Archer C6U PPTP VPN Extremely Vulnerable due the bug in firmware

Archer C6U PPTP VPN Extremely Vulnerable due the bug in firmware
Archer C6U PPTP VPN Extremely Vulnerable due the bug in firmware
2021-06-28 19:34:52
Model: Archer C6U
Hardware Version: V1
Firmware Version: 1.0.2 Build 20200404 rel.47120(5255)

Archer C6U has a bug in the firmware that makes it extremely vulnerable if you activate PPTP VPN. This bug is simple and easily reproducible but gives full access to VPN.

 

If you open the PPTP VPN setup page you will see that there is a default account with username/password admin. You can delete or change the password. In my opinion, deletion of admin is the best way because neither username nor password will be some default. However, it won't work, and below is a simple explanation of why.

 

When you reboot the router it will create an admin record with the default password admin.

 

Ok, you try to change the password for admin. You reboot the router again and you get the two admin accounts.

 

When you try to edit the second admin account it will tell you that the same account exists already. So there is a check in the UI that doesn't allow to have more than one record with the same username.

 

Next try. There is a limit of 16 users. Ok, 16 users created, reboot, and now there are 17 users.

 

So what we have in summary:

1. Admin account couldn't be removed and it will return like Terminator.

2. Admin account ignores the unique name check.

3. Admin account ignores the user limit.

 

And finally, when you enable PPTP VPN you are fully exposed because anyone can connect using the admin account.

 

P.S. I know that PPTP VPN isn't super secure, but it is faster than OpenVPN.

0
0
#1
Options
2 Reply
Re:Archer C6U PPTP VPN Extremely Vulnerable due the bug in firmware
2021-06-30 08:51:56

Looks like nobody interested from Tp-link.

 

Additional comment, if I enable the PPTP VPN and don't delete admin/admin, in less than an hour there will be connections using admin and actively using internet.

 

Also if delete admin/admin, there will be huge amount of connections requests sent with admin/admin credentials.

 

So is it official backdoor or what?

0
0
#2
Options
Re:Archer C6U PPTP VPN Extremely Vulnerable due the bug in firmware
2021-06-30 09:24:45

@Loyd 

 

Thanks for reporting the issue to the community, we will confirm it and get back to you ASAP.

0
0
#3
Options