ID

VAR-201411-0114


CVE

CVE-2014-9020


TITLE

Cross-site scripting vulnerability in the Quick Stats page of ZTE ZXDSL 831 and 831CII

Trust: 0.8

sources: JVNDB: JVNDB-2014-005571

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII allows remote attackers to inject arbitrary web script or HTML via the domainname parameter in a save action. NOTE: this issue was SPLIT from CVE-2014-9021 per ADT1 due to different affected products and codebases.

The ZTE 831CII is a router device. ZTE 831CII has HTML injection, cross-site request forgery, clickjacking, information disclosure, and unauthorized access vulnerabilities, allowing remote attackers to perform certain administrative operations, execute arbitrary scripts or HTML code in the browser context, or steal cookie-based authentication certificates.

ZTE 831CII is prone to the following security vulnerabilities:
1. An HTML-injection vulnerability
2. A cross-site request-forgery vulnerability
3. An unspecified clickjacking vulnerability
4. An information-disclosure vulnerability
5. Other attacks are also possible.

Both ZTE ZXDSL 831 and 831CII are ADSL modem (Modem) products of China ZTE Corporation.

Hardcoded default misconfiguration - The modem comes with admin:admin user credentials.

Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0 Any user browsing to http://192.168.1.1/main.html will have a stored XSS executed!

CSRF based Stored XSS - http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6 - letting an admin visit this link would result in the admin username being changed to ';alert(0);// which is also a stored XSS in the home page.

CSRF - there is no token/captcha or even current password prompt when the admin changes the password, and credentials are sent over GET. PoC: http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=F6C656269697 If an authenticated admin browses that link, their credentials will become admin:yibelo.

UI Redressing - The modem (like most modems) does not have clickjacking protection. Thus, it can be used to modify settings and override admin accounts by a simple clickjack. For example, by using http://192.168.1.1/adminpasswd.html it is possible to trick an admin into submitting a form with our credentials (since it doesn't require the current password).

Not using SSL - The modem does not use HTTPS, so anyone can use MiTM to sniff ongoing actions and possibly gain user credentials.

Unrestricted privileges - anyone who is connected to the modem with Telnet or tftp is root. Simply telneting and authenticating as admin:admin and typing sh and echo $USER would prove that.

# Exploit Title: ZTE ZXDSL 831 Multiple Cross Site Scripting
# Date: 11/3/2014
# Exploit Author: Paulos Yibelo
# Vendor Homepage: zte.com.cn
# Software Link: -
# Version: -
# Tested on: Windows 7
# CVE :-
TR-069 Client page: Stored

Trust: 2.7

sources: NVD: CVE-2014-9020 // JVNDB: JVNDB-2014-005571 // CNVD: CNVD-2014-08309 // BID: 70984 // VULHUB: VHN-76965 // PACKETSTORM: 129016 // PACKETSTORM: 129017

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-08309

AFFECTED PRODUCTS

vendor: zte, model: zxdsl 831cii, scope: eq, version: -

Trust: 1.6

vendor: zte, model: zxdsl 831, scope: eq, version: -

Trust: 1.6

vendor: zte, model: zxdsl 831, scope: -, version: -

Trust: 0.8

vendor: zte, model: zxdsl 831cii, scope: -, version: -

Trust: 0.8

vendor: zte, model: 831cii, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2014-08309 // JVNDB: JVNDB-2014-005571 // CNNVD: CNNVD-201411-377 // NVD: CVE-2014-9020

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-9020
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-9020
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-08309
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201411-377
value: MEDIUM

Trust: 0.6

VULHUB: VHN-76965
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-9020
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-08309
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-76965
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76965 // JVNDB: JVNDB-2014-005571 // CNNVD: CNNVD-201411-377 // NVD: CVE-2014-9020

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-76965 // JVNDB: JVNDB-2014-005571 // NVD: CVE-2014-9020

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-377

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 129017 // CNNVD: CNNVD-201411-377

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005571

PATCH

title: Top Page, url: http://wwwen.zte.com.cn/en/

Trust: 0.8

sources: JVNDB: JVNDB-2014-005571

EXTERNAL IDS

db: NVD, id: CVE-2014-9020

Trust: 3.6

db: BID, id: 70984

Trust: 2.6

db: PACKETSTORM, id: 129017

Trust: 1.8

db: PACKETSTORM, id: 129016

Trust: 1.8

db: BID, id: 70985

Trust: 1.7

db: JVNDB, id: JVNDB-2014-005571

Trust: 0.8

db: CNNVD, id: CNNVD-201411-377

Trust: 0.7

db: CNVD, id: CNVD-2014-08309

Trust: 0.6

db: BUGTRAQ, id: 20141106 ZTE 831CII MULTIPLE VULNERABLITIES

Trust: 0.6

db: XF, id: 98584

Trust: 0.6

db: VULHUB, id: VHN-76965

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76965 // BID: 70984 // JVNDB: JVNDB-2014-005571 // PACKETSTORM: 129016 // PACKETSTORM: 129017 // CNNVD: CNNVD-201411-377 // NVD: CVE-2014-9020

REFERENCES

url:http://www.securityfocus.com/bid/70984

Trust: 1.7

url:http://www.securityfocus.com/bid/70985

Trust: 1.7

url:http://packetstormsecurity.com/files/129016/zte-831cii-hardcoded-credential-xss-csrf.html

Trust: 1.7

url:http://packetstormsecurity.com/files/129017/zte-zxdsl-831-cross-site-scripting.html

Trust: 1.7

url:http://www.securityfocus.com/archive/1/archive/1/533930/100/0/threaded

Trust: 1.4

url:http://www.securityfocus.com/archive/1/archive/1/533931/100/0/threaded

Trust: 1.4

url:http://www.securityfocus.com/archive/1/533930/100/0/threaded

Trust: 1.1

url:http://www.securityfocus.com/archive/1/533931/100/0/threaded

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98584

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9020

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9020

Trust: 0.8

url:http://www.securityfocus.com/bid/70984/

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/98584

Trust: 0.6

url:http://192.168.1.1/psilan.cgi?action=save&ethipaddress=192.168.1.1&ethsubnetmask=255.255.255.0&hostname=zxdsl83c1ii&domainname=home%27;alert%280%29;//&enblupnp=1&enbllan2=0

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2014-9020

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2014-9183

Trust: 0.1

url:http://192.168.1.1/adminpasswd.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9019

Trust: 0.1

url:http://192.168.1.1/main.html

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=%27;alert%280%29;//&syspassword=37f6e6f627b6

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=admin&syspassword=f6c656269697

Trust: 0.1

url:http://192.168.1.1/tr69cfg.cgi?tr69cinformenable=1&tr69cinforminterval=43200&tr69cacsurl=http://acs.site.et:9090/web/tr069&tr69cacsuser=cpe&tr69cacspwd=cpe&tr69cconnrequser=itms&tr69cconnreqpwd=itms%27;alert%280%29;//&tr69cnoneconnreqauth=0&tr69cdebugenable=0%27;alert%280%29;//

Trust: 0.1

url:http://192.168.1.1/tr69cfg.html

Trust: 0.1

url:http://192.168.1.1/tr69cfg.cgi?tr69cinformenable=1&tr69cinforminterval=43200&tr69cacsurl=http://acs.site.et:9090/web/tr069&tr69cacsuser=cpe%27;alert%280%29;//&tr69cacspwd=cpe&tr69cconnrequser=itms&tr69cconnreqpwd=itms&tr69cnoneconnreqauth=0&tr69cdebugenable=0

Trust: 0.1

url:http://192.168.1.1/tr69cfg.cgi?tr69cinformenable=1&tr69cinforminterval=43200&tr69cacsurl=http://acs.etc.et:9090/web/tr069%27;alert%280%29;//&tr69cacsuser=cpe&tr69cacspwd=cpe&tr69cconnrequser=itms&tr69cconnreqpwd=itms&tr69cnoneconnreqauth=0&tr69cdebugenable=0

Trust: 0.1

url:http://192.168.1.1/tr69cfg.cgi?tr69cinformenable=1&tr69cinforminterval=43200&tr69cacsurl=http://acs.site.et:9090/web/tr069&tr69cacsuser=cpe&tr69cacspwd=cpe%27;alert%280%29;//&tr69cconnrequser=itms&tr69cconnreqpwd=itms&tr69cnoneconnreqauth=0&tr69cdebugenable=0

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9021

Trust: 0.1

url:http://192.168.1.1/sntpcfg.sntp?ntp_enabled=0&tmyear=2000%27lol&tmmonth=01&tmday=01&tmhour=00&tmminute=30&timezone_offset=+08:00&timezone=beijing,%20chongqing,%20hong%20kong,%20urumqi%22;alert%280%29;//&use_dst=0&enbllightsaving=0

Trust: 0.1

sources: CNVD: CNVD-2014-08309 // VULHUB: VHN-76965 // JVNDB: JVNDB-2014-005571 // PACKETSTORM: 129016 // PACKETSTORM: 129017 // CNNVD: CNNVD-201411-377 // NVD: CVE-2014-9020

CREDITS

habte.yibelo

Trust: 0.3

sources: BID: 70984

SOURCES

db: CNVD, id: CNVD-2014-08309
db: VULHUB, id: VHN-76965
db: BID, id: 70984
db: JVNDB, id: JVNDB-2014-005571
db: PACKETSTORM, id: 129016
db: PACKETSTORM, id: 129017
db: CNNVD, id: CNNVD-201411-377
db: NVD, id: CVE-2014-9020

LAST UPDATE DATE

2025-04-13T23:26:48.025000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-08309, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-76965, date: 2018-10-09T00:00:00
db: BID, id: 70984, date: 2014-12-09T00:55:00
db: JVNDB, id: JVNDB-2014-005571, date: 2014-11-21T00:00:00
db: CNNVD, id: CNNVD-201411-377, date: 2014-11-21T00:00:00
db: NVD, id: CVE-2014-9020, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-08309, date: 2014-11-17T00:00:00
db: VULHUB, id: VHN-76965, date: 2014-11-20T00:00:00
db: BID, id: 70984, date: 2014-11-06T00:00:00
db: JVNDB, id: JVNDB-2014-005571, date: 2014-11-21T00:00:00
db: PACKETSTORM, id: 129016, date: 2014-11-07T16:52:33
db: PACKETSTORM, id: 129017, date: 2014-11-07T16:56:04
db: CNNVD, id: CNNVD-201411-377, date: 2014-11-21T00:00:00
db: NVD, id: CVE-2014-9020, date: 2014-11-20T17:50:08.973