Tenda W308R V2 Cookie Session Weakness Remote DNS Change Vulnerability

A cookie session weakness vulnerability has been identified in the Tenda W308R V2 wireless router, specifically in version 5.07.48. This vulnerability allows unauthenticated attackers to modify DNS settings by exploiting inadequate session validation. Attackers can send GET requests to the 'goform/AdvSetDns' endpoint, using a crafted 'admin:language' cookie to change DNS servers. This manipulation can redirect user traffic to malicious sites.

Impact

Exploitation of this vulnerability allows for unauthorized modification of DNS settings, causing affected systems to use foreign DNS servers typically controlled by cybercriminals. This can lead to redirection to malicious websites, replacement of ads on legitimate sites, interference with important OS and software updates, and increased susceptibility to malware infections.

Reproduction

To reproduce this vulnerability, send a GET request to the 'goform/AdvSetDns' endpoint. Include a crafted 'admin:language' cookie in the request header. The request should specify the desired DNS servers to be set. Once the DNS settings are changed, the system will use the specified foreign DNS servers, potentially redirecting traffic to malicious sites.