security and has gained a reputation as the go-to guy for router hacking in Singapore, says that Zhone routers are installed for users of a major Singaporean ISP, which he won’t name. But a quick search with Shodan revealed that they are also used around the world.
All the vulnerabilities he found, including the most critical ones that can easily lead to remote code execution, have been patched by Zhone last week with the release of version S3.1.241 of the firmware.
But there’s another problem: Yang shared with The Register that the unnamed ISP does not give users the router credentials for accessing the administration panel, so they can’t perform the firmware update.
It’s interesting to note that one of the flaws (CVE-2014-8357) he found concerns the unsuitable storage of router credentials – in a backup file accessible both to the legitimate users and malicious attackers.
Yang is currently working on a testing framework for ARM and MIPS based routers as well as shell code generation and post-exploitation techniques.