im bored lol

maia arson crimew 2025-08-20 06:51:25 +02:00
parent 3f59c6bfe1
commit cf3bcb2c28
3 changed files with 46 additions and 0 deletions

src/posts/im-bored.md Normal file

@ -0,0 +1,46 @@
---
title: "i'm bored, so here's a useless 0day"
date: 2025-08-20
description: "i either want my US$2.5k professional grade device backdoored or not at all"
feature_image: /img/posts/im-bored/cover.jpg
feature_alt: "a photo of a rugged professional device with word art text over it saying YAY! everyone is admin now!"
tags:
- 0day
- security
- infosec
- exploit
- javascript
---
in early 2024 i was spending some time trying to find IDF field infrastructure on zoomeye, particularly looking for GNSS base stations (used to correct for errors in gps tracker data) and similar (semi-)permanent field gear. as i was doing this i started seeing more and more [CHCNAV P5](https://geospatial.chcnav.com/products/chcnav-P5) gnss devices, {% footnoteref "idf", "i never ended up figuring out if any of those belonged to the IDF or not" %}including near the gaza and west bank borders{% endfootnoteref %}. it got kinda boring quick though as i only had credentials to like two of these devices and they seemed pretty useless, so i started aimlessly clicking around in firefox dev tools on one of the sites.
all it took was a search for "admin" and i had this absolutely beautiful piece of front-end javascript code in front of me:
```js
var account = $("#ipAccount").val();
var password = $("#ipPassword").val();
if ((account == "chcadmin") && (password == "chcpassword")) {//N72设置超级用户名和超级密码
var url = "index.html?";
url += "param1=" + product_model + "&";
url += "param2=" + bluetoothShow + "&";
url += "param3=" + wifiShow + "&";
url += "param4=" + ethernetShow + "&";
url += "param5=" + g3Show + "&";
url += "param6=" + radioShow + "&";
url += "param7=" + mailShow + "&";
url += "param8=" + gprs_type + "&";
url += "param9=" + "admin" + "&";
url += "param10=three";
url += "&v="+version;
$.cookie('status', true);
window.location.href = url;
}
```
not only do all CHCNAV GNSS base stations have a built in superadmin account as a backdoor—the code comment points this out pretty explicitly—but authentication for it happens *entirely in the frontend*. all you really need to do to directly log in as an administrator is set `param9` to `admin` (while making sure all other params have correct values, though that shouldn't be too hard) and you're golden.
![a partially redacted screenshot of a logged in view of the CHCNAV gnss base station](/img/posts/im-bored/adminpanel.jpg)
based on a quick [zoomeye](https://zoomeye.ai) search (`"./pc/login.html?v="`) there are currently between four thousand to six thousand of these devices deployed in the wild. about half of those are in russia (2.7k), with thailand (1.3k), turkey (1.1k), brazil (280) and israel (275) completing the top 5 list.
i hadn't done anything with this, or even dropped this 0day until now because it's pretty useless, at least to me, even if it were possible to gain RCE on these devices (and it almost definitely pretty trivially is, if anyone wants to have some fun) they're all isolated on cellular networks, so they're completely useless for lateral movement. i was eventually gonna drop a full chain purely for bragging rights but i don't think i'll ever get around to that, so have at it. it is likely other CHCNAV device families are vulnerable in similar ways but i haven't explored that either. oh and before anyone asks, i don't think this vuln is even useful for any kind of sabotage, given the cellular nature makes it hard to identify who a device belongs to and how these devices work (to my limited understanding).
anyways that's it, stay silly :3 and i'm so sorry to my editor ryan who will wake up to this absolute mess of a blog post i just wrote up in like an hour at 6am.
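Review bot: the jump from this one snippet to "not only do all CHCNAV GNSS base stations have a built in superadmin account" is not supported by what the post shows; the code comment `//N72设置超级用户名和超级密码` (roughly "N72: set the super user name and super password") ties the hard-coded `chcadmin`/`chcpassword` check to a specific model, and the post only looked at P5 devices, so scope the claim to the P5 login page that was inspected and flag the wider claim as a guess (the later sentence already says other families are unexplored). Same paragraph: the JavaScript only proves the client builds `index.html?...&param9=admin` and sets `$.cookie('status', true)`; the evidence that the backend honours this without a server-side session is the admin-panel screenshot, so state that explicitly (the constructed URL was requested with no prior login and the panel loaded) and name the login page version (`v=`) the snippet came from so readers can tell whether their device is affected. Minor: the zoomeye counts in the "based on a quick zoomeye search" paragraph carry no date, so "currently" will not age well, and the Chinese comment deserves an inline translation for readers.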

Binary file not shown. After: Size 85 KiB

Binary file not shown. After: Size 68 KiB