@AsherDLL
Last active December 14, 2022 01:58
Vulnerabilities found on Arcadyan Routers - Asher Davila L.

Both vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. They are probably present in other Arcadyan models as well, because those models have similar web interfaces and share common features. The two vulnerabilities found are the following:

In combination, these vulnerabilities pose a significant risk: malicious users on the network can sniff the wireless modem's user credentials, then use the sniffed credentials to log in to the web interface and inject persistent malicious scripts into it. It is recommended that users contact their ISPs to request a router that uses secure protocols such as HTTPS instead of HTTP.

According to Shodan, at least 19,887 Arcadyan devices are exposed to the internet, in countries such as Japan, China, the United States, Germany and the United Kingdom.

Figure 1. Shodan search
Figure 2. Countries where Arcadyan routers are present according to Shodan

Additionally, some of the largest ISPs (Internet Service Providers) in Latin America and Europe provide this device to their customers as the default modem. For example, this router is distributed by Telmex, the largest ISP in Mexico.

Disclosure Timeline

  • November 11, 2019 - contacted the US CERT to report the vulnerability.
  • February 25, 2020 - contacted a partner that is a vendor of the product. The vendor provided a contact to report the vulnerability.
  • February 25, 2020 - communicated the vulnerabilities to the manufacturer.

Conclusion

In summary, the Arcadyan wireless modem has two vulnerabilities that can be used together to compromise the device and inject malicious code. The first is the use of an insecure protocol—HTTP instead of HTTPS—which allows attackers to capture credentials. The second vulnerability is the lack of input validation, which allows attackers to inject malicious code.
