Grant found the issue, which has been present for at least 12 years, in Buffalo routers, specifically the Arcadyan-based web interface software.
Bug hunting
In a blog post, the researcher explained that one of the first things he looks at while analyzing any web application or interface is how it handles authentication.
Grant found that the bypass_check() function was only checking as many bytes as are in each of the bypass_list strings.
Grant wrote: “This means that if a user is trying to reach http://router/images/someimage.png, the comparison will match since /images/ is in the bypass list, and the URL we are trying to reach begins with /images/.
“The bypass_check() function doesn’t care about strings which come after, such as ‘someimage.png’.
“So what if we try to reach /images/../<somepagehere>? For example, let’s try /images/..%2finfo.html. The /info.html URL normally contains all of the nice LAN/WAN info when we first log in to the device, but returns any unauthenticated users to the login screen.”
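The comparison described above, as an added C example that is not the firmware's or the researcher's code: `bypass_check_prefix` reproduces the prefix-only match, and `bypass_check_strict` is one hypothetical hardening that decodes the path before deciding. The single-entry list, the buffer size and the name `bypass_check_strict` are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list: the page only confirms that /images/ is an entry. */
static const char *bypass_list[] = { "/images/", NULL };

/* Prefix-only match as described: only strlen(entry) bytes are compared. */
int bypass_check_prefix(const char *url) {
    for (int i = 0; bypass_list[i]; i++)
        if (strncmp(url, bypass_list[i], strlen(bypass_list[i])) == 0)
            return 1;   /* treated as not needing authentication */
    return 0;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical hardened check: percent-decode once, refuse anything odd, then match. */
int bypass_check_strict(const char *url) {
    char path[256];
    size_t n = 0;
    for (const char *p = url; *p && *p != '?'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 0;          /* malformed escape */
            c = hi * 16 + lo;
            p += 2;
        }
        /* NUL, backslash, a decoded '%' (double encoding) or overflow: not exempt. */
        if (c == 0 || c == '\\' || c == '%' || n + 1 >= sizeof path) return 0;
        path[n++] = (char)c;
    }
    path[n] = '\0';
    if (strstr(path, "..")) return 0;      /* conservative: no ".." anywhere */
    return bypass_check_prefix(path);
}

int main(void) {
    const char *u = "/images/..%2finfo.html";   /* URL quoted in the post */
    printf("prefix=%d strict=%d\n", bypass_check_prefix(u), bypass_check_strict(u));
    return 0;
}
```

Exempting a request only after decoding and rejecting `..` means the exemption decision and the file lookup see the same path; anything the strict check refuses simply goes through normal authentication.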