
CVE-2023-41012: Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4 (identity verification has design flaws)

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the authentication mechanism.


Command Execution Vulnerability in China Mobile Intelligent Home Gateway HG6543C4

Device default information:
Equipment model: HG6543C4
Default wireless network name: CMCC-hXtx
Default wireless network password: f6qgriu4
Default terminal configuration address: 192.168.1.1
Default terminal configuration account: dr7u2tvn

Vulnerability description: Under normal circumstances, the web page functions of the device can only be used after logging in. However, there is an authentication flaw: if a user is already logged in somewhere on the same network (from a different IP address), other users on the same network can access web resources directly, without authenticating.

Vulnerability analysis: This may be because the system has a session management mechanism for recording logged-in users and devices. After someone logs in, the system stores a session ID on the device to identify the user. When a page is accessed, the system checks whether there is a session ID on the device. If there is, access is granted directly; if not, the request is redirected to the login page. This improves the user experience by avoiding the need to enter a username and password on every access, but it is a significant security hazard.

Demo: For example, I use two environments, a host machine and a virtual machine, to access web resources that require authentication. Accessing them from any browser where no account is logged in redirects straight to the login page. However, once I log in to the web interface in just one place, the resources can be accessed directly from the virtual machine. Take the resource http://192.168.1.1/html/firewall.html as an example: it is the switch that controls the firewall.
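A minimal model of the flaw described above next to a corrected check, added here as an illustration; it is not code from the device or from the original advisory. The class names, the client addresses and the device-wide login flag are assumptions that follow the advisory's own hypothesis about how login state is stored.

```python
import secrets


class DeviceWideSessionGate:
    """Assumed model of the described behaviour: login state is recorded
    once on the device, so the check never looks at who is asking."""

    def __init__(self):
        self.logged_in = False

    def login(self, client_ip, password_ok):
        if password_ok:
            self.logged_in = True
        return None  # no per-client token is issued

    def authorize(self, client_ip, token=None):
        return self.logged_in  # true for every client after one login


class PerClientSessionGate:
    """Corrected form: each login issues a random token bound to the
    client address, and every request must present that token."""

    def __init__(self):
        self.sessions = {}  # token -> client address that logged in

    def login(self, client_ip, password_ok):
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = client_ip
        return token

    def authorize(self, client_ip, token=None):
        return token is not None and self.sessions.get(token) == client_ip

    def logout(self, token):
        self.sessions.pop(token, None)


def second_client_gets_in(gate):
    """Replays the demo: the host logs in, then a VM on another address
    requests a protected page without presenting any session token."""
    gate.login("192.168.1.10", password_ok=True)  # constructed host address
    return gate.authorize("192.168.1.20")         # constructed VM address
```
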

