The Tenda AC15 router was found to contain a variety of unnecessary accounts that contain incredibly weak passwords. Note that these accounts do not allow access to the web interface, but are also not configurable from said interface. This means that without access to the device (such as telnet or ssh), a user cannot change these accounts.
The /etc/passwd file contains the following entries:
The passwords for support, user and admin are all 1234. Logging as any one of these accounts gives us root privileges. Combined with CVE-2018-5770 , this vulnerability can lead to full compromise of the device.
Vulnerability discovered and first reported by Fidus’ Penetration Testing & Research Team – 14/1/2018
Second attempt to make contact, further informing the vendor of the severity of the vulnerability – 18/1/2018
CVE’s assigned by Mitre.org – 19/1/2018
Livechat attempt to contact vendor – 19/1/2018
Another attempt to contact vendor 23/1/2018
Further attempt to contact vendor, confirming 5 CVE’s had been assigned to their product – 31/1/2018
Final contact attempted & warning of public disclosure – 8/2/2018
Public disclosure – 19/3/2018