ID

VAR-201412-0408


CVE

CVE-2014-9183


TITLE

ZTE ZXDSL 831CII vulnerability that allows administrator privileges to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2014-005732

DESCRIPTION

ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges. ZXDSL831 is an ADSL modem produced by ZTE Corporation. It is a modem with a routing function, which can be called a modem router.

ZTE 831CII is prone to the following security vulnerabilities:

1. An HTML-injection vulnerability
2. A cross-site request-forgery vulnerability
3. An unspecified clickjacking vulnerability
4. An information-disclosure vulnerability
5. An unauthorized-access vulnerability

Exploiting these issues may allow a remote attacker to perform certain administrative actions, execute arbitrary script or HTML code within the context of the browser, steal cookie-based authentication credentials, gain unauthorized access, perform a man-in-the-middle attack to obtain sensitive information, or compromise the affected device. Other attacks are also possible.

Hardcoded default misconfiguration - The modem comes with admin:admin user credentials.

Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0 Any user browsing to http://192.168.1.1/main.html will have a stored XSS executed!

CSRF based Stored XSS - http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6 - letting an admin visit this link would result in the admin username being changed to ';alert(0);// which is also a stored XSS in the home page.

CSRF - There is no token/CAPTCHA or even a current password prompt when the admin changes the password, and credentials are sent over GET. PoC: http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=F6C656269697 - if an authenticated admin browses that link their credentials will become admin:yibelo.

UI Redressing - The modem (like most modems) does not have clickjacking protection. Thus, it can be used to modify settings or override admin accounts by a simple clickjack. For example, by using http://192.168.1.1/adminpasswd.html it is possible to trick an admin into submitting a form with our credentials (since it doesn't require the current password).

Not using SSL - The modem does not use HTTPS, so anyone can use MiTM to sniff ongoing actions and possibly gain user credentials.

Unrestricted privileges - Anyone who is connected to the modem with Telnet or tftp is root. Simply telneting and authenticating as admin:admin and typing sh and echo $USER would prove that.

Trust: 2.61

sources: NVD: CVE-2014-9183 // JVNDB: JVNDB-2014-005732 // CNVD: CNVD-2014-08707 // BID: 70984 // VULHUB: VHN-77128 // PACKETSTORM: 129016

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-08707

AFFECTED PRODUCTS

vendor: zte, model: zxdsl, scope: eq, version: 831cii

Trust: 1.6

vendor: zte, model: zxdsl 831cii, scope: -, version: -

Trust: 0.8

vendor: zte, model: zxdsl, scope: eq, version: 831

Trust: 0.6

sources: CNVD: CNVD-2014-08707 // JVNDB: JVNDB-2014-005732 // CNNVD: CNNVD-201412-040 // NVD: CVE-2014-9183

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-9183
value: HIGH

Trust: 1.0

NVD: CVE-2014-9183
value: HIGH

Trust: 0.8

CNVD: CNVD-2014-08707
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201412-040
value: CRITICAL

Trust: 0.6

VULHUB: VHN-77128
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-9183
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-08707
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-77128
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2014-08707 // VULHUB: VHN-77128 // JVNDB: JVNDB-2014-005732 // CNNVD: CNNVD-201412-040 // NVD: CVE-2014-9183

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-77128 // JVNDB: JVNDB-2014-005732 // NVD: CVE-2014-9183

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201412-040

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201412-040

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005732

PATCH

title: ZXDSL 831CII, url: http://wwwen.zte.com.cn/pub/en/products/access/cpe/201111/t20111110_262350.html

Trust: 0.8

sources: JVNDB: JVNDB-2014-005732

EXTERNAL IDS

db: NVD, id: CVE-2014-9183

Trust: 3.5

db: PACKETSTORM, id: 129016

Trust: 3.2

db: JVNDB, id: JVNDB-2014-005732

Trust: 0.8

db: CNNVD, id: CNNVD-201412-040

Trust: 0.7

db: CNVD, id: CNVD-2014-08707

Trust: 0.6

db: BID, id: 70984

Trust: 0.3

db: VULHUB, id: VHN-77128

Trust: 0.1

sources: CNVD: CNVD-2014-08707 // VULHUB: VHN-77128 // BID: 70984 // JVNDB: JVNDB-2014-005732 // PACKETSTORM: 129016 // CNNVD: CNNVD-201412-040 // NVD: CVE-2014-9183

REFERENCES

url:http://packetstormsecurity.com/files/129016/zte-831cii-hardcoded-credential-xss-csrf.html

Trust: 3.1

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-9183

Trust: 1.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9183

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2014-9183

Trust: 0.1

url:http://192.168.1.1/psilan.cgi?action=save&ethipaddress=192.168.1.1&ethsubnetmask=255.255.255.0&hostname=zxdsl83c1ii&domainname=home%27;alert%280%29;//&enblupnp=1&enbllan2=0

Trust: 0.1

url:http://192.168.1.1/adminpasswd.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9019

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-9020

Trust: 0.1

url:http://192.168.1.1/main.html

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=%27;alert%280%29;//&syspassword=37f6e6f627b6

Trust: 0.1

url:http://192.168.1.1/adminpasswd.cgi?action=save&sysusername=admin&syspassword=f6c656269697

Trust: 0.1

sources: CNVD: CNVD-2014-08707 // VULHUB: VHN-77128 // JVNDB: JVNDB-2014-005732 // PACKETSTORM: 129016 // CNNVD: CNNVD-201412-040 // NVD: CVE-2014-9183

CREDITS

habte.yibelo

Trust: 0.3

sources: BID: 70984

SOURCES

db: CNVD, id: CNVD-2014-08707
db: VULHUB, id: VHN-77128
db: BID, id: 70984
db: JVNDB, id: JVNDB-2014-005732
db: PACKETSTORM, id: 129016
db: CNNVD, id: CNNVD-201412-040
db: NVD, id: CVE-2014-9183

LAST UPDATE DATE

2025-04-12T23:04:56.518000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-08707, date: 2014-12-04T00:00:00
db: VULHUB, id: VHN-77128, date: 2014-12-03T00:00:00
db: BID, id: 70984, date: 2014-12-09T00:55:00
db: JVNDB, id: JVNDB-2014-005732, date: 2014-12-03T00:00:00
db: CNNVD, id: CNNVD-201412-040, date: 2014-12-03T00:00:00
db: NVD, id: CVE-2014-9183, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-08707, date: 2014-12-04T00:00:00
db: VULHUB, id: VHN-77128, date: 2014-12-02T00:00:00
db: BID, id: 70984, date: 2014-11-06T00:00:00
db: JVNDB, id: JVNDB-2014-005732, date: 2014-12-03T00:00:00
db: PACKETSTORM, id: 129016, date: 2014-11-07T16:52:33
db: CNNVD, id: CNNVD-201412-040, date: 2014-12-03T00:00:00
db: NVD, id: CVE-2014-9183, date: 2014-12-02T18:59:01.277