Related vulnerability
Description
CVE-2024-46383
Introduction
# Sensitive-Information-disclosure-via-SPI-flash-firmware-for-Hathway-router-CVE-2024-46383
## Vulnerability Description:
During the security assessment of the router firmware, it was observed that sensitive information about the devices connected to the router,
such as mobile phones, laptops and tablets, is stored in plain text, and an attacker can misuse it.
Vendor of the product: Hathway
Affected product: CM5100-511
Affected Version: 4.1.1.24
Vulnerability Score (CVSS v3.1): 5.2 Medium, AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
## Proof Of Concept:
1. Power on the router and perform the initial network reconnaissance with the Nmap tool.
<img width="666" alt="Network_reconn" src="https://github.com/user-attachments/assets/3df2a170-693b-4647-aedb-2a2ca5c82aea">
2. Tear down the router and locate the UART header as shown in the image below.
Connect the UART header to a serial console and observe the router's initial boot sequence.
From the initial boot sequence we obtained the hardware and firmware version information.
<img width="352" alt="Tear_down" src="https://github.com/user-attachments/assets/21f1b287-a1af-4c09-af81-eed683db8b4c">
<img width="625" alt="Initial_boot_sequence" src="https://github.com/user-attachments/assets/5c5b2dd9-6042-422f-80ec-f2abe13cf309">
3. From the PCB analysis it was observed that an external flash IC (Winbond W25Q64JV) is mounted on the back side of the board;
desolder the flash IC from the PCB and dump the firmware with a CH341A flash programmer.

4. After dumping the flash firmware, analyse the dumped binary file; we found that the names of the mobile phones, laptops and tablets connected to the router
are stored in plain text.
<img width="437" alt="connected_devices_to_router" src="https://github.com/user-attachments/assets/09c3d784-9e33-4a09-b8e3-208746c4d95c">
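As an added example (not part of the original advisory or the Hathway firmware), a small Python audit script that automates step 4 from the defender's side: it pulls printable strings out of a flash dump, flags the ones that look like client hostnames, and measures the entropy of the span holding them, so a vendor can confirm before release that client identifiers are no longer written to flash in clear (a protected image yields no hostname-like strings, or only high-entropy data). The dump bytes, the `hostlist` table layout and the hostname heuristic are assumptions constructed for the demo, not taken from the real image.

```python
import math
import re
from collections import Counter

# Constructed sample flash dump (not the real W25Q64JV image): erased 0xFF
# padding, a NUL-separated table of connected-device hostnames stored in
# plain text (the condition the advisory describes), then more padding.
SAMPLE_DUMP = (
    b"\xff" * 256
    + b"hostlist\x00"
    + b"Alices-iPhone\x00DESKTOP-ABC123\x00Galaxy-Tab-S7\x00"
    + b"\x00" * 32
    + b"\xff" * 256
)

# RFC 1123 hostname label. Auto-generated client names almost always carry a
# hyphen or a digit, which filters out most ordinary firmware vocabulary.
HOSTNAME_LABEL = re.compile(r"^(?=.*[-0-9])[A-Za-z0-9][A-Za-z0-9-]{3,62}$")


def extract_strings(blob: bytes, min_len: int = 6) -> list[tuple[int, str]]:
    """(offset, text) for every printable-ASCII run of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def flag_device_names(strings: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Keep only the strings that look like client hostnames."""
    return [(off, s) for off, s in strings if HOSTNAME_LABEL.match(s)]


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted data, far lower for text."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def audit_dump(blob: bytes) -> dict:
    """Report plaintext hostname candidates and the entropy of the span holding them."""
    names = flag_device_names(extract_strings(blob))
    if not names:
        return {"plaintext_names": [], "entropy": None}
    lo, hi = names[0][0], names[-1][0] + len(names[-1][1])
    return {"plaintext_names": [s for _, s in names],
            "entropy": round(shannon_entropy(blob[lo:hi]), 2)}


if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))
```

The heuristic is deliberately loose, so review the full `extract_strings` output as well; a name without a hyphen or digit (for example "MacBook") would not be flagged.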
## Authors:
Nitin Ronge (www.linkedin.com/in/nitin-ronge)
Anand Yadav (www.linkedin.com/in/anandyadav6962)
File snapshot
[4.0K] /data/pocs/d71f5996f17042180800232bb6fc1d14af6e1d2f
└── [2.0K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the original source first.
2. If the source has gone offline or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.