# CVE-2021-46008

## Telnet Hard-coded Password in Totolink A3100R V5.9c.4577

by KVS

* Description

  The hard-coded telnet password can be recovered from the officially released firmware. An attacker who is connected to the Wi-Fi can easily telnet into the target and get a root shell if the telnet function is turned on.

* Affected version

  Totolink A3100R V5.9c.4577

* Root Cause Analysis

  There are two ways the password can leak from the firmware.

  1. In the file "squashfs/web_cste/cgi-bin/product.ini", the telnet password is stored in plaintext.
  2. The file "squashfs/etc/shadow.sample" contains a user root with an MD5-hashed password. The hash can easily be cracked using John the Ripper with rockyou.txt.

* Proof-of-Concept

  Method 1

  ![](https://i.imgur.com/nKTIBU7.png)

  Method 2

  {%youtube _jAb20x1mwA %}

  {%youtube nfKOGNpeCzk %}
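A firmware-review check for the two leak paths in the Root Cause Analysis, as an added example that is not part of the original advisory: it walks an extracted root filesystem and reports shadow-style files with usable password hashes and configuration files with non-empty password keys. The key name `telnet_password`, the key-matching pattern, and all sample file contents are constructed placeholders, since the real contents of `product.ini` are not shown on this page.

```python
import re
import tempfile
from pathlib import Path

# crypt(3) scheme prefixes; "$1$" is the MD5 scheme the advisory describes.
SCHEMES = {"$1$": "md5crypt (weak)", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$2": "bcrypt", "$y$": "yescrypt"}
CRED_KEY = re.compile(r"pass(word|wd)?|pwd", re.I)  # assumed key naming

def classify_hash(field):
    """Label a usable shadow password field; None means the account is locked."""
    if field[:1] in ("*", "!"):
        return None
    for prefix, label in SCHEMES.items():
        if field.startswith(prefix):
            return label
    return "empty password" if field == "" else "DES crypt or unknown (weak)"

def audit_rootfs(root):
    """Return (file, name, issue) tuples for credentials shipped in the image."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():  # never follow links out of the tree
            continue
        rel = path.relative_to(root).as_posix()
        for line in path.read_text(errors="replace").splitlines():
            if path.name.startswith("shadow") and line.count(":") >= 2:
                user, field = line.split(":")[:2]
                issue = classify_hash(field)
                if issue:
                    findings.append((rel, user, issue))
            elif path.suffix in (".ini", ".conf", ".cfg"):
                key, sep, value = line.partition("=")
                if sep and value.strip() and CRED_KEY.search(key):
                    findings.append((rel, key.strip(), "plaintext credential"))
    return findings  # values are deliberately left out of the report

def build_sample_tree():
    """Constructed stand-in for an unpacked image; all values are placeholders."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "web_cste/cgi-bin/product.ini": "model=EXAMPLE\ntelnet_password=PLACEHOLDER\n",
        "etc/shadow.sample": "root:$1$SALTSALT$CONSTRUCTEDPLACEHOLDER:0:0:99999:7:::\n"
                             "nobody:*:0:0:99999:7:::\n"}
    for rel, text in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Run as a release gate against the unpacked image, a non-empty result from `audit_rootfs` means a credential would ship to every device running that firmware.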