Tenda AC6 Authentication Bypass Vulnerability Leading to Arbitrary Code Execution

A vulnerability allowing authentication bypass has been identified in the Tenda AC6 router, specifically in version 5.0 V02.03.01.110. This vulnerability arises in the HTTP authentication process, where a specially crafted HTTP request can bypass authentication checks and lead to arbitrary code execution. The issue can be exploited by sending packets that manipulate the HTTP request headers, particularly by omitting or altering the 'Host' header, which can trick the router into bypassing authentication and granting unauthorized access to administrative functions.

Impact

Exploitation of this vulnerability allows for unauthenticated administrative access, enabling an attacker to execute arbitrary code on the device.

Reproduction

To reproduce this vulnerability, send an HTTP request to the router's web interface on port 80. Include an empty 'Host' header to overwrite the default value with NULL. This manipulation will bypass the authentication checks, as the router's authentication function will not detect a valid host. Once authenticated, access the '/goform' endpoint, which can trigger the execution of arbitrary code on the device.