ZTE Routers HTTPD Vulnerabilities Advisory 2024

Summary

This advisory presents the results of vulnerability research conducted on multiple ZTE router models (listed below). Four vulnerabilities were identified (CVE-2024-45413, CVE-2024-45414, CVE-2024-45415, CVE-2024-45416). Under different conditions, they allow an attacker with access to the router's HTTP server to gain RCE as root.

Vulnerabilities

Stack-based Buffer Overflow in check_data_integrity Function

CVE ID: CVE-2024-45415

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Category: CWE-121: Stack-based Buffer Overflow

The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in the check_data_integrity function. This function validates the checksum of the data in a POST request. The checksum is sent encrypted in the request; the function decrypts it and stores the checksum on the stack without validating it. An unauthenticated attacker can get RCE as root by exploiting this vulnerability.

Stack-based Buffer Overflow in webPrivateDecrypt Function

CVE ID: CVE-2024-45414

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Category: CWE-121: Stack-based Buffer Overflow

The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in the webPrivateDecrypt function. This function decrypts RSA-encrypted ciphertext; the encrypted data is supplied base64-encoded. The decoded ciphertext is stored on the stack without checking its length. An unauthenticated attacker can get RCE as root by exploiting this vulnerability.
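As an added example (not ZTE's code), here is the check that CVE-2024-45415 and CVE-2024-45414 describe as missing: base64-decoded request data is written into a fixed-size stack buffer only after its decoded size has been verified against the buffer's capacity. The buffer size and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define CIPHERTEXT_MAX 256  /* capacity of the fixed-size stack buffer (assumed) */
/* Map one base64 alphabet character to its 6-bit value, -1 if not in the alphabet. */
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out[0..cap). Returns the decoded length, or -1 on malformed
 * input or when the decoded size would exceed cap; that check runs before any
 * byte is written, so an oversized request field can never overrun the buffer. */
int b64_decode_bounded(const char *in, uint8_t *out, size_t cap) {
    size_t n = strlen(in), pad = 0, o = 0;
    if (n % 4 != 0) return -1;
    if (n >= 2 && in[n - 2] == '=') { if (in[n - 1] != '=') return -1; pad = 2; }
    else if (n >= 1 && in[n - 1] == '=') pad = 1;
    if (n / 4 * 3 - pad > cap) return -1;            /* reject before touching out[] */
    for (size_t i = 0; i < n; i += 4) {
        uint32_t acc = 0;
        for (int k = 0; k < 4; k++) {
            int v = 0;
            if (in[i + k] == '=') { if (i + 4 != n || k < 2) return -1; }  /* pad only at end */
            else if ((v = b64val(in[i + k])) < 0) return -1;
            acc = (acc << 6) | (uint32_t)v;
        }
        size_t emit = (i + 4 == n) ? 3 - pad : 3;      /* padded final group is short */
        for (size_t k = 0; k < emit; k++) out[o++] = (uint8_t)(acc >> (16 - 8 * k));
    }
    return (int)o;
}

/* Handler shape from the advisory: a fixed-size stack buffer receives the decoded
 * ciphertext. Returns its length, or -1 when the request is dropped instead. */
int handle_encrypted_field(const char *b64_field) {
    uint8_t ciphertext[CIPHERTEXT_MAX];
    int len = b64_decode_bounded(b64_field, ciphertext, sizeof ciphertext);
    if (len < 0) return -1;
    /* ciphertext[0..len) would be passed to the RSA decryption step here */
    return len;
}
/* Constructed input: 344 base64 chars decode to 258 bytes, more than CIPHERTEXT_MAX. */
int demo_oversized(void) {
    char big[345]; memset(big, 'A', 344); big[344] = '\0';
    return handle_encrypted_field(big);
}
```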

Stack-based Buffer Overflow in rsa_decrypt Function

CVE ID: CVE-2024-45413

CVSS Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Category: CWE-121: Stack-based Buffer Overflow

The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in the rsa_decrypt function. This function is an API wrapper exposed to Lua for decrypting RSA-encrypted ciphertext; the decrypted data is stored on the stack without checking its length. An authenticated attacker can get RCE as root by exploiting this vulnerability.

Local File Inclusion

CVE ID: CVE-2024-45416

CVSS Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Category: CWE-829: Inclusion of Functionality from Untrusted Control Sphere

The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in the session_init function. Session files (Lua scripts) are stored in the directory /var/lua_session; the function iterates over all files in this directory and executes them with dofile without validating whether each one is a valid session file. An attacker who is able to write a malicious file into the sessions directory can get RCE as root.

Affected Systems

These vulnerabilities were discovered and verified on the models and versions listed below; other models and versions may also be affected. Please refer to ZTE for clarification on vulnerable models and versions.

Router Model         Firmware Version       Status at Time of Report
ZXHN H168A V2.1      TTN.1T1_211029         Supported
ZXHN H168N V3.5      V3.5.5_CO.1T1          Supported
ZXHN H338A V1.5      V1.5.0_H3A.1T9P1-o     Supported
ZXHN E1600 V1.0      V1.0.0.2B1.1000        Supported
ZXHN E2618 V1.0      V1.0.0.2B4.3000        Supported
ZXHN E2603 V1.0      V1.0.1                 Supported
ZXHN E2615 V1.0      V1.0.1                 Supported
ZXHN H108N V2.6      V2.6.20.ROST12         EOS
ZXHN E500 V1.0       V1.0.1.1B2.1000        EOS
ZXHN Z500 V1.0       V1.0.1.1B2.1000        EOS

Disclosure Timeline

  • Reported to Vendor: February 20, 2024
  • Vendor triaged the vulnerabilities: March 03, 2024
  • Trivial reward from the vendor: March 11, 2024
  • Vendor decided not to fix or disclose: April 18, 2024
  • MITRE assigned CVE IDs: August 29, 2024
  • Disclosure: September 10, 2024

Acknowledgement

Saif Aziz (@wr3nchsr) of CyShield

Disclaimer

CYSHIELD FOR TECHNOLOGY S.A.E (CYSHIELD) is keen to share its expertise widely and to enrich public knowledge by disseminating cyber security awareness. CYSHIELD relies on information provided by the vendor / product manufacturer when listing fixed versions, products or releases. CYSHIELD does not verify this information, except when otherwise specifically stipulated in the advisory text and contractually required or explicitly agreed in written form by the vendor / product manufacturer. Unconfirmed vendor / product manufacturer fixes might be ineffective, incomplete, inaccurate or easy to bypass, and it is the vendor's / product manufacturer's liability to ensure that all vulnerabilities discovered by CYSHIELD are resolved properly. CYSHIELD accepts zero liability, financial or otherwise, for any material and consequential losses, loss of life or reputational loss arising from or as a result of misuse of the information or code contained or mentioned in its advisories. It is the vendor's / product manufacturer's liability, not CYSHIELD's, to ensure their products' security before, during and after release to market.