Tenda CP3 Pro Hardcoded Root Password Vulnerability

Vulnerability

Tenda CP3 Pro IP Camera firmware version 22.5.4.93 stores hardcoded root password hashes in the world-readable files `/etc/passwd` and `/etc/passwd-`. Because the firmware has no shadow file, an attacker can read these hashes and attack them offline, potentially leading to unauthorized administrative access.

Impact

An attacker who cracks the root password hash can escalate privileges and gain unauthorized administrative access, potentially allowing a full takeover of the device.

Reproduction

The vulnerability can be reproduced by downloading the firmware version 22.5.4.93 from the Tenda website or extracting it from a Tenda CP3 Pro device. After obtaining the firmware, it can be analyzed offline to retrieve the hardcoded root password hashes from the `/etc/passwd` and `/etc/passwd-` files. Once the hashes are extracted, they can be cracked to obtain the plaintext password, which could then be used to gain administrative access to the device.

Remediation

Users are advised to change default passwords immediately and disable unused remote services such as Telnet or SSH. Tenda should avoid embedding unsalted password hashes in production firmware.
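A firmware build pipeline or auditor can catch this class of issue before release by checking an unpacked root filesystem for password hashes embedded in `passwd` files. The following is an added example, not code from this advisory or from Tenda; the function names are hypothetical, and the sample tree and its hash strings are constructed placeholders that do not reflect the actual firmware contents.

```python
import os
import tempfile

PASSWD_FILES = ("etc/passwd", "etc/passwd-")
NO_HASH = {"", "x", "*"}  # placeholders that embed no hash in the field
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def classify(field):
    """Name the hash scheme of a password field without echoing the hash."""
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, "crypt id " + ident)
    return "descrypt" if len(field) == 13 else "unknown"

def audit_rootfs(root):
    """Return one finding per account whose passwd entry embeds a hash."""
    shadow = os.path.isfile(os.path.join(root, "etc/shadow"))
    findings = []
    for rel in PASSWD_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        # Unpacking tools may not preserve file modes; treat this as a hint.
        readable = bool(os.stat(path).st_mode & 0o004)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                cols = line.rstrip("\n").split(":")
                if len(cols) < 7:
                    continue
                field = cols[1].lstrip("!")  # "!" only locks; a hash may follow
                if field in NO_HASH:
                    continue
                findings.append({"file": rel, "user": cols[0], "uid0": cols[2] == "0",
                                 "scheme": classify(field), "world_readable": readable,
                                 "shadow_present": shadow})
    return findings

def build_sample_rootfs():
    """Constructed sample tree; the hash strings are fake placeholders."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "etc"))
    samples = {"etc/passwd": "root:$1$SALTSALT$FAKEFAKEFAKEFAKEFAKEFA:0:0:root:/root:/bin/sh\n"
                             "nobody:x:99:99:nobody:/:/bin/false\n",
               "etc/passwd-": "root:FAKEFAKEFAKE0:0:0:root:/root:/bin/sh\n"}
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, 0o644)
    return root

if __name__ == "__main__":
    for finding in audit_rootfs(build_sample_rootfs()):
        print(finding)
```

Any finding with `uid0` true and `shadow_present` false should fail the build; the backup file `/etc/passwd-` is checked separately because it can retain a hash after the primary file is cleaned.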

Added: Jul 14, 2025, 6:23 PM
Updated: Jul 14, 2025, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.