Mercku M6a Telnet Access Vulnerability via CSRF
Vulnerability
A vulnerability in Mercku M6a routers running firmware versions up to and including 2.1.0 allows unauthorized telnet access. The password change feature of the web interface is not protected against Cross-Site Request Forgery (CSRF): a request that sets a new admin password is accepted on the strength of the browser's session cookie alone, so an attacker who gets an authenticated administrator to load a malicious page can reset the password and obtain administrative access. With that access, a hidden telnet server on the device can be activated, and logging in to it yields a root shell.
Impact
Exploitation gives an attacker unauthorized administrative access to the web interface, the ability to activate the hidden telnet server, and root privileges on the device, i.e. full control of the router.
Reproduction
To reproduce, host a page that submits a forged password-change request to the router's web interface with an attacker-chosen new password; when an authenticated administrator loads that page, the browser attaches the admin session and the password is reset. With administrative access, send a request to the endpoint that enables the hidden telnet server. Once telnet is enabled, connect to the device and authenticate with the admin password; the resulting shell runs as root.
Remediation
The fixes are on the vendor side: add proper CSRF protection (per-session anti-CSRF tokens and Origin/Referer checks) to state-changing requests such as the password change, remove or secure hidden endpoints such as the telnet toggle, generate session identifiers from a cryptographically secure random source, enforce session expiration, and comply with the GPL requirements that apply to the OpenWrt-based firmware modifications. Until fixed firmware is available, owners can reduce exposure by not browsing untrusted sites while logged in to the admin interface and by logging out when done.
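The reproduction and remediation sections above describe the same handler from two sides. The following is an added example, not code from the Mercku M6a firmware or from the advisory: a toy model of the admin password-change handler in the unprotected shape described above (any request that carries a valid session cookie is honoured, sessions never expire), beside a hardened version that applies the listed remediation items (anti-CSRF token bound to the session, Origin/Referer check, cryptographically random session IDs, session expiry). The form field names, the LAN origin `http://192.168.1.1`, the status codes and the 600-second TTL are assumptions for illustration; the same checks would apply to the endpoint that enables telnet.

```python
"""Added example, not Mercku's code: a toy password-change handler in the
vulnerable shape the advisory describes, beside a hardened version that applies
the remediation items.  Field names, LAN origin and TTL are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

SESSION_TTL = 600  # seconds; assumed value, not from the advisory


@dataclass
class Session:
    csrf_token: str
    expires_at: float


class Router:
    """Server side of the admin UI, reduced to what the CSRF bug needs."""

    def __init__(self, admin_password="admin", origin="http://192.168.1.1",
                 clock=time.time):
        self.admin_password = admin_password
        # Origin is kept as (scheme, host[:port]) and compared exactly,
        # never by string prefix (which would let 192.168.1.10 through).
        parts = urlsplit(origin)
        self.origin = (parts.scheme, parts.netloc)
        self.sessions = {}
        self.clock = clock  # injectable so expiry can be exercised offline

    def login(self, password):
        """Returns a session id (the cookie value) or None on bad password."""
        if not hmac.compare_digest(password.encode(), self.admin_password.encode()):
            return None
        # secrets.token_urlsafe is CSPRNG-backed; a counter- or time-derived
        # id would be guessable, which is one of the listed weaknesses.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(
            csrf_token=secrets.token_urlsafe(32),
            expires_at=self.clock() + SESSION_TTL,
        )
        return sid

    def _live_session(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() > s.expires_at:
            del self.sessions[sid]  # expired sessions are dropped, not revived
            return None
        return s

    # ---- vulnerable shape: the bug class the advisory describes ----
    def change_password_vulnerable(self, cookie_sid, form):
        """Any request with a known cookie is honoured.  The browser attaches
        the cookie to a form auto-submitted from the attacker's page, so the
        attacker picks the new admin password.  No expiry is enforced either."""
        if cookie_sid not in self.sessions:
            return 401
        self.admin_password = form["new_password"]
        return 200

    # ---- hardened shape: remediation applied ----
    def change_password_hardened(self, cookie_sid, headers, form):
        s = self._live_session(cookie_sid)
        if s is None:
            return 401
        # 1. Origin (or Referer) must be the router's own UI; a form posted
        #    from evil.example arrives with that site's origin.
        src = headers.get("Origin") or headers.get("Referer", "")
        parts = urlsplit(src)
        if (parts.scheme, parts.netloc) != self.origin:
            return 403
        # 2. Per-session token that the attacker's page cannot read across
        #    origins, compared in constant time.
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), s.csrf_token.encode()):
            return 403
        self.admin_password = form["new_password"]
        return 200


if __name__ == "__main__":
    r = Router()
    sid = r.login("admin")
    # Constructed cross-site request: attacker origin, no token, cookie replayed by the browser
    print("vulnerable:", r.change_password_vulnerable(sid, {"new_password": "pwned"}))
    print("hardened:", r.change_password_hardened(
        sid, {"Origin": "http://evil.example"}, {"new_password": "pwned"}))
```

The vulnerable handler accepts the forged request because the session cookie is all it looks at; the hardened one rejects it twice over (foreign origin, missing token) and additionally refuses a stale session, which bounds how long a captured cookie stays useful.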