Hard-Coded Credential Vulnerability in E-Lins Routers.md

File metadata and controls

42 lines (31 loc) · 2.65 KB

Title: Hard-Coded Credential Vulnerability in E-Lins Routers

BUG_Author: Institute of Software Chinese Academy of Sciences

Affected Versions:

  • H685 Router < v3.2.337
  • H685f Router < v3.2.248
  • H820 Router < v3.3.69
  • H820Q Router < v3.2.272
  • H820Q0 Router < v3.2.259
  • H900 Router < 3.2.241
  • H700 Router < 3.2.243
  • H720 Router < 3.2.239
  • H750 Router < 3.2.241

Vendor: E-Lins Technology

Firmware: [Firmware-New-Platform](https://www.e-lins.com/EN/Firmware-New-Platform.html)

Description:

Multiple router models from E-Lins Technology Co., Ltd., including the H685, H685f, H820, H820Q, H820Q0, H900, H700, H720, and H750, are affected by a hard-coded credential vulnerability. The flaw has two parts: web system login credentials are hard-coded in the firmware, and the firmware ships a hidden OEM (Original Equipment Manufacturer) backend. That backend is reachable at a specific URL using a set of credentials (oemadmin:crpwd) recovered from a password hash stored in the shadow file. The hidden account lets an unauthorized user modify critical router settings, such as MAC addresses and logo images, and reach features intended for regular users. Furthermore, if the default configuration is left unchanged, additional hard-coded accounts such as guest:guest may still grant access to the router's normal administrative interface.

  • The hidden OEM backend account can be accessed via the LuCI path /admin/oem/oem (served under /cgi-bin/luci).
  • The username and password for this account are stored in the shadow file.
  • The password hash for oemadmin was extracted and cracked using John the Ripper, revealing the password crpwd.
  • With the password crpwd, one can log into the hidden backend at the URL: /cgi-bin/luci/admin/oem/oem.
  • Access to the hidden backend allows modification of MAC addresses, logo images, and features available to regular users.
  • The oemadmin account can also log into the standard web interface.
  • Additionally, if the default configuration has not been changed, other accounts from the shadow file, such as guest:guest, may still be active and allow access to the normal backend.
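For operators who cannot update yet, the most useful detection is in the router's or an upstream proxy's access logs. The following is an added example (not part of this advisory) that flags requests to the hidden OEM backend path and any request made under one of the hard-coded accounts named above; the log line layout and the sample lines are constructed for the example, not an E-Lins format.

```python
import re
from typing import List, Dict

# Indicators taken from the advisory above: the LuCI route of the hidden
# OEM backend and the hard-coded account names it lists.
OEM_BACKEND_PATH = "/cgi-bin/luci/admin/oem/oem"
HARDCODED_ACCOUNTS = {"oemadmin", "guest"}

# Assumed log layout (constructed for this example, not a real E-Lins format):
# <client-ip> <user-or-dash> [<timestamp>] "<method> <path> HTTP/1.x" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request that touches the hidden OEM backend
    or is made under one of the advisory's hard-coded accounts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        user = m.group("user")
        reasons = []
        if path.startswith(OEM_BACKEND_PATH):
            reasons.append("hidden OEM backend requested")
        if user in HARDCODED_ACCOUNTS:
            reasons.append(f"hard-coded account '{user}' in use")
        if reasons:
            findings.append({"ip": m.group("ip"), "user": user, "path": path,
                             "status": m.group("status"),
                             "reason": "; ".join(reasons)})
    return findings

# Constructed sample lines: one benign request, one OEM-backend hit,
# one request made under the guest account.
SAMPLE_LOG = [
    '10.0.0.5 admin [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/luci/admin/status HTTP/1.1" 200',
    '10.0.0.9 - [01/Jan/2024:10:00:05 +0000] "POST /cgi-bin/luci/admin/oem/oem?x=1 HTTP/1.1" 200',
    '10.0.0.9 guest [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/luci/admin/network HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit on the OEM path from a device that is not a known management host, or any successful request under oemadmin or guest, is worth treating as an incident until the firmware is updated and the default accounts are disabled.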

[Image: hard-code hash john]

Proof of Concept:

  • Successful login to the hidden OEM backend using the credentials oemadmin:crpwd.
  • Normal web system login using the same credentials.
  • Login using the guest:guest credentials if the default settings were not altered.

[Image: login]