| Titre | Netis WF-2404 Router Firmware Version: APR-R4A4-V1.1.124EN-Netis(WF-2404),2010.12.14 16:18. Use of Weak Hash |
|---|
| Description | RealTek RTL8196C chip exposes UART serial debug console on router PCB. It drops you into a root shell without prompting for any authentication. Physical access is required but soldering not required, can be performed trivially without lasting detection.
Even though there is no prompt for authentication on root account, the default password for the RealTek root password (which happens to be "realtek") is stored using DES Crypt for hashing. Cracked in 12 seconds on a personal laptop.
Full writeup demonstrating root password hash stored in /etc/passwd file:
https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont
References:
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.des_crypt.html
|
|---|
| La source | ⚠️ https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont |
|---|
| Utilisateur | scoozi (UID 82836) |
|---|
| Soumission | 15/03/2025 23:53 (il y a 1 Année) |
|---|
| Modérer | 28/03/2025 12:48 (13 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 301896 [Netis WF-2404 1.1.124EN /etc/passwd Local Privilege Escalation] |
|---|
| Points | 20 |
|---|