# Vulnerability Summary: Firmware Authentication Vulnerability in Trendnet TEW-821DAP Firmware Update Process

## Vulnerability Overview

A firmware authentication vulnerability exists during the firmware update process, involving the `find_hwid()` and `new_gui_update_firmware()` functions. The firmware uses hardcoded verification information for authentication checks.

Specifically, these two functions extract the hardware ID from the firmware image and store it in the `dest` variable. They then perform firmware authentication by comparing `dest` against hardcoded authentication verification information. Once an attacker obtains the hardcoded authentication verification information, they can easily bypass authentication and upload maliciously tampered firmware.

This issue allows attackers to execute arbitrary code or cause a denial of service by uploading tampered firmware with the same hardcoded authentication verification information.

## Affected Scope

- **Affected Product**: TEW-821DAP (Firmware version v1.12B01)

## Remediation

- No specific remediation plan has been provided.

## POC Code

```c
int find_hwid(char *dest)
{
  int result; // eax
  int v2; // [sp+10h] [bp-10h]
  int v3; // [sp+14h] [bp-Ch]
  int v4; // [sp+18h] [bp-8h]
  int v5; // [sp+1Ch] [bp-4h]

  v2 = 0;
  v3 = 0;
  v4 = 0;
  v5 = 0;
  result = fread(&v2, 1, 4, firmware);
  if ( result )
  {
    result = fread(&v3, 1, 4, firmware);
    if ( result )
    {
      result = fread(&v4, 1, 4, firmware);
      if ( result )
        result = fread(&v5, 1, 4, firmware);
    }
  }
  if ( result )
  {
    sprintf(dest, "%08X-%08X-%08X-%08X", v2, v3, v4, v5);
  }
  return result;
}

int new_gui_update_firmware()
{
  int result; // eax
  char dest[16]; // [sp+10h] [bp-10h]
  char v2[16]; // [sp+20h] [bp+0h]

  find_hwid(dest);
  if ( !strcmp(dest, "AP152AR9563-AP-150107-00")
    || !strcmp(dest, "AP152AR9563-AP-151201-00")
    || !strcmp(dest, "AP152AR9563-AP-150707-00") )
  {
    result = new_gui_update_firmware2();
  }
  else
  {
    sprintf(v2, "Hardware ID is not match: %s", dest);
    new_gui_update_firmware2();
    result = new_gui_update_firmware3(v2);
  }
  return result;
}
```
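
The following is an added example, not code from this advisory or from Trendnet: a Python model that contrasts the ID-only comparison above with a check that verifies an RSA PKCS#1 v1.5 signature over the whole image, so that the ID field serves only as a compatibility test. The image layout (ID string at the start), the demo key pair, the function names and the sample images are all constructed assumptions; Python is used so the model runs with the standard library alone.

```python
import hashlib

# Hardware ID strings compared in the decompiled new_gui_update_firmware().
ACCEPTED_HWIDS = {b"AP152AR9563-AP-150107-00", b"AP152AR9563-AP-151201-00",
                  b"AP152AR9563-AP-150707-00"}
HWID_LEN = 24  # assumption for this model: the ID string leads the image

# Constructed DEMO key (product of two Mersenne primes, trivially factorable).
# A device would hold only N and E; D stays on the vendor's signing host.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def hwid_check(image: bytes) -> bool:
    """ID-only check as described on the page: the payload is never examined."""
    return image[:HWID_LEN] in ACCEPTED_HWIDS


def encode_digest(image: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(image: bytes) -> bytes:
    """Vendor side; present only to build the constructed sample below."""
    return pow(encode_digest(image), D, N).to_bytes(K, "big")


def signature_check(image: bytes, sig: bytes) -> bool:
    """Device side: model compatibility AND a signature over every image byte."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False
    return hwid_check(image) and pow(s, E, N) == encode_digest(image)


# Constructed sample images: identical ID field, different payload.
GOOD = b"AP152AR9563-AP-150107-00" + b"vendor payload"
ALTERED = b"AP152AR9563-AP-150107-00" + b"altered payload"
GOOD_SIG = sign(GOOD)
```

Both sample images satisfy `hwid_check`, while `signature_check` accepts only the image whose bytes match the signed digest.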