threat9 / routersploit

Exploitation Framework for Embedded Devices

bug in ZTE ZXHN H108N #588

Closed sasatefa2009 closed 5 years ago

sasatefa2009 commented 5 years ago

Steps to Reproduce

  1. go to 192.168.1.1/wizard_wlan_t.gch

Current Behavior

(screenshot attached in the original issue)

idk how routersploit checks the router model, but the router login page has the following head tag in the HTML: ZXHN H108N V2.5

lucyoa commented 5 years ago

Could you please send us the HTML source of that page: /wizard_wlan_t.gch. Just change the SSID name and passphrase in the source to something like "SSID Name" and "Password".

It seems that exploitation of this vulnerability is pretty straightforward.

sasatefa2009 commented 5 years ago

@lucyoa here is the source

SSID is in line 252, Password is in line 83

source.zip

lucyoa commented 5 years ago

I have implemented module for this vulnerability: #590. Can you please check it out? Thanks :)

sasatefa2009 commented 5 years ago

hello @lucyoa, the exploit works very well for retrieving the SSID and password, except for one thing: the exploit is not meant in the first place for password disclosure, but I also could change the password and SSID, plus everything in the picture above.

it might be a good idea not to let routersploit handle any information change and to let the user do so through their browser; adding this message after the disclosure would be enough:

" Furthermore, You can also navigate to target.ip/wizard_wlan_t.gch to change your Wi-Fi Credentials "

Secondly, I also found out that I can't set the target with https, e.g. (https://192.168.1.1), and that's what I get when I do this:

```
rsf (ZTE ZXHN H108N Wifi Password Disclosure) > set target https://192.168.1.1/
[-] Invalid address. Provided address is not valid IPv4 or IPv6 address.
```

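
The `set target` rejection above comes from a validator that accepts only a bare IPv4/IPv6 address, so a URL with a scheme is refused. As an added example (not routersploit's own code), here is a target parser that accepts either a bare address or an http/https URL, keeps the scheme and port, and still enforces the IP-only rule the error message states. `Target`, `parse_target` and `base_url` are hypothetical names; the URL path is dropped on the assumption that each module supplies its own path (such as /wizard_wlan_t.gch from this issue).

```python
import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit

# Default ports for the only schemes this parser accepts (assumption: web-only modules).
DEFAULT_PORTS = {"http": 80, "https": 443}


class Target(NamedTuple):
    scheme: str
    host: str   # bare IPv4 or IPv6 literal, brackets removed
    port: int


def parse_target(value: str) -> Target:
    """Parse "192.168.1.1", "https://192.168.1.1/" or "http://[::1]:8080/x" into a Target.

    Raises ValueError for anything that is not an http/https URL whose host is an
    IP literal; hostnames are rejected to keep the page's IP-only rule.
    """
    value = value.strip()
    if "://" not in value:
        # A bare address (optionally with :port) is treated as plain http.
        value = "http://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"Unsupported scheme {scheme!r}; expected http or https")
    host = parts.hostname  # lowercased, brackets stripped for IPv6, None if missing
    if host is None:
        raise ValueError("Missing host in target")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError("Provided address is not valid IPv4 or IPv6 address") from None
    try:
        port = parts.port  # None when absent; ValueError when non-numeric or out of range
    except ValueError as exc:
        raise ValueError(f"Invalid port in target: {exc}") from None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # parts.path is intentionally discarded: modules append their own path.
    return Target(scheme, host, port)


def base_url(target: Target) -> str:
    """Rebuild the origin a module should prefix its path with (IPv6 re-bracketed)."""
    host = f"[{target.host}]" if ":" in target.host else target.host
    if target.port == DEFAULT_PORTS[target.scheme]:
        return f"{target.scheme}://{host}"
    return f"{target.scheme}://{host}:{target.port}"


if __name__ == "__main__":
    for sample in ("192.168.1.1", "https://192.168.1.1/", "http://[::1]:8080/x",
                   "http://router.local", "ftp://192.168.1.1"):
        try:
            t = parse_target(sample)
            print(f"{sample!r:32} -> {t} -> {base_url(t)}/wizard_wlan_t.gch")
        except ValueError as exc:
            print(f"{sample!r:32} -> rejected: {exc}")
```

The parser keeps the error text the page shows for non-IP hosts, so existing output stays familiar while `https://…` targets become usable; a module then builds its request URL from `base_url(target)` plus its own path.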
sasatefa2009 commented 5 years ago

@lucyoa i also found a bug while running the scanners/autopwn

```
[-] 192.168.1.1:80 http creds/cameras/axis/webinterface_http_auth_default_creds is not vulnerable
Exception in thread thread-7:
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.7/threading.py", line 865, in run
    self._target(*self._args, **self._kwargs)
  File "/root/Downloads/routersploit-clone/routersploit/modules/creds/generic/telnet_default.py", line 53, in target_function
    username, password = data.next().split(":")
ValueError: too many values to unpack (expected 2)

[-] 192.168.1.1:23 telnet creds/generic/telnet_default is not vulnerable
```

but good news, it was detected at the end as vulnerable:

```
[+] 192.168.1.1 Device is vulnerable:

   Target          Port     Service     Exploit
   ------          ----     -------     -------
   192.168.1.1     80       http        exploits/routers/zte/zxhn_h108n_wifi_password_disclosure

[-] 192.168.1.1 Could not find default credentials
```

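
The `ValueError: too many values to unpack` in the traceback is what `line.split(":")` produces when a wordlist line contains more than one colon (a password such as `pass:word` yields three fields), and because it escapes inside a worker thread the scan silently loses that thread. As an added example (not routersploit's code), here is a line parser that splits on the first colon only plus a loader that logs and skips malformed lines instead of raising; `SAMPLE_WORDLIST` is constructed for the demo and the function names are hypothetical. The assumption is that usernames never contain a colon, which is the only way a `user:password` line can be split unambiguously.

```python
import logging
from typing import Iterable, Iterator, Optional, Tuple

log = logging.getLogger(__name__)

# Constructed sample wordlist: a normal pair, a password containing ':', a comment,
# an empty password, a blank line and a line with no separator at all.
SAMPLE_WORDLIST = """\
admin:admin
root:pass:word
# comment line
guest:

malformed-no-separator
"""


def naive_parse(line: str) -> Tuple[str, str]:
    """The pattern from the traceback: split on every colon.

    Raises ValueError("too many values to unpack") whenever the password has a ':'.
    """
    username, password = line.split(":")
    return username, password


def parse_credential_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) for one wordlist line, or None for blank/comment lines.

    Splits on the first colon only, so the password may itself contain colons.
    Raises ValueError when the line has no separator at all.
    """
    line = line.rstrip("\r\n")  # keep other whitespace: it may be part of the password
    if not line or line.startswith("#"):
        return None
    if ":" not in line:
        raise ValueError(f"no 'user:password' separator in {line!r}")
    username, password = line.split(":", 1)
    return username, password


def load_credentials(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield credential pairs from a wordlist, skipping bad lines with a warning.

    A malformed line is logged with its line number and ignored, so one bad entry
    cannot terminate the thread that is iterating the list.
    """
    for lineno, line in enumerate(lines, 1):
        try:
            pair = parse_credential_line(line)
        except ValueError as exc:
            log.warning("skipping wordlist line %d: %s", lineno, exc)
            continue
        if pair is not None:
            yield pair


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for username, password in load_credentials(SAMPLE_WORDLIST.splitlines(keepends=True)):
        print(f"user={username!r} password={password!r}")
    try:
        naive_parse("root:pass:word")
    except ValueError as exc:
        print(f"naive split fails on the same line: {exc}")
```

Running the demo shows three usable pairs from the sample list (the `root` entry keeps its full `pass:word`), one warning for the separator-less line, and the exact `ValueError` from the page when the naive split is applied to the same input.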
minanagehsalalma commented 4 years ago

@sasatefa2009 Where did you find that page? I can't find it in the router firmware files and it's not there in the router pages... I can only access it using the URL.

@lucyoa I think it's there in another ISP's router with the same model under a different URL... How can I find it if it's not in the firmware files? Can you do it using emulation if I send you the firmware?