ID

VAR-201411-0113


CVE

CVE-2014-9019


TITLE

ZTE ZXDSL 831CII Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2014-005570

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi.

The ZTE 831CII is a router device. ZTE 831CII is prone to the following security vulnerabilities: 1. An HTML-injection vulnerability 2. A cross-site request-forgery vulnerability 3. An unspecified clickjacking vulnerability 4. An information-disclosure vulnerability 5. Other attacks are also possible.

ZTE ZXDSL 831CII is an ADSL modem product of China ZTE Corporation (ZTE). The vulnerability comes from the fact that the adminpasswd.cgi file does not fully filter the 'sysUserName' and 'sysPassword' parameters when the program executes the save operation.

Hardcoded default misconfiguration - The modem comes with admin:admin user credentials.

Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0 Any user browsing to http://192.168.1.1/main.html will have a stored XSS executed!

CSRF based Stored XSS - http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6 - letting an admin visit this link would result in the admin username being changed to ';alert(0);// which is also a stored XSS in the home page.

CSRF - There is no token/CAPTCHA or even a current password prompt when the admin changes the password, and credentials are sent over GET. PoC: http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=F6C656269697 If an authenticated admin browses that link, their credentials will become admin:yibelo

UI Redressing - The modem (like most modems) does not have clickjacking protection. Thus, it can be used to modify settings or override admin accounts by a simple clickjack. For example, by using http://192.168.1.1/adminpasswd.html it is possible to trick an admin into submitting a form with our credentials (since it doesn't require the current password).

Not using SSL - The modem does not use HTTPS, so anyone can use MiTM to sniff ongoing actions and possibly gain user credentials.

Unrestricted privileges - Anyone who is connected to the modem with Telnet or tftp is root. Simply telneting and authenticating as admin:admin and typing sh and echo $USER would prove that.

Trust: 2.61

sources: NVD: CVE-2014-9019 // JVNDB: JVNDB-2014-005570 // CNVD: CNVD-2014-08309 // BID: 70984 // VULHUB: VHN-76964 // PACKETSTORM: 129016

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-08309

AFFECTED PRODUCTS

vendor: zte, model: zxdsl, scope: eq, version: 831cii

Trust: 2.4

vendor: zte, model: 831cii, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2014-08309 // JVNDB: JVNDB-2014-005570 // CNNVD: CNNVD-201411-230 // NVD: CVE-2014-9019

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-9019
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-9019
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-08309
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201411-230
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76964
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-9019
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-08309
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-76964
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76964 // JVNDB: JVNDB-2014-005570 // CNNVD: CNNVD-201411-230 // NVD: CVE-2014-9019

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-76964 // JVNDB: JVNDB-2014-005570 // NVD: CVE-2014-9019

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-230

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201411-230

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005570

PATCH

title: Top Page, url: http://wwwen.zte.com.cn/en/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005570

EXTERNAL IDS

db: NVD, id: CVE-2014-9019

Trust: 3.5

db: BID, id: 70984

Trust: 2.6

db: PACKETSTORM, id: 129016

Trust: 1.8

db: JVNDB, id: JVNDB-2014-005570

Trust: 0.8

db: CNNVD, id: CNNVD-201411-230

Trust: 0.7

db: CNVD, id: CNVD-2014-08309

Trust: 0.6

db: XF, id: 98585

Trust: 0.6

db: VULHUB, id: VHN-76964

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76964 // BID: 70984 // JVNDB: JVNDB-2014-005570 // PACKETSTORM: 129016 // CNNVD: CNNVD-201411-230 // NVD: CVE-2014-9019

REFERENCES

url:http://www.securityfocus.com/bid/70984

Trust: 1.7

url:http://packetstormsecurity.com/files/129016/zte-831cii-hardcoded-credential-xss-csrf.html

Trust: 1.7

url:http://www.securityfocus.com/archive/1/archive/1/533930/100/0/threaded

Trust: 1.4

url:http://www.securityfocus.com/archive/1/533930/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98585

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9019

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9019

Trust: 0.8

url:http://www.securityfocus.com/bid/70984/

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/98585

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2014-9183

Trust: 0.1

url:http://192.168.1.1/psilan.cgi?action=save&ethipaddress=192.168.1.1&ethsubnetmask=255.255.255.0&hostname=zxdsl83c1ii&domainname=home%27;alert%280%29;//&enblupnp=1&enbllan2=0

Trust: 0.1

url:http://192.168.1.1/adminpasswd.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9019

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9020

Trust: 0.1

url:http://192.168.1.1/main.html

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=%27;alert%280%29;//&syspassword=37f6e6f627b6

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=admin&syspassword=f6c656269697

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76964 // JVNDB: JVNDB-2014-005570 // PACKETSTORM: 129016 // CNNVD: CNNVD-201411-230 // NVD: CVE-2014-9019

CREDITS

habte.yibelo

Trust: 0.9

sources: BID: 70984 // CNNVD: CNNVD-201411-230

SOURCES

db: CNVD, id: CNVD-2014-08309
db: VULHUB, id: VHN-76964
db: BID, id: 70984
db: JVNDB, id: JVNDB-2014-005570
db: PACKETSTORM, id: 129016
db: CNNVD, id: CNNVD-201411-230
db: NVD, id: CVE-2014-9019

LAST UPDATE DATE

2025-04-13T23:26:47.923000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-08309, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-76964, date: 2018-10-09T00:00:00
db: BID, id: 70984, date: 2014-12-09T00:55:00
db: JVNDB, id: JVNDB-2014-005570, date: 2014-11-21T00:00:00
db: CNNVD, id: CNNVD-201411-230, date: 2014-11-21T00:00:00
db: NVD, id: CVE-2014-9019, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-08309, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-76964, date: 2014-11-20T00:00:00
db: BID, id: 70984, date: 2014-11-06T00:00:00
db: JVNDB, id: JVNDB-2014-005570, date: 2014-11-21T00:00:00
db: PACKETSTORM, id: 129016, date: 2014-11-07T16:52:33
db: CNNVD, id: CNNVD-201411-230, date: 2014-11-15T00:00:00
db: NVD, id: CVE-2014-9019, date: 2014-11-20T17:50:07.847