CVE-2023-33553

An attacker on the same LAN as the Planet WDRT-1800AX router can bypass authentication by manipulating the `LoginStatus` cookie. The web management pages use this boolean cookie to determine if a user is authenticated; by changing its value from `false` to `true`, the attacker gains full access to all administration functions without supplying a password [ref_id=1]. The attacker can then enable the telnet service via a POST request to `/cgi-bin/cdata.cgi` with `operation=DevManagement&opt=telnet&telnet=1` and the forged cookie. Because the router's default configuration has no password for the root user, connecting to telnet as root immediately grants a shell, escalating privileges to root [ref_id=1].

The vulnerability resides in the CGI binary served by Lighttpd that handles authentication for the web management pages. The device uses a pre-set boolean cookie named 'LoginStatus' to determine authentication state [ref_id=1]. The CGI endpoint at `/cgi-bin/cdata.cgi` accepts the `LoginStatus` cookie without validating it against a server-side session, allowing an attacker to set it arbitrarily.

The vendor acknowledged the issue on 13 February 2023 and confirmed the behavior, estimating a fixed release in Q2 2023 [ref_id=1]. An updated firmware was pushed on 7 April 2023, and an advisory was released on 5 May 2023 [ref_id=1]. The advisory does not specify the exact patch details, but the fix would need to replace the client-side boolean cookie with a proper server-side session management mechanism that cryptographically ties the session identifier to the authenticated user and validates it on every request.

The researcher's proof of concept (Python script) demonstrates the attack [ref_id=1]:

1. Send a POST request to `http://