A hard-coded password vulnerability exists in the libcommonprod.so prod_change_root_passwd functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. During system startup this functionality is always called, leading to a known root password. An attacker does not have to do anything to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
TCL LinkHub Mesh Wifi MS1G_00_01.00_14
7.5 - CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-259 - Use of Hard-coded Password
The LinkHub Mesh Wi-Fi system is a node-based mesh system designed for Wi-Fi deployments across large homes. These nodes include most features standard in current Wi-Fi solutions and allow for easy expansion of the system by adding nodes. The mesh is managed solely by a phone application, and the routers have no web-based management console.
During the boot process of the device, the
netctrl binary is launched. Within
main the function
prod_change_root_passwd is called from
libcommonprod with no conditional checks to do so. This function forces a change of the root password to
tcl-wifi as seen below.
int32_t prod_change_root_passwd() void var_d4 memset(&var_d4, 0, 0x40) int32_t var_94 = 0 int32_t var_90 = 0 void var_8c memset(&var_8c, 0, 0x80) int32_t var_d8 = 0 memcpy(&var_8c, "tcl-wifi", 9) doSystemCmd("(echo %s;sleep 1;echo %s) | pass…", &var_8c, &var_8c)  return 0
The forced password change occurs at  when
tcl-wifi is passed into the
passwd command line utility.
2022-04-27 - Vendor Disclosure
2022-08-01 - Public Release
Discovered by Carl Hurd of Cisco Talos.