CVE-2015-7277

HIGH 9.3 / 10.0
Published: December 31, 2015 at 05:59 AM
Modified: April 12, 2025 at 10:46 AM
Source: cret@cert.org

Vulnerability Description

The web administration interface on Amped Wireless R10000 devices with firmware 2.5.2.11 has a default password of admin for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.

CVSS Metrics

Base Score
9.3
Severity
HIGH
Vector String (CVSS v2)
AV:N/AC:M/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Amped Wireless R10000 devices running firmware 2.5.2.11 ship with the well-known password 'admin' for the admin account of the web administration interface. Anyone who can reach that interface from the LAN can log in with the factory credential and obtain full administrative control of the router, including its network settings and firmware. Because the router sits between every client and the Internet, a compromised device is a foothold for data theft, network disruption and malware delivery to the hosts behind it.

02 // Vulnerability Mechanism

Step 1: Network Access: The attacker needs a session on the same local area network (LAN) as the vulnerable Amped Wireless R10000 device. That position can come from physical access to a wired port, from joining the Wi-Fi network (trivial if it is open or its passphrase is known), or from a host on the LAN that the attacker has already compromised.

Step 2: Web Interface Access: The attacker opens the web administration interface in a browser by navigating to the device's LAN address, which is also the default gateway it hands out over DHCP (e.g., 192.168.1.1).

Step 3: Login Attempt: The attacker enters the default username 'admin' and the default password 'admin' into the login form.

Step 4: Successful Authentication: The web interface accepts the default credentials, granting the attacker administrative privileges.

Step 5: Administrative Control: The attacker now has full control over the device, including the ability to change network settings, flash modified firmware, and use the router's position to reach and attack other devices on the network.
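The five steps above amount to a single credential check, which is also how an administrator would audit a fleet of routers for this problem. The script below is an added example written for this entry, not Amped Wireless code: it assumes the interface is protected by HTTP Basic authentication (the R10000's actual login flow is not documented here; a form-based login would need the request adapted), probes it with the documented admin/admin pair, and includes a constructed in-process mock router so it can be run offline. It also catches the case the steps do not mention: an interface that serves the admin page with no credentials at all, which would otherwise make every candidate pair look "accepted".

```python
"""Probe a router's web admin interface for factory default credentials.

Added example for this advisory, not Amped Wireless code.  It assumes the
interface is protected by HTTP Basic authentication and ships with an
in-process mock router (constructed here) so it runs offline.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The only pair documented for this CVE; add other vendor defaults as needed.
DEFAULT_CREDENTIALS = [("admin", "admin")]

# Opener with proxies disabled so a system proxy cannot answer for the device.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _get(url, cred, timeout):
    """GET url, optionally with Basic auth; True only on a 200 response."""
    req = urllib.request.Request(url)
    if cred is not None:
        token = base64.b64encode(f"{cred[0]}:{cred[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


def accepts_default_credentials(base_url, candidates=DEFAULT_CREDENTIALS, timeout=5):
    """Return the credential pairs the interface accepts.

    An interface that serves the admin page with no Authorization header at
    all is reported as [("<none>", "<none>")]: worse than a default password,
    and a case that must be detected first or every candidate looks accepted.
    """
    if _get(base_url, None, timeout):
        return [("<none>", "<none>")]
    return [cred for cred in candidates if _get(base_url, cred, timeout)]


class _MockRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for the admin UI; credentials are set per instance."""
    credentials = {}        # username -> password
    require_auth = True

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = not self.require_auth
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = ok or self.credentials.get(user) == pw
            except (ValueError, UnicodeDecodeError):
                pass
        if ok:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Router admin panel</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):   # keep the mock quiet
        pass


def start_mock_router(credentials, require_auth=True):
    """Start a mock router on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (_MockRouter,),
                   {"credentials": credentials, "require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    for label, creds in [("factory default", {"admin": "admin"}),
                         ("rotated password", {"admin": "Kq8#v2Lm!pX4rT9z"})]:
        server, url = start_mock_router(creds)
        print(f"{label}: accepted = {accepts_default_credentials(url)}")
        server.shutdown()
```

Point `accepts_default_credentials` at a real device's LAN address to audit it; a non-empty result means the router should be reconfigured before it is trusted on the network. Only probe devices you are authorised to test, and keep the candidate list short: lockout behaviour on embedded routers varies and is not documented for this device.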

03 // Deep Technical Analysis

The vulnerability stems from the device shipping with a fixed, publicly known administrative credential and nothing in the firmware that forces it to be replaced. The web administration interface, served over plain HTTP, neither prompts the user to set a new password during initial setup nor applies any complexity requirements to the one that is chosen, so any R10000 that was simply plugged in and left alone still accepts 'admin' for the admin account. The requirement for a LAN session is a weak barrier in practice: every wireless client that has joined the network, and every compromised host behind the router, is already in that position. The root cause is a configuration weakness rather than a coding error: a default password policy that is neither unique per device nor enforced to change on first login.
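The fix is a design change in the login path rather than a patch to one function. The code below is an added example written for this entry, not Amped Wireless firmware, showing the two controls the analysis above finds missing: the factory default (the documented 'admin') is only good for setting a new password and unlocks no administrative function, and the replacement must pass a minimum policy that rejects the default itself. The class and function names, the length limit and the PBKDF2 parameters are the example's own choices.

```python
"""Admin login that cannot be used with the factory default password.

Added example, not Amped Wireless firmware.  The factory default only
grants the right to set a new password; the replacement must pass a policy.
Names, limits and PBKDF2 parameters are assumptions made for the example.
"""
import hashlib
import hmac
import os

FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"      # the default this CVE describes
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def _hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_policy_violations(candidate):
    """Return the reasons a candidate password is unacceptable (empty if fine)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if candidate.lower() in {FACTORY_DEFAULT_PASSWORD, FACTORY_DEFAULT_USER}:
        problems.append("equals the factory default")
    if candidate.isdigit() or candidate.isalpha():
        problems.append("must mix letters with digits or symbols")
    return problems


class AdminAccount:
    """The single admin account, as it would be kept in device configuration."""

    def __init__(self):
        self.username = FACTORY_DEFAULT_USER
        self.salt, self.digest = _hash_password(FACTORY_DEFAULT_PASSWORD)
        # Set at the factory; cleared only by a successful password change.
        self.must_change_password = True

    def verify(self, username, password):
        """Constant-time comparison of both fields so timing does not say which failed."""
        _, digest = _hash_password(password, self.salt)
        user_ok = hmac.compare_digest(username.encode(), self.username.encode())
        pw_ok = hmac.compare_digest(digest, self.digest)
        return user_ok and pw_ok

    def login(self, username, password):
        """Return the set of actions this login may perform."""
        if not self.verify(username, password):
            return frozenset()
        if self.must_change_password:
            # Factory default still in place: no admin functions until rotated.
            return frozenset({"change_password"})
        return frozenset({"change_password", "admin"})

    def change_password(self, current, new):
        """Rotate the password; the first rotation clears the factory-default flag."""
        if not self.verify(self.username, current):
            raise PermissionError("current password rejected")
        problems = password_policy_violations(new)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt, self.digest = _hash_password(new)
        self.must_change_password = False


if __name__ == "__main__":
    account = AdminAccount()
    print("admin/admin before rotation ->", sorted(account.login("admin", "admin")))
    account.change_password("admin", "correct-horse-battery-staple")
    print("admin/admin after rotation  ->", sorted(account.login("admin", "admin")))
```

With this structure the configuration, firmware-upload and network pages are gated on the "admin" action, so a device that is still on its factory credential exposes only the change-password page to a LAN attacker. A unique per-device default printed on the label would remove the known-credential problem entirely, but the forced rotation above is the control that closes this CVE even when the default is shared.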

CVE-2015-7277 - HIGH Severity (9.3) | Free CVE Database | 4nuxd