Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
dpacmittal 1 hours ago [-]
Tenda is very popular in Asia, several ISPs use them as their default routers.
TedDoesntTalk 3 hours ago [-]
I’m in the USA and have a Tenda WiFi usb stick. Not as popular as other brands but they are around
greyface- 2 hours ago [-]
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
lemagedurage 1 hours ago [-]
Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.
matltc 23 minutes ago [-]
My ifconfig is simple: if it's made in Shenzhen, throw it out
HDBaseT 2 hours ago [-]
The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!
Gigachad 1 hours ago [-]
There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.
emsign 11 minutes ago [-]
Not to sound too alarming. But
Security holes in networking equipment
Affects not just the compromised devices.
ggm 2 hours ago [-]
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
VladVladikoff 1 hours ago [-]
I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.
miki123211 3 minutes ago [-]
How do you distribute credentials to residents?
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
ggm 1 hours ago [-]
As long as I can bind more than one device in my room, and as long as I can "see" the devices amongst themselves, I'd love this. I can imagine people who want inter-room access but they can live through proxies offsite. If I want to do in room sharing, I need in room wifi.
Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...
ikidd 33 minutes ago [-]
It would still be wiser to tie your own router into the hotel system as a gateway, and keep your own PAN behind that.
dhx 19 minutes ago [-]
It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".
Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
drnick1 2 hours ago [-]
And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.
ikidd 31 minutes ago [-]
Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.
What's old is new again.
matltc 1 hours ago [-]
Looking to do this to get off stock isp leased router. What's your hardware/distro rec?
dhruvrrp 22 minutes ago [-]
Use openWrt (https://openwrt.org), and use their hardware list to pick a consumer router with the feature set you need that can be flashed to use openWrt.
SubiculumCode 3 hours ago [-]
Up and out the back door, any 'ol time.
RetroTechie 4 hours ago [-]
Yet another Chinese company selling backdoor'd product. Surprise surprise...
cwmoore 3 hours ago [-]
Are you referring to the concept of “prayer?”
nttylock 2 hours ago [-]
[flagged]
tangsoupgallery 3 hours ago [-]
[flagged]
naturalmovement 2 hours ago [-]
[flagged]
vachina 3 hours ago [-]
Chinese undocumented auth: commies tryna steal mah api tokenz
US undocumented auth: legitimate usecase for out of band support nothing to see here
matheusmoreira 20 minutes ago [-]
I was deeply alarmed when I figured out ISPs had effortless remote access to the routers and consequently to my LAN. Now they just provide me an ONT which terminates their fiber and connects into my own hardened GL.iNet router running OpenWRT.
Terr_ 3 hours ago [-]
If you're accusing CERT of hypocrisy, what's an example of the second case?
The fact that the password is "rzadmin" makes it a lot more likely that this is just run of the mill stupidity, and not something more nefarious: you'd want a backdoor that isn't blindingly obvious and usable by the CIA.
Rendered at 05:11:54 GMT+0000 (Coordinated Universal Time) with Vercel.
I was unfamiliar with Tenda.
> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )
Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
Security holes in networking equipment
Affects not just the compromised devices.
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers: And /squashfs-root/webroot_ro/default_router.cfg which offers: From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
What's old is new again.
US undocumented auth: legitimate usecase for out of band support nothing to see here
Barracuda Networks: https://krebsonsecurity.com/2013/01/backdoors-found-in-barra...
Fortinet: https://community.spiceworks.com/t/hard-coded-password-backd...
Korenix: https://sec-consult.com/vulnerability-lab/advisory/backdoor-...
The fact that the password is "rzadmin" makes it a lot more likely that this is just run of the mill stupidity, and not something more nefarious: you'd want a backdoor that isn't blindingly obvious and usable by the CIA.