
List:       full-disclosure
Subject:    [FD] Zyxel P-2812HNU-F1 DSL router - command injection
From:       Willem de Groot <gwillem () gmail ! com>
Date:       2017-09-28 14:59:20
Message-ID: CAB1_AemGvUOT=emHfby+9r=WRgULK2e=+XzxBjGhUWOVXdAzkg () mail ! gmail ! com

Zyxel P-2812HNU-F1 DSL router - command injection
=================================================
The Zyxel P-2812 is common in the Netherlands (KPN/Telfort) and Norway
(Telenor). The Dutch firmware is susceptible to authenticated command
injection through `qos_queue_add.cgi` and the `WebQueueInterface` parameter.

Affected firmware versions
==========================
V3.11TUE3 (KPN)
V3.11TUE8 (KPN)

Not affected
============
BLN.18 and up (Telenor)

Disclosure timeline
===================
2017-02-05 Notified cert@kpn-cert.nl
2017-02-11 Notified cert@telenor.net
2017-02-15 KPN: "escalated to Zyxel"
2017-02-23 Telenor: "we have fixed this previously in BLN18"
2017-09-28 Public disclosure

Proof of concept code
=====================
Sample code at
http://gwillem.gitlab.io/2017/09/28/hacking-the-zyxel-p-2812hnu-f1/

Observations
============
Security fixes for branded Zyxel firmware are not necessarily implemented
by all OEM clients.


--
Willem de Groot
https://twitter.com/gwillem
https://gwillem.gitlab.io

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/