H3C Magic M Devices Insecure Default Password Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability exists in H3C Magic M devices running firmware version M2V100R006: the default password for each of several user accounts, including root, useradmin, telecomadmin, and nobody, is identical to the account's username. The password hashes are stored in /etc/shadow, which is world-readable, using MD5-crypt hashing, which can be easily cracked with tools like John the Ripper. Exploiting this vulnerability could lead to unauthorized root access via network-accessible services or the administrative interface.
Impact
Exploitation of this vulnerability could result in unauthorized administrative access, allowing attackers to control the device, access sensitive information, modify settings, or execute arbitrary code.
Reproduction
To reproduce this vulnerability, extract the firmware image M2V100R006.bin and locate the /etc/shadow file in the extracted squashfs-root directory. The MD5-crypt hashes for the root, useradmin, telecomadmin, and nobody accounts can be cracked using John the Ripper, revealing the default passwords. Once the passwords are obtained, log in to the device's administrative interface or other network-accessible services using the cracked credentials.
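For firmware review, the two file-level conditions described above (a world-readable /etc/shadow and MD5-crypt hashes on login-capable accounts) can be checked statically in an extracted root filesystem. The following is an added example, not code from the advisory or from H3C; the function names, the sample account `svc` and the placeholder hash strings are constructed for illustration.

```python
import os
import stat
import tempfile

# crypt(3) scheme prefixes; "$1$" is the MD5-crypt scheme named in the advisory.
SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"md5-crypt", "des-crypt", "empty"}

def classify(field):
    """Map the password field of a shadow entry to a scheme name."""
    if field == "":
        return "empty"                      # account has no password at all
    if field[0] in "!*":
        return "locked"                     # password login is disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt" if len(field) == 13 else "unknown"

def audit_shadow(rootfs):
    """Return (world_readable, findings) for <rootfs>/etc/shadow."""
    path = os.path.join(rootfs, "etc", "shadow")
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) < 2 or line.startswith("#"):
                continue
            scheme = classify(parts[1])
            if scheme in WEAK:              # login-capable and weakly hashed
                findings.append((parts[0], scheme))
    return world_readable, findings

def demo():
    """Audit a constructed rootfs; hashes are placeholders, not real values."""
    sample = ("root:$1$EXAMPLE$AAAAAAAAAAAAAAAAAAAAAA:0:0:99999:7:::\n"
              "useradmin:$1$EXAMPLE$BBBBBBBBBBBBBBBBBBBBBB:0:0:99999:7:::\n"
              "daemon:*:0:0:99999:7:::\n"
              "svc:$6$EXAMPLE$CCCCCCCCCCCC:0:0:99999:7:::\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        path = os.path.join(root, "etc", "shadow")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)               # world-readable, as described above
        return audit_shadow(root)
```

Pointing `audit_shadow` at an extracted squashfs-root directory reports whether the shadow file is world-readable and which accounts still use a weak scheme or have no password.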
