Tenda RX2 Pro Improper Access Control Vulnerability Allowing Unauthenticated Telnet Access

A vulnerability in the Tenda RX2 Pro router's web management portal, specifically in version 16.03.30.14, allows an unauthenticated remote attacker to enable telnet access to the router's operating system. This is achieved by sending a web request to the '/goform/telnet' endpoint, which is accessible without authentication. Once telnet is enabled, the attacker can log in as root using a password that is easily calculated from the device's MAC address.

Impact

Exploitation of this vulnerability provides unauthenticated remote access to the router's operating system via telnet, with root privileges.

Reproduction

To reproduce this vulnerability, send a web request to the '/goform/telnet' endpoint on the Tenda RX2 Pro router running firmware version 16.03.30.14. This endpoint is not documented or available through the user interface, but can be accessed without authentication. Once telnet is enabled, the root password can be calculated based on the last two digits of the MAC address, allowing access to the device's command line interface.