The security researcher Pedro Ribeiro disclosed several vulnerabilities in the ZyXEL customized routers that could be easily exploited by hackers.

Details on serious vulnerabilities in a number of routers freely distributed by the TrueOnline Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered.

The security researcher Pedro Ribeiro from Agile Information Security disclosed multiple flaws in a number of routers distributed by the Thai ISP TrueOnline.

The Thai ISP distributes several rebranded ZyXEL and Billion routers to its customers.

The models ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion 5200W-T contain a number of default administrative accounts and their web interfaces are affected by command injection vulnerabilities. On Monday Ribeiro published a proof of concept exploit, he released Metasploit modules for the exploitation of the vulnerabilities in the routers.

All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers.

“TrueOnline is a major Internet Service Provider in Thailand which distributes various rebranded ZyXEL and Billion routers to its customers. Three router models – ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion 5200W-T – contain a number of default administrative accounts, as well as authenticated and unauthenticated command injection vulnerabilities in their web interfaces, mostly in the syslog remote forwarding function.” reads the advisory. “All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers.”

Ribeiro reported the vulnerabilities via the SecuriTeam Secure Disclosure Program, which notified them to the vendors in July.

The network devices are based on the TC3162U SoC system-on-a-chip manufactured by TrendChip, in particular, flawed routers have two firmware variants called “ras” and “tclinux.”

Riberio discovered security vulnerabilities in the ‘tclinux’ variant, several ASP files in the web interface are affected by command injection attack issues.

“It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable,” added Ribeiro. “It is also possible that other brands and router models that use the tclinux variant are also affected by the command injection vulnerabilities (the default accounts are likely to be TrueOnline specific).”

The researcher explained that the majority of the vulnerabilities can be exploited remotely, by both authenticated and unauthenticated attackers.

The ZyXel P660HN-T v1 router is affected by an unauthenticated command injection issue that can be remotely exploited by attackers.

“This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function. The vulnerability is in the ViewLog.asp page, which is accessible unauthenticated. The following request will cause the router to issue 3 ping requests to 10.0.99.102:

POST /cgi-bin/ViewLog.asp HTTP/1.1

remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save”

The ZyXel P660HN-T V2 router in affected by the same issue, but it can be remotely exploited only by authenticated attackers.

“Unlike in the P660HN-Tv1, the injection is authenticated and in the logSet.asp page. However, this router contains a hardcoded supervisor password (see below) that can be used to exploit this vulnerability. The injection is in the logSet.asp page that sets up remote forwarding of syslog logs, and the parameter vulnerable to injection is the serverIP parameter” states the advisory.

The third router distributed by the Thai ISP is the Billion 5200W-T model, this model is affected by unauthenticated and authenticated command injection issues. According to the researcher a flaw resides in the its adv_remotelog.asp page.

“The Billion 5200W-T router also has several other command injections in its interface, depending on the firmware version, such as an authenticated command injection in tools_time.asp (uiViewSNTPServer parameter),” Ribeiro said. “It should be noted that this router contains several hardcoded administrative accounts that can be used to exploit this vulnerability.”

All the versions use default and weak admin credentials that were remotely accessible.

Pierluigi Paganini

(Security Affairs – ZyXEL customized routers, hacking)

Share this...

Linkedin Reddit Pinterest

Share On