A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6:
803cdd0f 41 72 69 65 ds "AriesSerenaCairryNativitaMegan"
73 53 65 72
65 6e 61 43
...
It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below:
if (is_equal = strcmp(password,"AriesSerenaCairryNativitaMegan"){
ret = 3;}
Where 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor).
While there's no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater "Pu" (new user password) in place of "Pa" (new admin password).
Metrics
Affected Vendors & Products
References
History
Wed, 13 Nov 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Level1
Level1 wbr-6012 Level1 wbr-6012 Firmware |
|
CPEs | cpe:2.3:h:level1:wbr-6012:-:*:*:*:*:*:*:* cpe:2.3:o:level1:wbr-6012_firmware:r0.40e6:*:*:*:*:*:*:* |
|
Vendors & Products |
Level1
Level1 wbr-6012 Level1 wbr-6012 Firmware |
Wed, 30 Oct 2024 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 30 Oct 2024 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation.The password string can be found at addresses 0x 803cdd0f and 0x803da3e6: 803cdd0f 41 72 69 65 ds "AriesSerenaCairryNativitaMegan" 73 53 65 72 65 6e 61 43 ... It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below: if (is_equal = strcmp(password,"AriesSerenaCairryNativitaMegan"){ ret = 3;} Where 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor). While there's no legitimate functionality to change this password, once authenticated it is possible manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST paramater "Pu" (new user password) in place of "Pa" (new admin password). | |
Weaknesses | CWE-798 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: talos
Published: 2024-10-30T13:35:20.113Z
Updated: 2024-10-30T14:03:14.932Z
Reserved: 2024-04-30T21:32:15.720Z
Link: CVE-2024-31151
Vulnrichment
Updated: 2024-10-30T14:02:47.322Z
NVD
Status : Analyzed
Published: 2024-10-30T14:15:05.507
Modified: 2024-11-13T18:19:26.453
Link: CVE-2024-31151
Redhat
No data.