in early 2024, i was spending some time trying to find IDF field infrastructure on Zoomeye, particularly GNSS base stations (used to correct for errors in GPS tracker data) and similar (semi-)permanent field gear. as i was doing this, i started seeing more and more CHCNAV P5 GNSS devices, including near the Gaza Strip and West Bank borders. it got kinda boring quick, especially because i only had credentials to a few of these devices and they seemed pretty useless, so i started aimlessly clicking around in Firefox's developer tools on one of the sites.
all it took was a search for "admin" and i had this absolutely beautiful piece of front-end javascript code in front of me:
var account = $("#ipAccount").val();
var password = $("#ipPassword").val();
// hardcoded superuser credentials, compared in the browser rather than on the device
if ((account == "chcadmin") && (password == "chcpassword")) { //N72设置超级用户名和超级密码 (translation: N72 sets the super username and super password)
    var url = "index.html?";
    url += "param1=" + product_model + "&";
    url += "param2=" + bluetoothShow + "&";
    url += "param3=" + wifiShow + "&";
    url += "param4=" + ethernetShow + "&";
    url += "param5=" + g3Show + "&";
    url += "param6=" + radioShow + "&";
    url += "param7=" + mailShow + "&";
    url += "param8=" + gprs_type + "&";
    url += "param9=" + "admin" + "&";   // the only thing that marks the session as admin is this query parameter
    url += "param10=three";
    url += "&v=" + version;
    $.cookie('status', true);          // the "logged in" flag is a cookie the browser sets for itself
    window.location.href = url;
}
not only do all CHCNAV GNSS base stations have a built-in superadmin account as a backdoor—the Chinese comment indicates the credentials' function rather explicitly—the authentication check for it also happens entirely in the frontend javascript, so nothing on the device side ever verifies who is asking. all you need to do to directly log in as an administrator is set param9 to admin (while making sure all other params have correct values, though that shouldn't be too hard) and you're golden.

based on a quick Zoomeye search ("./pc/login.html?v="), there are currently between four thousand and six thousand of these devices deployed in the wild. about half of those are in Russia (2.7k), with Thailand (1.3k), Turkey (1.1k), Brazil (280) and Israel (275) completing the top 5 list.
i hadn't done anything with this 0day nor dropped it until now because it's pretty useless, at least to me—even if it were possible to gain RCE on these devices (and it almost definitely pretty trivially is, if anyone wants to have some fun), they're all isolated on cellular networks, so they're completely useless for lateral movement. i was eventually going to drop a full chain purely for bragging rights but i don't think i'll ever get around to that, so have at it. it's likely that other CHCNAV device families are vulnerable in similar ways, but i haven't explored that either. oh—and before anyone asks, i don't think this vuln is useful for any kind of sabotage, given that by nature it is difficult to identify who a device belongs to and how exactly the devices work (to my limited understanding).
anyways that's it, stay silly :3 and i'm so sorry to my editor ryan who will wake up to this absolute mess of a blog post i just wrote up in like an hour at 6am.