Italy Wireless Mini Router WIRELESS-N 300M Default Credentials Allow Telnet Debug Access and Hardware Manipulation

A vulnerability exists in the Italy Wireless Mini Router WIRELESS-N 300M, specifically in firmware version v28K.MiniRouter.20190211, due to default credentials that allow unauthorized access to a debug shell via Telnet on port 23. Once authenticated, attackers can execute low-level commands that manipulate the device's flash memory and hardware registers, potentially leading to arbitrary firmware corruption, bricking the device, and disrupting its functionality or security settings.

Impact

Exploitation of this vulnerability provides unauthorized access to the device's debug shell, where low-level commands can be executed. This access could be used to read from or write to the device's flash memory, manipulate hardware registers, corrupt the device's firmware, brick the device, and disrupt its security configuration.

Reproduction

The vulnerability can be reproduced by scanning the device for open Telnet ports, connecting to the Telnet service using the default admin credentials, and then accessing the debug prompt. From there, the 'spi' command can be used to read flash memory, confirming low-level access. Observations indicate that changing the admin password via the web interface also alters the Telnet credentials, suggesting they are shared. Notably, Telnet is enabled by default after the initial setup.