Rooting Xiaomi WiFi Routers

Author: Julien R. (SoEasY) and Marin Duroyon
Published: September 25, 2023
Source: https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/

Summary

Researchers at Thalium documented a chain of remote code execution
vulnerabilities affecting Xiaomi Wi-Fi routers built on a shared, OpenWrt-derived
codebase, with the MI AIoT Router AC2350 as their primary target. The work
spans three attack surfaces — LAN post-authentication, LAN pre-authentication,
and WAN — and results in root-level code execution on the device. Four new CVEs
were assigned (CVE-2023-26317, -26318, -26319, -26320), and two previously
reported issues (CVE-2020-14100 and CVE-2020-14124) were rediscovered, with the
researchers reporting that some bugs persisted in firmware despite earlier
fixes. The article is a defensive security-research writeup; Xiaomi runs a
HackerOne bug-bounty program and issued advisories for the new findings.

Technical Details

The vulnerabilities stem from classic memory-safety and input-handling
failures in the router’s web/management stack. Several command-injection issues
arise from passing user-controlled parameters into shell command strings and
system() calls without sufficient sanitization, where escaping
attempts proved incomplete. Stack buffer overflows result from unsafe use of
functions such as sprintf and strcpy without bounds
checking. The researchers also describe an uninitialized pointer dereference in
cryptographic handling (referencing libmbedtls pk_free behavior).
The findings map across surfaces as follows, per the article:

  • CVE-2023-26317 — WAN command injection.
  • CVE-2023-26320 — WAN stack buffer overflow.
  • CVE-2023-26318 — LAN post-auth stack buffer overflow.
  • CVE-2023-26319 — LAN post-auth command injection.
  • CVE-2020-14100 — LAN post-auth command injection (rediscovered).
  • CVE-2020-14124 — LAN pre-auth stack buffer overflow (rediscovered).

The LAN post-auth issues require admin credentials against the web interface;
the LAN pre-auth path is reachable by any Wi-Fi-connected device against
unauthenticated endpoints. The WAN path is described as relying on intercepting
and modifying the router’s unencrypted HTTP traffic via a man-in-the-middle
position rather than direct internet exposure. The article does not present these
as a turnkey remote-internet exploit, and specific low-level exploitation details
beyond the categories above should be read from the original writeup.
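The two bug classes described above, command injection through shell command strings and stack overflows from unbounded copies, have well-known hardened counterparts. The following is an added defensive illustration, not code from the Thalium writeup or from the Xiaomi firmware: a strict character allowlist replaces escaping, a checked snprintf replaces sprintf/strcpy, and the helper is started through execvp with an argv array so the parameter is never parsed as shell syntax. The helper program name, the 64-byte buffer and the allowlist are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist for a hostname-like parameter: letters, digits, '.' and '-'.
 * Rejecting anything else avoids the incomplete-escaping problem entirely,
 * because no shell metacharacter can ever reach a command line. */
int param_is_safe(const char *s, size_t max_len) {
    size_t n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Bounded copy into a fixed-size stack buffer. Returns 0 on success and -1
 * if the value would be truncated, instead of overflowing as strcpy would. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    int written = snprintf(dst, dst_size, "%s", src);
    if (written < 0 || (size_t)written >= dst_size) { dst[0] = '\0'; return -1; }
    return 0;
}

/* Run a helper without a shell: argv goes straight to execvp, so the
 * parameter is an argument, never command text. Returns the helper's exit
 * status, or -1 if the parameter is rejected or the process cannot be run. */
int run_without_shell(const char *prog, const char *arg) {
    char buf[64];                       /* assumed size; checked, never overflowed */
    if (!param_is_safe(arg, sizeof buf - 1) || copy_bounded(buf, sizeof buf, arg) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)prog, buf, NULL};
        execvp(prog, argv);
        _exit(127);                     /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```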

Impact

Successful exploitation yields root code execution on the affected router,
i.e., full device compromise: traffic interception, manipulation of network
access, persistence, and a foothold on the local network. Affected devices are
Xiaomi router models sharing the common codebase, with the MI AIoT Router
AC2350 explicitly tested (Global firmware 3.0.36, China firmware 1.3.8). The
researchers report that not all issues were reliably fixed across the firmware
versions they examined, so the precise set of still-vulnerable builds depends on
the deployed firmware.

Mitigation

Xiaomi assigned CVEs and published advisories for the new findings and
indicated fixes in firmware updates around August 2023; however, the researchers
noted some vulnerabilities persisted in tested versions, so applying the latest
available firmware is necessary but may not be sufficient on its own. Defensive
recommendations: update to the newest vendor firmware; never expose the router’s
management interface to the WAN/internet; segment and restrict trusted Wi-Fi
access given the pre-auth LAN surface; and, where feasible, consider
OpenWrt-based firmware on supported hardware. Owners should verify their specific
model and firmware against Xiaomi’s advisories rather than assuming a patch
covers every issue.
