ZTE Routers Multiple Vulnerabilities

The ZTE ZXV10 W300 router (Shodan search) is really a TP-Link router based on the same interface. According to the manual it has default credentials.

Enter the default user name admin and password admin, and then click the OK button to enter the main page for configuration, as shown in Figure 6.


It also uses RomPager and is vulnerable to the authentication bypass mentioned in previous blogs. Request the /rom-0 binary and reverse it using this tool. The first string is the admin password. Tested on firmware version W300V1.0.0a_ZRD_CO3.

The ZXDSL 831CII from ZTE does not look like a TP-Link router. It’s either their own code or a different vendors. It suffers from the RomPager /rom-0 bypass though.

Software Version = ZXDSL 831CIIV2.2.1a_Z43_MD
ADSL Firmware Version = FwVer: HwVer:T14.F7_7.0


Tags: , ,

4 Responses to “ZTE Routers Multiple Vulnerabilities”

  1. Djeddine Says:

    the is down :p , any author options =D

  2. friendlyfriend Says:

    Here are some details of the rom-0 extraction for the zxv10 model, back in time on abril of 2013 :-O (It’s in spanish though).

  3. friendlyfriend Says:

    sorry… totally forgot the link.
    Here it is: http://pastie.org/7300059

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: