edit the fucking piece

This commit is contained in:
ryandotz1p 2025-08-20 05:11:30 -04:00
parent cf3bcb2c28
commit 95cfaadc13


@ -1,9 +1,10 @@
---
title: "i'm bored, so here's a useless 0day"
date: 2025-08-20
description: "i either want my US$2.5k professional grade device backdoored or not at all"
changed_date: 2025-08-20T19:43:00Z
description: "i either want my US$2.5k professional-grade device backdoored or not at all"
feature_image: /img/posts/im-bored/cover.jpg
feature_alt: "a photo of a rugged professional device with word art text over it saying YAY! everyone is admin now!"
feature_alt: "a photo of a rugged professional device with word art text over it that says 'YAY! everyone is admin now!'"
tags:
- 0day
- security
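Review bot: the new `changed_date: 2025-08-20T19:43:00Z` line is the only front-matter timestamp with a time-of-day and a `Z` suffix, while `date: 2025-08-20` stays a bare day; if the template renders both, a single format for the pair (for example `changed_date: 2025-08-20` or a full timestamp on `date` as well) would read more consistently. The `description` and `feature_alt` rewordings (`professional-grade`, the quoted alt text) are fine as is.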
@ -12,7 +13,7 @@ tags:
- javascript
---
in early 2024 i was spending some time trying to find IDF field infrastructure on zoomeye, particularly looking for GNSS base stations (used to correct for errors in gps tracker data) and similar (semi-)permanent field gear. as i was doing this i started seeing more and more [CHCNAV P5](https://geospatial.chcnav.com/products/chcnav-P5) gnss devices, {% footnoteref "idf", "i never ended up figuring out if any of those belonged to the IDF or not" %}including near the gaza and west bank borders{% endfootnoteref %}. it got kinda boring quick though as i only had credentials to like two of these devices and they seemed pretty useless, so i started aimlessly clicking around in firefox dev tools on one of the sites.
in early 2024, i was spending some time trying to find IDF field infrastructure on [Zoomeye](https://zoomeye.ai), particularly GNSS base stations (used to correct for errors in GPS tracker data) and similar (semi-)permanent field gear. as i was doing this, i started seeing more and more [CHCNAV P5](https://geospatial.chcnav.com/products/chcnav-P5) GNSS devices, {% footnoteref "idf", "i never ended up figuring out if any of those belonged to the IDF or not" %}including near the Gaza Strip and West Bank borders{% endfootnoteref %}. it got kinda boring quick, especially because i only had credentials to a few of these devices and they seemed pretty useless, so i started aimlessly clicking around in Firefox's developer tools on one of the sites.
all it took was a search for "admin" and i had this absolutely beautiful piece of front-end javascript code in front of me:
```js
@ -35,12 +36,12 @@ if ((account == "chcadmin") && (password == "chcpassword")) {//N72设置超级
window.location.href = url;
}
```
not only do all CHCNAV GNSS base stations have a built in superadmin account as a backdoor—the code comment points this out pretty explicitly—but authentication for it happens *entirely in the frontend*. all you really need to do to directly log in as an administrator is set `param9` to `admin` (while making sure all other params have correct values, though that shouldn't be too hard) and you're golden.
not only do all CHCNAV GNSS base stations have a built-in superadmin account as a backdoor—the Chinese comment indicates the credentials' function rather explicitly—authentication for it also happens *entirely in the frontend*. all you need to do to directly log in as an administrator is set `param9` to `admin` (while making sure all other params have correct values, though that shouldn't be too hard) and you're golden.
![a partially redacted screenshot of a logged in view of the CHCNAV gnss base station](/img/posts/im-bored/adminpanel.jpg)
based on a quick [zoomeye](https://zoomeye.ai) search (`"./pc/login.html?v="`) there are currently between four thousand to six thousand of these devices deployed in the wild. about half of those are in russia (2.7k), with thailand (1.3k), turkey (1.1k), brazil (280) and israel (275) completing the top 5 list.
based on a quick Zoomeye search (`"./pc/login.html?v="`), there are currently between four thousand and six thousand of these devices deployed in the wild. about half of those are in Russia (2.7k), with Thailand (1.3k), Turkey (1.1k), Brazil (280) and Israel (275) completing the top 5 list.
i hadn't done anything with this, or even dropped this 0day until now because it's pretty useless, at least to me, even if it were possible to gain RCE on these devices (and it almost definitely pretty trivially is, if anyone wants to have some fun) they're all isolated on cellular networks, so they're completely useless for lateral movement. i was eventually gonna drop a full chain purely for bragging rights but i don't think i'll ever get around to that, so have at it. it is likely other CHCNAV device families are vulnerable in similar ways but i haven't explored that either. oh and before anyone asks, i don't think this vuln is even useful for any kind of sabotage, given the cellular nature makes it hard to identify who a device belongs to and how these devices work (to my limited understanding).
i hadn't done anything with this 0day nor dropped it until now because it's pretty useless, at least to me—even if it were possible to gain [RCE](https://en.wikipedia.org/wiki/Arbitrary_code_execution) on these devices (and it almost definitely pretty trivially is, if anyone wants to have some fun), they're all isolated on cellular networks, so they're completely useless for lateral movement. i was eventually going to drop a full chain purely for bragging rights but i don't think i'll ever get around to that, so have at it. it's likely that other CHCNAV device families are vulnerable in similar ways, but i haven't explored that either. oh—and before anyone asks, i don't think this vuln is useful for any kind of sabotage, given that by nature it is difficiult to identify who a device belongs to and how exactly the devices work (to my limited understanding).
anyways that's it, stay silly :3 and i'm so sorry to my editor ryan who will wake up to this absolute mess of a blog post i just wrote up in like an hour at 6am.
anyways that's it, stay silly :3 and {% footnoteref "edit", "editor's note: <a href=\"https://bsky.app/profile/ryan.staticnoi.se/post/3lwt3f6ktks2y\">i edited it four hours after release</a>" %}i'm so sorry to my editor ryan who will wake up to this absolute mess of a blog post i just wrote up in like an hour at 6am.{% endfootnoteref %}
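Review bot: the rewritten paragraph after the code block now says the Chinese comment "indicates the credentials' function rather explicitly", but the only code shown in this hunk's context line ends at `//N72设置超级`, so a reader cannot see what the comment actually says; either quote the full comment line (with a translation) or keep the earlier, weaker "points this out" wording. The same paragraph also asserts the built-in account for "all CHCNAV GNSS base stations" while the text above it says credentials were only available for a few devices; a sentence stating what was actually tested (which device, which firmware or web UI version) and whether CHCNAV was ever notified would let readers judge the scope and whether a fix exists, which the `0day` tag and the 4k-6k Zoomeye count otherwise leave open.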