Message-ID: <CAAnZqX-k2V4p=2jo=91JnGpB9smA37AoAOx3_fwjXSXCXuUJ1Q@mail.gmail.com>
Date: Tue, 28 Nov 2017 15:23:34 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – ZTE ZXDSL Configuration Reset

SSD Advisory – ZTE ZXDSL Configuration Reset

Full report: https://blogs.securiteam.com/index.php/archives/3546
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a configuration reset vulnerability found
in ZTE ZXDSL 831CII version 6.2.

ZXDSL 831CII is “an ADSL access device to support multiple line modes. It
supports ADSL2/ADSL2+ and is backward compatible to ADSL, even offers
auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2)
according to central office DSLAM’s settings (Digital Subscriber Line
Access Multiplexer). It provides four 10/100Base-T Ethernet interfaces at
the user end. Utilizing the high-speed ADSL connection, the ZXDSL 831CII
can provide users with broadband connectivity to the Internet.”

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
ZTE was informed of the vulnerability. Their response was: “According to
the related product team reply, the affected product 831CII V6.2 has
already ended sales and is no longer maintained by ZTE in 2011.

831CII V2.0, the substitute product of 831CII V6.2, has also already been
out of the service in 2015.

Right now, 831CII V2.0’s substitute product is ZXHN H108 V2.5.”

Vulnerability details
User-controlled input is not sufficiently sanitized, which allows an
unauthenticated user to send a GET request to /resetrouter.cgi with the
parameter lanRefresh=0.

Successful exploitation of this vulnerability enables a remote
unauthenticated user to restart the configuration of the device.
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2
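
Added example, not part of the original advisory or of any SSD or ZTE code: a log check that flags requests to /resetrouter.cgi, with the lanRefresh=0 form from the advisory marked separately. It assumes a proxy or gateway in front of the device's web interface that writes Common Log Format; the function names and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def classify(method, target):
    """Return 'exact' (the advisory's request), 'endpoint' (any other
    request to the same CGI) or None."""
    parts = urlsplit(target)
    # Decode percent-escapes and collapse /./ and /../ before comparing,
    # so an encoded or padded path is still recognised.
    path = posixpath.normpath(unquote(parts.path) or "/").lower()
    if not path.endswith("/resetrouter.cgi"):
        return None
    # Assumption: parameter names are matched case-insensitively to be conservative.
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    if method.upper() == "GET" and "0" in params.get("lanrefresh", []):
        return "exact"
    return "endpoint"

def scan(lines):
    """Return one dict per log line that touches the reset endpoint."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        src, when, method, target, status = m.groups()
        verdict = classify(method, target)
        if verdict:
            hits.append({"src": src, "time": when, "verdict": verdict,
                         "status": int(status), "target": target})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [28/Nov/2017:15:23:34 +0200] "GET /resetrouter.cgi?lanRefresh=0 HTTP/1.1" 200 512',
    '192.0.2.11 - - [28/Nov/2017:15:24:01 +0200] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [28/Nov/2017:15:25:10 +0200] "GET /%72esetrouter.cgi?x=1&lanRefresh=0 HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Nov/2017:15:26:42 +0200] "POST /resetrouter.cgi HTTP/1.1" 200 0',
    '192.0.2.12 - - [28/Nov/2017:15:27:03 +0200] "GET /info.cgi?next=/resetrouter.cgi HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Since the request needs no authentication, any 'exact' hit from an address outside the management network is worth following up with a check of the device's current configuration.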
