Tenda AC9 Hard-Coded Credentials Vulnerability

A hard-coded credentials vulnerability exists in the Tenda AC9 Wi-Fi router, specifically in the administrative interface of the firmware version 15.03.05.19. The vulnerability arises from the root user's password, which is hard-coded and stored in the file /etc_ro/shadow using an easily crackable MD5-crypt hash. This allows unauthorized access to the device with root privileges through network-accessible services or the administrative interface.

Impact

Exploitation of this vulnerability allows unauthorized users to gain root access to the device, potentially leading to privilege escalation, access to sensitive information, and unauthorized modification of device settings or execution of arbitrary code.

Reproduction

To reproduce this vulnerability, extract the router's firmware image and locate the /etc_ro/shadow file. The hard-coded password for the root user can be found in this file, hashed with MD5-crypt. After cracking the hash using a tool like John, the password 'Fireitup' can be used to log into the device's administrative interface or other network-accessible services.