what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ZTE MF253V 1.0.0B04 XSS / CSRF / Hardcoded Password

ZTE MF253V 1.0.0B04 XSS / CSRF / Hardcoded Password
Posted Nov 24, 2020
Authored by T. Weber, Steffen Robertz | Site sec-consult.com

ZTE WLAN router MF253V version 1.0.0B04 suffers from cross site request forgery, hardcoded password, outdated component, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | 2ad4c83e851b5a6d905cd41028173a338d0361610fcbc55e00ab71b116573c19

ZTE MF253V 1.0.0B04 XSS / CSRF / Hardcoded Password

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20201123-0 >
title: Multiple Vulnerabilities
product: ZTE WLAN router MF253V
vulnerable version: V1.0.0B04
fixed version: V1.0.0B05
CVE number:
impact: Medium
homepage: https://www.zte.com.cn
found: 2020-01-07
by: T. Weber (Office Vienna)
S. Robertz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America



Vendor description:
"ZTE Corporation is a global leader in telecommunications and information
technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock
Exchanges, the company has been committed to providing integrated end-to-end
innovations to deliver excellence and value to consumers, carriers, businesses
and public sector customers from over 160 countries around the world to enable
increased connectivity and productivity."

Source: https://www.zte.com.cn/global/about/corporate_information

Business recommendation:
The vendor provides a patch via push notifications in the web-interface of the
device. The patch should be installed immediately.

SEC Consult recommends to perform a thorough security review of these
products conducted by security professionals to identify and resolve all
security issues.

Vulnerability overview/description:
1) Hardcoded Password for Config File
The device contains a hardcoded password for the config file. Hence, all config
files from devices of the same model can be decrypted and modified by an
attacker for malicious purposes.

2) Config Upload via Cross-Site Request Forgery (CSRF)
A malicious config file can be uploaded by exploiting a CSRF vulnerability. An
attacker can reconfigure the router by luring the user to a crafted web-site.

3) Stored Cross-Site Scripting (XSS)
A cross-site scripting payload can be placed by an authenticated attacker by
intercepting a POST request to "/goform/goform_set_cmd_process" or by abusing
the config upload described in section 2). Thus, an attacker is able to perform
malicious actions in the context of the attacked user.

4) Multiple Outdated Software Components
Multiple outdated software components containing vulnerabilities were found by
the IoT Inspector.

Proof of concept:
1) Hardcoded Password for Config File
The script "/usr/zte/zte_conf/scripts/para_backup.sh" contains the hardcoded
password "himan". It is used to prevent tampering with the configuration file.

The initial encrypted configuration can be obtained by logging in and visiting:

OpenSSL 1.0.1:
openssl enc -d -des-ede3-cbc -in <encrypted-config> -out <decrypted-config> -pass pass:himan
OPENSSL 1.1.1:
openssl enc -d -des-ede3-cbc -md md5 -in <encrypted-config> -out <decrypted-config> -pass pass:himan

OpenSSL 1.0.1:
openssl enc -des-ede3-cbc -in <decrypted-config> -out <encrypted-config> -pass pass:himan
OPENSSL 1.1.1:
openssl enc -des-ede3-cbc -md md5 -in <decrypted-config> -out <encrypted-config> -pass pass:himan

2) Config Upload via Cross-Site Request Forgery (CSRF)
Using the hardcoded password one is able to generate valid config files with
malicious settings. The config file can be uploaded by sending the encrypted
config file to "http://$IP/cgi-bin/upload_settings.cgi" while logged in.

A CSRF vulnerability allows the config to be uploaded to the router by visiting
a malicious website when logged in.

3) Stored Cross-Site Scripting (XSS)
By using an intercepting proxy, one is able to inject an XSS payload into the
POST request, resulting in a stored XSS.

POST /goform/goform_set_cmd_process HTTP/1.1
Host: $IP
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://$IP/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 275
Connection: close


Maliciously changing some config values and uploading the tampered config as
explained in section 2) results in a stored XSS as well:

Malicious config excerpt:

4) Multiple Outdated Software Components
The IoT Inspector recognized multiple outdated software components with known

Busybox 1.23.1: 3 CVEs
OpenSSL 1.0.1k: 37 CVEs
Curl 7.21.1: 2 CVEs
Hostapd 2.3: 21 CVEs
Linux Kernel 3.18.20: 191 CVEs
Dnsmasq 2.78: 1 CVE

Vulnerable / tested versions:
The following product/firmware version has been tested:
* ZTE MF253V V1.0.0B04

Vendor contact timeline:
2020-01-16: Sent encrypted advisory to the vendor.
2020-01-17: Vendor confirmed reception of advisory.
2020-02-26: Vendor confirmed vulnerabilities.
2020-03-12: Vendor provided a statement about the outdated software components.
2020-06-03: Vendor prepares a statement about the next steps.
2020-08-04: Telephone call with the vendor. Updates have been released and are
available as a push notification in the web-interface of the router.
Vendor prepares a list of fixed issues for SEC Consult.
2020-08-30: Multiple phone calls with vendor. Release notes delayed due to
sick employees.
2020-09-29: Received release notes of patch.
2020-11-23: Public release of the security advisory.

Upgrade to release: ZTE MF253V V1.0.0B05
- Config Upload via Cross-Site Request Forgery (CSRF)
- Stored Cross-Site Scripting (XSS)
- Hardcoded Password for Config File
- Updated OpenSSL to 1.0.2r
Other software components could not be upgraded.


Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber, S. Robertz / @2020

Login or Register to add favorites

File Archive:

May 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    16 Files
  • 3
    May 3rd
    38 Files
  • 4
    May 4th
    15 Files
  • 5
    May 5th
    35 Files
  • 6
    May 6th
    0 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    8 Files
  • 9
    May 9th
    65 Files
  • 10
    May 10th
    19 Files
  • 11
    May 11th
    27 Files
  • 12
    May 12th
    8 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    1 Files
  • 15
    May 15th
    19 Files
  • 16
    May 16th
    66 Files
  • 17
    May 17th
    28 Files
  • 18
    May 18th
    32 Files
  • 19
    May 19th
    13 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    23 Files
  • 23
    May 23rd
    15 Files
  • 24
    May 24th
    49 Files
  • 25
    May 25th
    20 Files
  • 26
    May 26th
    13 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    11 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By