*ZTE ADSL modems - Multiple vulnerabilities*

Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*

*CVE-ID*: CVE-2015-7257

Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*

Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*

Any non-admin user can change 'admin' password.


*Steps to reproduce:*

a. Login as user 'support' password XXX

b. Access Password Change page - https://<IP>/password.htm

c. Submit request

d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'

e. Enter the new password ­> old password is not requested ­> Submit

­> Login as admin

-> Pwn!



2 *Sensitive information disclosure - clear-text passwords*

Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.

*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

Username: admin

Password: <­­­ admin/XXX1

$sh

ADSL#login show                 <--­­­ shows user information

Username Password Priority

admin        password1 2

support      password2 0

admin         password3 1



3 *(Potential) Backdoor account feature - **insecure account management*

Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

*CVE-ID*: CVE-2015-7259

It is considered as a (redundant) login support *feature*.


*Steps to reproduce:*

$ telnet <IP>

Trying <IP>...

Connected to <IP>.

Escape character is '^]'.

User Access Verification

User Access Verification

Username: admin

Password: <­--­­ admin/password3

$sh

ADSL#login show

Username  Password  Priority

admin  password1  2

support  password2  0

admin  password3  1

+++++

Best Regards,

Karn Ganeshen
-- 
Best Regards,
Karn Ganeshen