Tenda W12 Hard-Coded Credentials Vulnerability
Vulnerability
A hard-coded credentials vulnerability exists in the Tenda W12 access point, affecting firmware versions through 3.0.0.6(3948). The vulnerability arises from the root user's password, which is hard-coded, stored in the file /etc_ro/shadow, and hashed with MD5-crypt. This password can be easily cracked using tools like John the Ripper, allowing unauthorized root access to the device via network-accessible services or the administrative interface.
Impact
Exploitation of this vulnerability allows attackers to gain root access to the device using the hard-coded password 'Fireitup'. This access could be used to manipulate device settings, access sensitive information, or execute arbitrary code, potentially leading to further compromises within the network.
Reproduction
To reproduce this vulnerability, extract the firmware image and locate the /etc_ro/shadow file in the extracted squashfs-root directory. The MD5-crypt hash of the root password can be cracked using a password-cracking tool, revealing the hard-coded password. This password can then be used to log into the device's administrative interface or other network-accessible services.
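For firmware review, the same check can be automated without cracking anything. The following is an added example, not part of the original advisory or any vendor tooling: it walks an extracted root filesystem, finds shadow files such as etc_ro/shadow, and reports every account that still has a password hash baked into the image, along with the hash scheme. The function names, the "support" account and the hash strings are constructed for illustration.

```python
import os
import tempfile

# crypt(3) prefix -> (scheme name, weak by current standards?)
SCHEMES = {"$1$": ("MD5-crypt", True), "$5$": ("SHA-256-crypt", False),
           "$6$": ("SHA-512-crypt", False), "$2": ("bcrypt", False),
           "$y$": ("yescrypt", False)}

def classify(field):
    """Return (scheme, weak) for a shadow password field, or None if locked."""
    if field.startswith(("!", "*")):
        return None                      # password login disabled
    if field == "":
        return ("empty password", True)  # login with no password at all
    for prefix, result in SCHEMES.items():
        if field.startswith(prefix):
            return result
    return ("DES-crypt or unknown", True)

def audit_rootfs(rootfs):
    """List (path, user, scheme, weak) for password-enabled accounts under rootfs."""
    # Every hit is a credential shipped identically on all devices running the
    # image; 'weak' additionally marks schemes that are cheap to brute-force.
    findings = []
    for dirpath, _dirs, files in os.walk(rootfs):
        if "shadow" not in files:
            continue
        path = os.path.join(dirpath, "shadow")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                result = classify(parts[1]) if len(parts) > 1 else None
                if result:
                    findings.append((os.path.relpath(path, rootfs), parts[0], *result))
    return findings

# Constructed sample: hash strings are placeholders, not values from any firmware.
SAMPLE_SHADOW = ("root:$1$CONSTRUC$placeholderhash0000000:0:0:99999:7:::\n"
                 "nobody:*:0:0:99999:7:::\n"
                 "support:$6$CONSTRUC$placeholderhash:0:0:99999:7:::\n")

def demo():
    """Build a throwaway tree containing etc_ro/shadow and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc_ro"))
        with open(os.path.join(root, "etc_ro", "shadow"), "w") as fh:
            fh.write(SAMPLE_SHADOW)
        return audit_rootfs(root)

if __name__ == "__main__":
    print(demo())
```

Pointing audit_rootfs at a real squashfs-root directory gives a release gate: any non-empty result means the image ships a shared login credential, and a weak flag means the hash offers little protection once the image is public.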
