TOTOLINK Wi-Fi 6 Router Series Insecure Default Password Vulnerability in X2000R-Gh-V2.0.0

Vulnerability

A vulnerability exists in TOTOLINK Wi-Fi 6 routers, specifically in the X2000R-Gh-V2.0.0 version, due to an insecure default password for the root user. The root password is '123456'; its MD5-crypt hash is stored in the world-readable file '/etc/shadow.sample' and can be recovered quickly with a password-cracking tool such as John the Ripper. This weakness allows remote attackers to gain unauthorized root access through network-accessible services or the administrative interface.

Impact

Exploitation of this vulnerability allows attackers to log in as the root user, accessing the device's administrative controls and sensitive configuration data. This could lead to unauthorized modifications of device settings or execution of arbitrary code, potentially facilitating further network breaches.

Reproduction

To reproduce this vulnerability, extract the device's firmware image and locate the '/etc/shadow.sample' file in the extracted squashfs-root directory. The MD5-crypt hash of the root password can be cracked using a password-cracking tool, revealing the default password '123456'. With this password, log in to the device's administrative interface or other network-accessible services.
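As an added audit check (not part of the original advisory), the following Python implements MD5-crypt in pure Python and uses it to flag a shadow-style file that is world-readable and whose root entry verifies against the vendor default named above; the sample entry and its salt are constructed, not taken from the device.

```python
import hashlib, stat

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Pure-Python MD5-crypt ($1$), the scheme used in the router's shadow.sample."""
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # fold in the alternate digest, len(pw) bytes
        ctx.update(alt[:min(16, n)]); n -= 16
    n = len(password)
    while n:                          # per-bit step from the original C code
        ctx.update(b"\x00" if n & 1 else password[:1]); n >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000-round stretching loop
        h = hashlib.md5(password if i & 1 else final)
        if i % 3: h.update(salt)
        if i % 7: h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    parts = [(final[a] << 16 | final[b] << 8 | final[c], 4)
             for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for v, width in parts + [(final[11], 2)]:   # custom base64, 6 bits at a time
        for _ in range(width):
            out += ITOA64[v & 0x3F]; v >>= 6
    return f"$1${salt.decode()}${out}"

def audit_shadow(shadow_text: str, mode: int, defaults=("123456",)) -> dict:
    """Flag a world-readable shadow-style file and any $1$ entry matching a known default."""
    result = {"world_readable": bool(mode & stat.S_IROTH),
              "default_password_accounts": []}
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        h = rest.split(":", 1)[0]
        if h.startswith("$1$"):       # only MD5-crypt entries are verified here
            salt = h.split("$")[2]
            result["default_password_accounts"] += [
                (user, p) for p in defaults if md5_crypt(p.encode(), salt.encode()) == h]
    return result

def demo() -> dict:
    """Constructed sample entry; the salt is made up, not taken from the device."""
    sample = "root:" + md5_crypt(b"123456", b"abcdefgh") + ":0:0:99999:7:::\n"
    return audit_shadow(sample, 0o100644)   # world-readable mode, as the advisory describes
```

Run `audit_shadow` over the `/etc/shadow.sample` extracted from a firmware image (passing its `st_mode`) to confirm whether a build still ships the default root credential.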

Added: Sep 12, 2025, 4:17 PM
Updated: Sep 12, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.