Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-44815 PoC — Skyworth Router CM5100 安全漏洞

Source
https://github.com/nitinronge91/Extracting-User-credentials-For-Web-portal-and-WiFi-AP-For-Hathway-Router-CVE-2024-44815-
Associated Vulnerability
Title:Skyworth Router CM5100 安全漏洞 (CVE-2024-44815)
Description:Skyworth Router CM5100是中国创维(Skyworth)公司的一款具有 N300 速度的单频路由器。 Hathway Skyworth Router CM5100 4.1.1.24版本存在安全漏洞,该漏洞源于允许物理接近的攻击者通过SPI闪存固件W25Q64JV获取用户凭据。
Description
CVE-2024-44815
Readme
# Extracting-User-credentials-For-Hathway-Router Via SPI flash-CVE-2024-44815

## Vulnerability Description:
During the security assessment of the Router firmware, it was observed that router login credentials of both web portal and Wi-Fi access point 
are stored in plain text in SPI flash memoey. Attacker can extract the login credentials, and which can be misused by attacker.

Vendor of the product: Hathway 

Affected product:CM5100-511

Affected Version: 4.1.1.24

Vulnerability Score V3.1: 6.8 Medium AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H

## Proof Of Concept:
1. Power on the router and  do the initial network reconnaissance using Nmap tool.
   
   <img width="666" alt="Network_reconn" src="https://github.com/user-attachments/assets/3df2a170-693b-4647-aedb-2a2ca5c82aea">



2. Teardown the  router  and locate the UART connection as shown in below Image.
   Connect the UART connection to serial console and check the initial boot sequence of router.
   Form initial boot sequence we got the hardware and firmware version information.

   <img width="352" alt="Tear_down" src="https://github.com/user-attachments/assets/21f1b287-a1af-4c09-af81-eed683db8b4c">
   

   <img width="625" alt="Initial_boot_sequence" src="https://github.com/user-attachments/assets/5c5b2dd9-6042-422f-80ec-f2abe13cf309">

3. From Hardware PCB analysis it was observed that external flash IC(Winbond W25Q64JV) is connected back side,
   solder out the flash IC from PCB and using CH431A flash programmer dump the firmware.

   ![image](https://github.com/user-attachments/assets/09b9a4b2-de47-4296-b7ab-9f742fe19e30)

4. After dumping the flash firmware,Perform the analysis of dumped binary file and we found that, suspicious login credentials with login name as ‘admin’ and with Wi-Fi access point name in plain text.

   <img width="850" alt="credentials_through_string_command" src="https://github.com/user-attachments/assets/b3212761-010a-4296-9332-762817bf8665">

5. Open the  dumped firmware in hex view to locate the Suspicious credential’s exact memory location  in firmware.

   ![image](https://github.com/user-attachments/assets/ef74dff9-05a2-4f20-93d6-42d4d96c7bf4)


   ![image](https://github.com/user-attachments/assets/9361a738-4bb7-4f24-9c93-8c7622f21c70)

 6. We tried to login the web portal and Wi-Fi access point using suspensions credentials found in firmware and it logged in successfully.

    ![image](https://github.com/user-attachments/assets/dbcdd114-aa63-405c-bba4-6fc51e846abf)

    
 7. Even though user changed default credentials, attacker can extract it from firmware by knowing the memory address and also credentials are stored in plain text.
    
## Authors:
   Nitin Ronge(www.linkedin.com/in/nitin-ronge)
   
   Anand Yadav(www.linkedin.com/in/anandyadav6962)
File Snapshot

 [4.0K]  /data/pocs/5bf136f97328ee113fa7365504bb0e58a342337b
└── [2.7K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.