10 Ekim 2020 Cumartesi

ZTE MF286R Modem Session Hijacking - Broken Authantication and Session Management (0-Day)

Selam, Hello All,

While I was researching vulnerability on ZTE MF286R Mobile Modem on behalf of my customer, I have discovered a weaknesses on modem web management panel.
Here the details:

Product: ZTE MF286R Version: ZTE MF286R-1.0  (I have not tested other versions or modems)

Vulnerability Category: https://cwe.mitre.org/data/definitions/930.html
Broken Authantication and Session Management
An attacker can hijack the session of logged-in user by using brute-force method.

When I examined the “zwsd” cookie/session value, I thought that it is encrypted with MD5 function.

ZTE MF286R-1.0 Modem Administrator zwsd Session Id is Using MD5 Weak Algorithm


 I have tried to crack it via wordlist and it was simply cracked.

The value “ba9a56ce0a9bfa26e8ed9e10b2cc8f46” was: 1876

zwsd Value Has Been Cracked with a successful dictionary brute-force attack

 

After re-logged-in the application, it has created a new weak digit numbers by encrypting md5 function like md5(11834) , md5(11506) etc…

So when I see the results, I have decided that it was easy to hijack a user session. Because when a user logged-in to the web management panel, I can brute session value by using burp-suite proxy tool easily.

Here the burp suite intruder module settings:

 

Burp Suite Settings For Attacking Administrator Login

A few seconds later, it has succesfully hijacked the user session value md5(4738) namely c2e06e9a80370952f6ec5463c77cbace

So I can define this cookie value in the browser and succesfully logged-in application, or send malwormed requests to modem web application.

 

Administrator Session Hijacked

Since I could not get response to the email I sent to ZTE Corp on 10 October 2020 , I decided to share it.

Regards

Emrullah Akdemir

CEO - TRYSEC Corp.