Tenda AC15 Authentication Cookie Vulnerability Allowing Password Hash Exposure and Session Hijacking

An authentication cookie vulnerability has been identified in the Tenda AC15 router, specifically in firmware version 15.03.05.18_multi. The issue arises because the router issues a cookie that includes the MD5 hash of the account password, appended with a short, low-entropy suffix, which serves as a predictable session identifier. This cookie is transmitted without essential security flags, exposing the password hash to the client. An attacker with network access or the ability to execute JavaScript in the victim's browser can steal the cookie and use it to access protected resources.

Impact

This vulnerability exposes user password hashes to clients, allows for session replay or hijacking due to the predictability of the cookie values, and enables offline brute-force attacks on the password hashes, as they are transmitted in an easily accessible format.

Reproduction

To reproduce this vulnerability, log in to the Tenda AC15 router's web interface. After authentication, the router will issue a cookie named 'password' that contains the MD5 hash of the password followed by a 6-character suffix. This cookie will lack the 'HttpOnly', 'Secure', and 'SameSite' flags, making it accessible via JavaScript. The cookie can then be used to make requests to '/main.html', effectively hijacking the session.

Remediation

Users are advised not to include password hashes in cookies, to generate secure session tokens of at least 128 bits on the server side, and to add 'HttpOnly', 'Secure', and 'SameSite' flags to authentication cookies. Additionally, it is recommended to use secure hash functions like bcrypt or Argon2, and to implement session expiration and invalidation upon logout.