Bypassing Auth to Router Config Page in a Tozed M60

Apr 28, 2020

This article is published in good faith for educational purposes; malicious practices are strictly discouraged.

The router configuration page of a Tozed M60 is supposed to be accessible only if we log in with valid credentials. However, as we are about to find out, authentication here seems to be optional.

Get connected

First, we need to connect to the WiFi access point (AP) of the router. Sorry, but I'm not gonna elaborate on this. I encourage you to refer to some resources (there are plenty) on how to get connected to a WiFi hotspot with an unknown password, if that is the case.

Just foray

Once connected to the AP, find out the router IP address (default gateway) and navigate there with a browser. When the login page for router configuration is loaded, fire up the browser console (Ctrl + Shift + K/Z on Firefox/Chromium) and execute the following lines there.

isPlaceholder=true;
submit();

Now, we should be directed to the router configuration page.

Why is it so easy?

In a world with many inherently interconnected devices, obvious security mechanisms are expected to be the rule rather than the exception. However, as one finds out after diving deep enough into one of those nodes, that is not always the case. While vulnerabilities can exist in almost anything, and many (the likes of Pwn2Own) are trying to reduce them in software, shipping devices to consumers without even basic security measures is unacceptable. Consumer-grade devices especially have a notorious tendency to be needlessly vulnerable for lack of obvious security mechanisms, owing to the simple fact that many manufacturers refuse to care enough about the masses they serve.
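
An added example, not from the original article and not the router's code: the page does not show how the firmware uses `isPlaceholder`, so this constructed Node.js model assumes the flag reaches the server as a form field. It contrasts a login handler that trusts that flag with one that ignores browser-controlled state and checks a server-side session on every configuration request. All function names, the account and the password are hypothetical.

```javascript
// Constructed model, NOT Tozed firmware: every name below is hypothetical.
const crypto = require('crypto');

const SALT = crypto.randomBytes(16);
const hash = (pw) => crypto.scryptSync(pw, SALT, 32);
const ADMIN = { user: 'admin', pwHash: hash('constructed-sample-password') };
const sessions = new Set(); // session tokens live on the server only

// Verify credentials on the server, comparing password hashes in constant time.
function checkCreds(body) {
  if (typeof body.user !== 'string' || typeof body.password !== 'string') return false;
  const pwOk = crypto.timingSafeEqual(hash(body.password), ADMIN.pwHash);
  return body.user === ADMIN.user && pwOk;
}

// Weak pattern (assumed, for illustration): a value the browser controls
// decides whether the credential check runs at all.
function loginWeak(body) {
  if (body.isPlaceholder === 'true') return { ok: true }; // trusts client state
  return { ok: checkCreds(body) };
}

// Hardened pattern: client-side flags are ignored; only verified
// credentials yield an unguessable session token.
function loginHardened(body) {
  if (!checkCreds(body)) return { ok: false };
  const token = crypto.randomBytes(32).toString('hex');
  sessions.add(token);
  return { ok: true, token };
}

// Every configuration request is checked against the session store,
// so reaching the page without a valid login returns 401.
function getConfigPage(req) {
  if (!sessions.has(req.sessionToken)) return { status: 401 };
  return { status: 200, body: 'router configuration' };
}
```
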
