Disclaimer: Breaking into unauthorized systems and devices is completely illegal. The information provided here is solely for the purpose of sharing knowledge, and all I present is my own research material, so that the public can remain safe and benefit from my research.
|Main Login page for Totolink Router|
If you have done a bit of networking, you probably know what a three-way handshake is. The Transmission Control Protocol (TCP) uses the three-way handshake to set up a TCP/IP connection over an Internet Protocol (IP) network before any data is exchanged. I won't go into the details of the three-way handshake and how it works for now. Let's get back to the story…
Now, while the flooding is still taking place, go back to your browser, clear your cache (required most of the time), and enter the router IP followed by the page you want, for example ip/reboot.htm or ip/menu.htm. It may take some trial and error, depending on how well the router resists the attack, but as time passes it will finally serve the page we want.
Conclusion: the eCos Embedded Web Server used by multiple routers, while being sent SYN flood or FIN flood packets, fails to validate and handle the packets and stops asking for any form of authentication, resulting in an authentication bypass.
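From the defender's side, the traffic pattern described above (bursts of bare SYN or FIN segments aimed at the router's web UI) is easy to spot in firewall or IDS logs. The following is an added example, not code from the original post: a small detector that flags any source whose bare SYN/FIN count toward the admin port passes a threshold inside a sliding time window. The log line format, the addresses, the port and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

ADMIN_PORT = 80      # assumed port of the router's web UI
WINDOW_SECONDS = 5   # sliding-window length in seconds (assumption)
THRESHOLD = 50       # bare SYN/FIN segments per window treated as a flood (assumption)

# Constructed sample log, format '<iso-timestamp> <src> <dst> <dport> <tcp-flags>':
# 10.0.0.9 sends 60 bare SYNs in 3 s, 10.0.0.7 sends 55 bare FINs in 3 s, and
# 10.0.0.5 completes one normal handshake and closes cleanly.
SAMPLE_LOG = (
    [f"2024-01-01T12:00:{i // 20:02d}.{(i % 20) * 50:03d} 10.0.0.9 192.168.1.1 80 S"
     for i in range(60)]
    + [f"2024-01-01T12:00:{i // 20:02d}.{(i % 20) * 50:03d} 10.0.0.7 192.168.1.1 80 F"
       for i in range(55)]
    + ["2024-01-01T12:00:01.000 10.0.0.5 192.168.1.1 80 S",
       "2024-01-01T12:00:01.020 10.0.0.5 192.168.1.1 80 A",
       "2024-01-01T12:00:01.030 10.0.0.5 192.168.1.1 80 PA",
       "2024-01-01T12:00:01.500 10.0.0.5 192.168.1.1 80 FA"]
)

def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags

def is_bare_syn_or_fin(flags):
    # SYN or FIN without ACK: one per connection is normal (handshake start),
    # hundreds per second from a single host is the flood pattern.
    return ("S" in flags or "F" in flags) and "A" not in flags

def flood_sources(lines, port=ADMIN_PORT, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: peak_count} for sources whose bare SYN/FIN count to `port`
    reached `threshold` inside any `window`-second span."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, dport, flags = parse_line(line)
        if dport == port and is_bare_syn_or_fin(flags):
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Calling `flood_sources(SAMPLE_LOG)` reports the two flooding hosts with their peak counts and ignores the host that simply logged in; in practice the parser is the part to adapt to your own log export.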
|Shodan Search Result|
What could go wrong?
An attacker can take full advantage of this bug and take over the device remotely or locally.
At the time of writing, SHODAN reported 11,887 'eCos Embedded Web Servers', but the number of Internet users with Totolink, Greatek and other routers not shown by Shodan is likely higher than the result suggests. Totolink and Greatek routers were tested and found vulnerable.
Changing the DNS settings, altering the IP route, changing passwords, flashing rogue firmware, or more zombie devices joining the Mirai bot army could all be outcomes of such a vulnerability.
As always, updating the device to the latest firmware version is highly recommended where one is available. If you find more information related to this bug, feel free to share or exchange ideas.