Nanyu Zhong¹, Yuekang Li², Yanyan Zou¹, Jiaxu Zhao¹, Jinwei Dong¹, Yang Xiao¹, Bingwei Peng¹, Yeting Li¹, Wei Wang¹, Wei Huo¹

¹ Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences; Beijing Key Laboratory of Network Security and Protection Technology
² University of New South Wales
Embedded web services are widely integrated into network devices such as routers and gateways. These services are often exposed to public networks, making them attractive targets for authentication bypass attacks. Such vulnerabilities allow attackers to gain privileged access without valid credentials, posing serious risks to device integrity and network security. Existing detection techniques rely heavily on manual analysis or rigid heuristics, making them ineffective against diverse and evolving authentication schemes. We present AuthSpark, a novel dynamic analysis framework for detecting authentication bypass vulnerabilities in firmware binaries. AuthSpark leverages execution trace similarity between successful and failed authentication attempts to locate credential checks. It then tracks authentication-related variable propagation to identify authentication success logic. Finally, it employs a customized greybox fuzzer with task-specific power scheduling and mutation strategies to explore bypass paths. We evaluate AuthSpark on firmware from 32 real-world devices containing 14 known vulnerabilities. AuthSpark successfully identifies 42 out of 44 credential checks and detects 14 of the known vulnerabilities. More importantly, when applied to the latest firmware versions, AuthSpark discovers six zero-day authentication bypass vulnerabilities, four of which received official assignments (three CVEs and one PSV). These results highlight AuthSpark's effectiveness and its potential to uncover critical security flaws in real-world systems.
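The first stage described above, locating a credential check from the similarity of successful and failed login traces, can be illustrated on a toy login handler. This is an added example, not AuthSpark's code: the handler, its block labels and the credentials are constructed, and block-level traces are recorded by instrumentation inside the handler rather than from a firmware binary.

```python
from difflib import SequenceMatcher

# Constructed stand-in for a login handler in an embedded web service. Each
# executed "basic block" appends its label to `trace`, mimicking the execution
# traces a dynamic analysis would record. Credentials are constructed test values.
VALID_USER, VALID_PASS = "admin", "s3cret"

def login_handler(user, password, trace):
    trace.append("parse_request")
    trace.append("lookup_user")
    if user != VALID_USER:
        trace.append("reject_unknown_user")
        return 401
    trace.append("check_password")          # the credential check to be located
    if password != VALID_PASS:
        trace.append("reject_bad_password")
        return 401
    trace.append("set_session_cookie")      # authentication success logic
    trace.append("render_dashboard")
    return 200

def record_trace(user, password):
    """Run one login attempt and return (HTTP status, list of executed blocks)."""
    trace = []
    status = login_handler(user, password, trace)
    return status, trace

def trace_similarity(a, b):
    """Similarity in [0, 1] between two block traces (2 * matches / total length)."""
    return SequenceMatcher(None, a, b).ratio()

def locate_credential_check(success_trace, failure_traces):
    """Pick the failed attempt whose trace is most similar to the successful one,
    then return the last block both traces share before they diverge. That block
    branches differently for valid and invalid credentials, so it is the
    candidate credential check; blocks reached only on success are the
    success logic whose reachability a fuzzer would later probe."""
    best = max(failure_traces, key=lambda t: trace_similarity(success_trace, t))
    shared = 0
    for s, f in zip(success_trace, best):
        if s != f:
            break
        shared += 1
    candidate = success_trace[shared - 1] if shared else None
    return {
        "candidate": candidate,
        "similarity": round(trace_similarity(success_trace, best), 3),
        "success_only": success_trace[shared:],
    }

if __name__ == "__main__":
    _, ok = record_trace("admin", "s3cret")
    fails = [record_trace("admin", "wrong")[1], record_trace("guest", "wrong")[1]]
    print(locate_credential_check(ok, fails))
```

The wrong-password attempt shares more of its path with the successful login than the unknown-user attempt does, which is why similarity ranking, rather than an arbitrary failed attempt, pins the divergence on the password check.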