Tenda RX2 Pro Improper Access Control Vulnerability Allowing Unauthenticated Activation of Remote Management Feature

A vulnerability in the Tenda RX2 Pro router, specifically in the web management portal version 16.03.30.14, allows an unauthenticated remote attacker to enable 'ate', a remote system management binary. This is achieved by sending a web request to the '/goform/ate' endpoint, which is not documented or accessible through the user interface. The 'ate' service, once activated, listens on port 7329/udp and can be exploited to execute commands on the device.

Impact

Enabling the 'ate' service without authentication could lead to unauthorized access and control over the router's management functions, potentially allowing for further exploitation, such as gaining root access to the device.

Reproduction

The vulnerability can be reproduced by sending a web request to the '/goform/ate' endpoint on a Tenda RX2 Pro router running firmware version 16.03.30.14. This can be done using a tool like curl, without the need for authentication or any additional credentials.