Tenda AC15 Firmware Authentication Bypass Vulnerability in the Update Process

A vulnerability exists in the Tenda AC15 router running firmware version 15.13.07.13. The issue arises in the firmware update process, where the router's web server component improperly verifies the authenticity of uploaded firmware images. This flaw allows attackers to upload malicious firmware that bypasses authentication checks, potentially leading to arbitrary code execution or causing a denial-of-service condition on the device.

Impact

Exploitation of this vulnerability could allow for unauthorized firmware updates, leading to arbitrary code execution or causing the device to become unresponsive.

Reproduction

To reproduce this vulnerability, upload a firmware image that has been crafted to include the same hard-coded verification information as expected by the router. The router's firmware update mechanism will accept the compromised image, bypassing integrity checks and allowing malicious code to be executed or the device to be disrupted.