Mercku M6a Predictable Session Token Vulnerability Allowing Session Hijacking
Vulnerability
A vulnerability exists in Mercku M6a devices running firmware up to and including version 2.1.0, where the authentication system relies on predictable session tokens derived from timestamps. This flaw allows session hijacking, either by brute-forcing the small token space or by exploiting Cross-Site Request Forgery (CSRF) vulnerabilities to reset admin passwords. Once administrative access is gained, attackers can enable a hidden telnet backdoor that provides root access, leading to full control over the device.
Impact
Exploitation of this vulnerability allows for administrative session hijacking, which can be leveraged to gain root access on the device, creating a persistent backdoor that survives password changes and router reboots.
Reproduction
The vulnerability can be reproduced by brute-forcing session tokens based on the predictable timestamp pattern, or by using CSRF to force a password reset for an admin account. After gaining admin access, the hidden telnet server can be activated; it accepts the web admin password and grants a root shell.
Remediation
Mercku should implement secure session management practices, including using cryptographically secure algorithms for session token generation, enforcing session expiration, and addressing the hidden telnet backdoor. Additionally, the company should adhere to GPL requirements for their OpenWrt-based firmware.
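The following is an added example illustrating the remediation above, not code from Mercku or its firmware: a hypothetical session store that issues tokens from a CSPRNG instead of a timestamp, enforces expiry, compares tokens in constant time, and revokes every session of a user when that user's password changes, so a hijacked session does not outlive a password reset.

```python
import hmac
import secrets
import time

# Hypothetical hardened session store (added example, not Mercku's code).
TOKEN_BYTES = 32          # 256 bits of entropy per token, not a timestamp
SESSION_TTL = 15 * 60     # seconds a session stays valid without renewal


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be tested
        self._sessions = {}           # token -> (user, expires_at)

    def create(self, user):
        """Issue a fresh, unpredictable token bound to `user`."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def validate(self, token):
        """Return the user owning a live token, or None if unknown or expired."""
        for stored, (user, expires_at) in self._sessions.items():
            # Linear scan with a constant-time compare avoids leaking how many
            # leading characters of a guessed token matched.
            if hmac.compare_digest(stored, token):
                if self._now() >= expires_at:
                    del self._sessions[stored]   # safe: we return right away
                    return None
                return user
        return None

    def password_changed(self, user):
        """Revoke every session of `user`; returns how many were dropped."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("admin")
    print("issued", tok, "->", store.validate(tok))
    print("revoked on password change:", store.password_changed("admin"))
    print("after revocation:", store.validate(tok))
```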
