CVE-2024-40892 PoC — Firewalla 安全漏洞

Source

Associated Vulnerability

Title:Firewalla 安全漏洞 (CVE-2024-40892)
Description:Firewalla是Firewalla公司的一个驱动程序。 Firewalla 1.979之前版本存在安全漏洞，该漏洞源于存在弱凭证漏洞，允许近距离的攻击者使用许可证UUID进行身份验证，并通过蓝牙低功耗接口提供SSH凭证。

Description

Proof of Concept code for interaction with Firewalla via Bluetooth Low-Energy and exploitation of CVE-2024-40892 / CVE-2024-40893

Readme

# fwbt

Writeup: https://www.labs.greynoise.io/grimoire/2024-08-20-bluuid-firewalla/

Proof of Concept code for interaction with Firewalla via Bluetooth Low-Energy and exploitation of CVE-2024-40892 / CVE-2024-40893

Without any configuration it will scan for Firewalla's in local proximity and leak the checksum of the License UUID.

If License UUID is obtained, it can be defined at `var myLicense = ""` in `main.go` at which point:

1. A local backup of the device configuration will be made.
2. If the device configuration is already backed up:
3. Generate root SSH credentials (CVE-2024-40892)
4. Exploit 3 command injection vulnerabilites (CVE-2024-40893)

File Snapshot


 [4.0K]  /data/pocs/d8f7ad62b05165fec9d017b09d420b77998e09eb
├── [ 944]  go.mod
├── [4.6K]  go.sum
├── [2.6K]  main.go
├── [4.0K]  pkg
│   ├── [4.0K]  btapi
│   │   └── [ 11K]  btapi.go
│   └── [4.0K]  fwsecurity
│       └── [5.0K]  fwsecurity.go
└── [ 663]  README.md

3 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!