SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router.
AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also where you can configure AiCloud 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a separate app, or restrict what you can change via mobile devices — you get full access to everything, from any device that can run a web browser”
The vulnerabilities found are:

  • Access bypass
  • Configuration manipulation

Credit
An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Asus were informed of the vulnerabilities and released patches to address them (version 3.0.0.4.384_10007).
For more details: https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
CVE: CVE-2018-5999 and CVE-2018-6000
(more…)

January 22, 2018 Hack2Win, SecuriTeam Secure Disclosure 10 comments

SSD Advisory – ZTE ZXDSL Configuration Reset

Vulnerability Summary
The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2.
ZXDSL 831CII is “an ADSL access device to support multiple line modes. It supports ADSL2/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation capability for different flavors (G.dmt, T1.413 Issue 2) according to central office DSLAM’s settings (Digital Subscriber Line Access Multiplexer). It provides four 10/100Base-T Ethernet interfaces at the user end. Utilizing the high-speed ADSL connection, the ZXDSL 831CII can provide users with broadband connectivity to the Internet.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
ZTE was informed of the vulnerability, their response was: “According to the related product team reply, the affected product 831CII V6.2 has already ended sales and is no longer maintained by ZTE in 2011.
831CII V2.0, the substitute product of 831CII V6.2, has also already been out of the service in 2015.
Right now, 831CII V2.0’s substitute product is ZXHN H108 V2.5.”
(more…)

November 28, 2017 SecuriTeam Secure Disclosure 1 comment