SSD Advisory – ZTE ZXR10 Router Multiple Vulnerabilities

Vulnerabilities summary
The following advisory describes five (5) vulnerabilities found in ZTE ZXR10 Router.
ZXR10 ZSR V2 series router is “the next generation intelligent access router product of ZTE, which integrates routing, switching, wireless, security, and VPN gateway. The product adopts industry-leading hardware platform and software architecture to provide an intelligent and flexible platform for building efficient, reliable, flexible, and maintainable enterprise intelligence networks.”
The vulnerabilities found are:

  • Hard-coded credentials
  • Arbitrary file upload
  • Authentication bypass
  • Arbitrary file read
  • Unauthorized configuration file download

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address these vulnerabilities.
For more details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10931
CVE: CVE-2017-10931

Vulnerabilities details
Hard-coded credentials
Username: who
Password: who
Username: zte
Password: zte
Username: ncsh
Password: ncsh
Arbitrary file upload
A user that has logged in can upload malicious configuration file.
Usually, when a user tries to upload a file via web interface (“System Maintenance -> Configuration Management -> Loads specified system configuration” web interface) there is a limit to which filename can be used.

The filename limitation is forced by the web interface (front-end), by modifying the POST request using proxy (burp for example):

We can bypass this restriction.
In addition, after we uploaded a file, we can modify the startrun.dat to startrun.txt.
We can do that by going to System Maintenance -> Configuration Management -> Back up system settings and send the following POST request:

Authentication bypass
One of the ways ZTE ZXR10 web server distinguish between Administrator and regular user is by adding in the user cookie ‘authority’ parameter.

authority=2 for Admin
authority=1 for User

Admin

User

A user can only view the basic information:

If a user will edit the content of the cookie (‘authority’ parameter) he could log as an administrator:

We will refresh the page and page see that we logged as administrator. Now we can download the configuration file the the list of users and passwords:

Arbitrary file read
An authenticated user can send a ping from the web interface (System Maintenance -> Diagnostic Tools).
The GET request is vulnerable and can be modify to read the arbitrary files.
Successful exploitation of this vulnerability enables a remote authenticated user to read the content of any file existing on the host, this includes files located outside of the web root folder.
Original GET request:

Modified request:

Server response:

Unauthorized configuration file download
Users do not have permission to download the configuration file.
By sending the following POST request, any logged user can download the configuration file:

replace the SESSIONID to the current login value, note that, authotiry no need to change, and then successfully download the configuration file: