That original research only looked at one Wavlink router. This is the extended research with the help of two other researchers. And of course the attempted exploit from a malicious IP address, which was detected only recently.
Hey, author of the article that's now linked at the top of this page, nice to meet you. You wrote a fine article. You should be proud of it. I was wrong about which article should have replaced the blogspam link that originally graced HN, and your sibling comment to this one ("Hi there, ...") did a great job of explaining why with patience and politeness. The mods clearly agreed and made the right call.
This comment I'm replying to, though... you don't need to do this. If it had been the only reply you posted, I would have come away from our exchange with a very different opinion of you, and that would've been a bit unfair. Just something to think about for the future.
It looks like the issue is the admin password gets exposed to everyone on the local network and there's an interface for running commands on the router as root from the local network?
There's no mention of whether this is vulnerable to XSS, which is the more interesting issue.
Not to knock the researcher's work too much, but what he did was what people installing OpenWRT on devices have been doing for 15 years, and what he found is pretty typical. Except for the password in JS. That was just weird.
You don't need XSS, that's not interesting at all. You can get the admin password from an insecure page, and then there's also a page to run commands as root.
He doesn't demonstrate an attack over the internet in this article, but this makes me think he did investigate it from a remote attacker perspective vs. local network:
>So what does that get us from the perspective of a remote attacker? We have the ability to get the current admin credentials, and we can get a shell if the telnet binary is started. However, most remote attackers won't be able to solder on any wires, so I wasn't going to stop there.
>Going through the rest of the pages in the www directory, there is another web page that provides this interface:
So you don't need telnet, but the creds being on the page + knowledge of the system command page would be enough to do whatever you wanted.
Also see this follow-up research page on the same devices:
> Right, but you have to be on the local network to do that
But who is "you" here? Are you assuming the attacker needs to be physically present on your network? Can any malicious script running in the victim's browser make an XHR request to "192.168.0.1/page-which-exposes-password"?
> a remote attacker can achieve RCE via a POST request to adm.cgi. There are several conditions required, including proper parameters and an active session. However, these conditions can all be met without any initial authentication required thanks to several specific exposed “live_(string).shtml” endpoints – so an attacker with the right background information about the device could achieve RCE fairly easily.
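A defender's-eye illustration of the two points raised above (a script in a victim's browser sending requests to the router's LAN address, and `live_(string).shtml` endpoints reachable without authentication): this is an added example, not code from the Wavlink firmware or from the linked research. It sketches a default-deny request filter that a hypothetical router web UI would call before serving any page. `ROUTER_HOSTS`, `PUBLIC_PATHS`, `SESSIONS`, the `sid` cookie name and the sample paths (`/live_status.shtml`, `/adm.cgi`) are constructed for the example.

```python
"""Default-deny request filter for a hypothetical embedded router web UI (example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed values for the example; real firmware would load these from its config.
ROUTER_HOSTS = {"192.168.0.1", "router.local"}
# Explicit allowlist: the ONLY paths reachable without a session.
# Anything else (including any live_*.shtml page) needs a login.
PUBLIC_PATHS = {"/login.shtml", "/static/style.css"}
# Constructed session store: cookie value -> user name.
SESSIONS: Dict[str, str] = {"s3ss10n-abc": "admin"}
# State-changing methods must additionally prove they came from the router's own pages.
UNSAFE_METHODS = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def _hostname(value: str) -> str:
    """Reduce 'host:port' or a full URL (Origin/Referer) to its bare hostname."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split(":", 1)[0].lower()


def host_is_router(req: Request) -> bool:
    """Reject requests whose Host header is not one of the router's own names.

    A page that resolves its own domain to the router's LAN IP (DNS rebinding)
    arrives with an attacker-controlled Host header and is turned away here."""
    host = req.header("Host")
    return host is not None and _hostname(host) in ROUTER_HOSTS


def origin_is_router(req: Request) -> bool:
    """Same-origin check for state-changing requests via Origin (fallback: Referer).

    A browser attaches these headers itself; a cross-site XHR from another
    origin cannot forge them, so an absent or foreign value means 'not ours'."""
    src = req.header("Origin") or req.header("Referer")
    return src is not None and _hostname(src) in ROUTER_HOSTS


def session_user(req: Request) -> Optional[str]:
    """Map the session cookie to a logged-in user, or None."""
    return SESSIONS.get(req.cookies.get("sid", ""))


def authorize(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason). Only (200, 'ok') means the page may be served."""
    if not host_is_router(req):
        return 421, "misdirected request: unexpected Host header"
    if req.path in PUBLIC_PATHS:
        return 200, "ok"
    if session_user(req) is None:
        return 401, "login required"
    if req.method.upper() in UNSAFE_METHODS and not origin_is_router(req):
        return 403, "cross-site request rejected"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests showing each decision path.
    samples = [
        Request("GET", "/login.shtml", {"Host": "192.168.0.1"}),
        Request("GET", "/live_status.shtml", {"Host": "192.168.0.1"}),
        Request("POST", "/adm.cgi", {"Host": "192.168.0.1", "Origin": "http://evil.example"},
                {"sid": "s3ss10n-abc"}),
        Request("POST", "/adm.cgi", {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
                {"sid": "s3ss10n-abc"}),
        Request("GET", "/index.shtml", {"Host": "attacker.example"}, {"sid": "s3ss10n-abc"}),
    ]
    for sample in samples:
        print(sample.method, sample.path, "->", authorize(sample))
```

Two things the filter deliberately relies on the rest of the server for: the session cookie should be issued with `SameSite=Lax` or `Strict` so the browser does not attach it to cross-site requests in the first place, and the server must not answer with a permissive `Access-Control-Allow-Origin`, otherwise a cross-site XHR could read a GET response that embeds credentials. The filter does nothing about the separate problem of a page that prints the admin password into its HTML; the fix there is simply not to emit it.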
I played with OpenWRT a lot when the WRT54G was new-ish. Apparently the WRT54G-L is still being sold new from Amazon, but considering I have a 14-year-old one running DD-WRT, still going strong, I'm not surprised.
Anyway, back then, a lot of these devices had really bad security. Some were so bad that you could do an XSS attack that gains root access to someone's router. Someone could definitely have intentionally added a backdoor, but I agree that it's pretty likely that developers working on a router with the goal of being cheap were lazy, rushed, or just didn't care, and left a development backdoor open, allowed admin access on LAN and WAN, or something else.
There is more info in this article[1]. They say that this is separate from the admin page. It is basically a root shell on a web page exposed to the network.
I'd appreciate it if the same kindness was shown to the Chinese router manufacturers. Sadly, when the manufacturer is Chinese, default credentials are suddenly a "secure CCP backdoor".
"The Jetstream and Wavlink routers showcase a simple GUI (or user-friendly interface) for its backdoors that is different from the interface presented to router admins."
The article seems to imply this is a malicious tool, but it seems more likely to me that this is just another poorly designed router instead.