lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 16:59:20 +0200
From: Willem de Groot <gwillem@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] Zyxel P-2812HNU-F1 DSL router - command injection

Zyxel P-2812HNU-F1 DSL router - command injection
=================================================
The Zyxel P-2812 is common in the Netherlands (KPN/Telfort) and Norway
(Telenor). The Dutch firmware is susceptible to authenticated command
injection
through `qos_queue_add.cgi` and the `WebQueueInterface` parameter.

Affected firmware versions
==========================
V3.11TUE3 (KPN)
V3.11TUE8 (KPN)

Not affected
============
BLN.18 and up (Telenor)

Disclosure timeline
===================
2017-02-05 Notified cert@...-cert.nl
2017-02-11 Notified cert@...enor.net
2017-02-15 KPN: "escalated to Zyxel"
2017-02-23 Telenor: "we have fixed this previously in BLN18"
2017-09-28 Public disclosure

Proof of concept code
=====================
Sample code at
http://gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/

Observations
============
Security fixes for branded Zyxel firmware are not necessarily implemented
by all OEM clients.


--
Willem de Groot
https://twitter.com/gwillem
https://gwillem.gitlab.io

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists