Tenda AC6 V5.0 Firmware Signature Validation Vulnerability Allowing Arbitrary Code Execution

A vulnerability has been identified in the firmware signature validation process of the Tenda AC6 V5.0 router, specifically in version V02.03.01.110. This vulnerability allows for arbitrary code execution by exploiting the firmware update mechanism. An attacker can upload a specially crafted malicious file that bypasses integrity checks, leading to unauthorized code execution on the device.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with the executed code persisting across reboots.

Reproduction

To reproduce this vulnerability, log into the Tenda AC6 V5.0 router's web portal. Navigate to the 'Administration' tab, where firmware updates can be uploaded either from a local file or via an online upgrade. Prepare a firmware file that includes the correct magic bytes, file size, and a crafted CRC that matches the device's CRC generation process. Once the file is uploaded, the router will execute the arbitrary code embedded in the firmware.