Tenda AC10 Hard-Coded Credentials Vulnerability

A hard-coded credentials vulnerability exists in the Tenda AC10 Wi-Fi 5 router, specifically in the firmware version 16.03.10.13. The vulnerability arises from the root user's password, which is hard-coded, stored in the file /etc_ro/shadow, and hashed using MD5-crypt. This hash can be easily cracked with tools like John the Ripper, revealing the password 'Fireitup'. The cracked password allows unauthorized access to the device with root privileges, through network-accessible services or the administrative interface.

Impact

Exploitation of this vulnerability allows attackers to gain root access to the device, bypassing authentication. This access can be used to view and modify sensitive system configurations, potentially leading to unauthorized changes in device behavior or network settings. Additionally, with root privileges, an attacker could execute arbitrary code on the device, further compromising the network.

Reproduction

To reproduce this vulnerability, first extract the router's firmware image using a suitable extraction tool. After extracting the firmware, locate the /etc_ro/shadow file in the squashfs-root directory. The MD5-crypt hash of the root password can be found in this file. Use a password-cracking tool, such as John the Ripper, to crack the hash, revealing the password 'Fireitup'. Once the password is obtained, it can be used to log into the router's administrative interface or other network services that require authentication.