Full Disclosure mailing list archives

Zyxel P-2812HNU-F1 DSL router - command injection


From: Willem de Groot <gwillem () gmail com>
Date: Thu, 28 Sep 2017 16:59:20 +0200

Zyxel P-2812HNU-F1 DSL router - command injection
=================================================
The Zyxel P-2812 is common in the Netherlands (KPN/Telfort) and Norway
(Telenor). The Dutch firmware is susceptible to authenticated command
injection through `qos_queue_add.cgi` and the `WebQueueInterface`
parameter.

Affected firmware versions
==========================
V3.11TUE3 (KPN)
V3.11TUE8 (KPN)

Not affected
============
BLN.18 and up (Telenor)

Disclosure timeline
===================
2017-02-05 Notified cert () kpn-cert nl
2017-02-11 Notified cert () telenor net
2017-02-15 KPN: "escalated to Zyxel"
2017-02-23 Telenor: "we have fixed this previously in BLN18"
2017-09-28 Public disclosure

Proof of concept code
=====================
Sample code at
http://gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/

Observations
============
Security fixes for branded Zyxel firmware are not necessarily implemented
by all OEM clients.


--
Willem de Groot
https://twitter.com/gwillem
https://gwillem.gitlab.io

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
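
Added example, not part of the original advisory or the author's proof of concept: a defender-side check that flags requests to `qos_queue_add.cgi` whose `WebQueueInterface` value is not a plain interface-style token. The advisory does not state the HTTP method or the set of valid values, so the allowlist pattern, the record layout and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names as given in the advisory.
CGI_NAME = "qos_queue_add.cgi"
PARAM = "WebQueueInterface"

# Assumption: a legitimate value is a short interface-style token.
# Whitespace, quotes and shell metacharacters all fall outside this set.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]{1,32}")


def suspicious_values(url, body=""):
    """Return the WebQueueInterface values of one request that fail the allowlist."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + CGI_NAME):
        return []
    # Inspect both query string and form body; parse_qs percent-decodes values,
    # so encoded metacharacters are compared in their decoded form.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return [v for v in params.get(PARAM, []) if not SAFE_VALUE.fullmatch(v)]


def scan(records):
    """records: iterable of (client, url, body). Returns a list of (client, value) hits."""
    hits = []
    for client, url, body in records:
        hits.extend((client, v) for v in suspicious_values(url, body))
    return hits


# Constructed sample traffic (not captured from a real device); the interface
# name "ptm0" and the extra "other" field are hypothetical.
SAMPLE = [
    ("192.0.2.10", "/qos_queue_add.cgi", "WebQueueInterface=ptm0&other=1"),
    ("192.0.2.77", "/qos_queue_add.cgi", "WebQueueInterface=ptm0%3B+echo+x&other=1"),
    ("192.0.2.77", "/qos_queue_add.cgi?WebQueueInterface=%24%28echo+x%29", ""),
    ("192.0.2.10", "/other.cgi", "WebQueueInterface=a%3Bb"),
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE):
        print(f"ALERT {client} {PARAM}={value!r}")
```

Because the injection requires authentication, a hit from this check also identifies a session whose credentials should be treated as compromised or misused.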

