*ZTE ADSL modems - Multiple vulnerabilities* Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57* 1 *Insufficient authorization controls* *CVE-ID*: CVE-2015-7257 Observed in Password Change functionality. Other functions may be vulnerable as well. *Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password. *Vulnerability:* Any non-admin user can change 'admin' password. *Steps to reproduce:* a. Login as user 'support' password XXX b. Access Password Change page - http:///password.htm c. Submit request d. Intercept and Tamper the parameter username change from 'support' to 'admin' e. Enter the new password > old password is not requested > Submit > Login as admin -> Pwn! 2 *Sensitive information disclosure - clear-text passwords* Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text. *CVE-ID*: CVE-2015-7258 *Steps to reproduce:* $ telnet Trying ... Connected to . Escape character is '^]'. User Access Verification Username: admin Password: < admin/XXX1 $sh ADSL#login show <-- shows user information Username Password Priority admin password1 2 support password2 0 admin password3 1 3 *(Potential) Backdoor account feature - **insecure account management* Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination. *CVE-ID*: CVE-2015-7259 It is considered as a (redundant) login support *feature*. *Steps to reproduce:* $ telnet Trying ... Connected to . Escape character is '^]'. User Access Verification User Access Verification Username: admin Password: <-- admin/password3 $sh ADSL#login show Username Password Priority admin password1 2 support password2 0 admin password3 1 +++++ Best Regards, Karn Ganeshen -- Best Regards, Karn Ganeshen