Router backdoor - ProLink PRS1841 PLDT Home fiber

vendor:

PRS1841

by:

Lawrence Amer @zux0x3a

8.8

CVSS

HIGH

Backdoor Account

CWE

Product Name: PRS1841

Affected Version From: PRS1841 U V2

Affected Version To: PRS1841 U V2

Patch Exists: No

Related CWE:

CPE: o:prolink2u:prs1841

Metasploit:

Other Scripts:

Platforms Tested:

2022

Router backdoor – ProLink PRS1841 PLDT Home fiber

A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS. The vulnerable account issued by the vendor was identified as "adsl" and "realtek" as the default password; attackers could use this account to access the router remotely/internally using either Telnet or FTP protocol.

Mitigation:

Change the default password of the router and disable Telnet and FTP access.

Source

Exploit-DB raw data:

# Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber
# Date: 12/8/2022
# Exploit Author: Lawrence Amer @zux0x3a
# Vendor Homepage: https://prolink2u.com/product/prs1841/
# Firmware : PRS1841 U V2
# research:  https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/

Description
========================
A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS.

The vulnerable account issued by the vendor was identified as "adsl" and 
"realtek" as the default password; attackers could use this account to 
access the router remotely/internally using either Telnet or FTP 
protocol.

PoC
=============================
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli