Tenda RX2 Pro Telnet Password Vulnerability

Vulnerability

A vulnerability in the Tenda RX2 Pro router, specifically in version 16.03.30.14, allows an unauthenticated attacker to gain access to the telnet service by calculating the root password from easily accessible device information. The password generation relies on the last two digits of the MAC address. This flaw arises from the use of weak credentials, enabling unauthorized authentication to the device's operating system via telnet.

Impact

Exploitation of this vulnerability provides unauthorized root access to the device through the telnet service.

Reproduction

The vulnerability can be reproduced by sending a request to the router's web management portal to enable telnet access. This can be done without authentication, using the '/goform/telnet' endpoint, which is not documented or available to users. Once telnet is enabled, the root password can be calculated based on the last two digits of the MAC address, allowing access to the device's operating system as the root user.
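For detection, the sequence described above (a request to '/goform/telnet' followed by a telnet connection to the router) can be searched for in network logs. The following is an added example, not part of the original advisory or any vendor tooling; the log format, addresses and 10-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical "timestamp src dst dport detail"
# format, as a LAN proxy or flow collector might export. Not real traffic.
SAMPLE_LOG = """\
2025-09-01T19:00:02 192.168.0.23 192.168.0.1 80 GET /index.html
2025-09-01T19:00:40 192.168.0.57 192.168.0.1 80 GET /goform/telnet
2025-09-01T19:01:05 192.168.0.57 192.168.0.1 23 TCP-SYN
2025-09-01T19:30:00 192.168.0.23 192.168.0.1 23 TCP-SYN
2025-09-01T19:45:10 192.168.0.88 192.168.0.1 80 POST /goform/telnet?x=1
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_alerts(log_text, window=WINDOW):
    """Return (severity, src, router, timestamp) tuples.

    medium: any HTTP request to /goform/telnet. The advisory does not state
            the method, so every method and query string is matched.
    high:   a TCP/23 connection to a router within `window` after such a
            request was seen for that router, from any source.
    """
    alerts = []
    last_enable = {}  # router address -> time of last /goform/telnet request
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, dst, dport, detail = m.groups()
        when = datetime.fromisoformat(ts)
        parts = detail.split()
        # HTTP records carry "METHOD PATH"; strip any query string from PATH.
        path = parts[1].split("?", 1)[0] if len(parts) == 2 else ""
        if path.rstrip("/").lower() == "/goform/telnet":
            last_enable[dst] = when
            alerts.append(("medium", src, dst, ts))
        elif dport == "23":
            seen = last_enable.get(dst)
            if seen is not None and timedelta(0) <= when - seen <= window:
                alerts.append(("high", src, dst, ts))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Because the endpoint is not documented or available to users, any hit on the path is worth reviewing even without a following telnet connection.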

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.