Vulnerability Title: Weak Password Authentication in auth_check_userpass2 Function in BR-6208AC_V2_1.03 Firmware
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: BR-6208AC_V2_1.03 firmware
Component: User Authentication (auth_check_userpass2)
A weak password authentication vulnerability exists in the auth_check_userpass2 function of the BR-6208AC_V2_1.03 firmware. This vulnerability is due to the use of hardcoded and easily guessable credentials (admin for the username and 1234 for the password), allowing an attacker to bypass authentication and gain unauthorized access to the device.
In the auth_check_userpass2 function, the username and password supplied by the user are compared against the hardcoded values (admin and 1234). If both match, authentication succeeds. Because these default credentials are well known and are embedded in the firmware rather than stored securely, an attacker can exploit the vulnerability simply by logging in with them.
The vulnerability arises from the following code:

Since the credentials are hardcoded and known, anyone with access to the login interface can simply input admin as the username and 1234 as the password, bypassing the authentication process entirely.
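As an added illustration (not the BR-6208AC firmware's own code), the Python below models the literal comparison the advisory describes next to a hardened check: no credentials compiled into the image, a salted PBKDF2 hash held in a credential store, a constant-time comparison, and a first-boot flag that refuses logins until the operator sets a password. The function and class names are assumed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 50_000  # assumed work factor for the example


def auth_check_userpass2_vulnerable(user: str, password: str) -> bool:
    """Constructed model of the vulnerable pattern: literal defaults in code."""
    return user == "admin" and password == "1234"


class CredentialStore:
    """Hardened replacement: per-user salted hash plus a must-change flag."""

    def __init__(self) -> None:
        # user -> (salt, pbkdf2 digest, must_change)
        self._records: dict[str, tuple[bytes, bytes, bool]] = {}

    def provision_default(self, user: str) -> None:
        # Device ships with the account present but unusable until a
        # password is set; nothing guessable is stored.
        self._records[user] = (b"", b"", True)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._records[user] = (salt, digest, False)

    def check(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None or record[2]:
            # Unknown user or password never set: burn the same work so the
            # response time does not reveal which case applies.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, digest)


def default_credentials_rejected(store: CredentialStore) -> bool:
    """True when the advisory's admin/1234 pair no longer grants access."""
    return not store.check("admin", "1234")
```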
