Tenda RX2 Pro Lack of Authentication in ate Management Binary Vulnerability

A vulnerability exists in the Tenda RX2 Pro router running version 16.03.30.14, due to inadequate access controls in the 'ate' management binary. This flaw allows an unauthenticated remote attacker to make unauthorized configuration changes on any router where 'ate' is enabled, by sending a specially crafted UDP packet. The 'ate' service, once activated, listens for commands on port 7329/udp without requiring authentication, enabling attackers to manipulate router settings or execute commands that could lead to further exploitation.

Impact

Exploitation of this vulnerability could result in unauthorized configuration changes on the affected router, potentially leading to unauthorized access or control over the device.

Reproduction

The vulnerability can be reproduced by first enabling the 'ate' service on the Tenda RX2 Pro router through an unauthenticated HTTP request to the '/goform/ate' endpoint. Once 'ate' is active, send a crafted UDP packet to port 7329/udp on the router. The packet can be designed to exploit the lack of authentication and command injection vulnerabilities in the 'ate' service, allowing for unauthorized configuration changes or execution of commands on the router.