PDA

Bekijk Volledige Versie : Router ZyXEL Prestige 650 HW http remote admin.



Francisco Josť Canela
22/11/04, 23:05
Hi, I found a bug in ZyXEL Prestige 650 HW Routers with Http Remote Administration active.

Exploting this bug, the attacker can reset the router configurantion.

The "/rpFWUpload.html" is not password protected. To exploit this bug you only need write that:

http://[Router ip]/rpFWUpload.html

and click the Reset button.


Sorry if this post is misspelling... but I'm from Spain and my english level is poor...

____________
Francisco Josť Canela

Hugo van der Kooij
24/11/04, 05:45
On Sun, 21 Nov 2004, Francisco Jos=E9 Canela wrote:

>
> Hi, I found a bug in ZyXEL Prestige 650 HW Routers with Http Remote Admin=
istration active.

=2E..

Could you include relevant details? Like:

Which firmware?

What have you done in regard to sending a bug report to Zyxel? No point
in bugging them again if you have done so allready and are making progress
towards a solution. But if they sit idle with this information other here
might want to bother Zyxel for a solution.

Hugo.

--=20
=09I hate duplicates. Just reply to the relevant mailinglist.
=09hvdkooij@vanderkooij.org=09=09http://hvdkooij.xs4all.nl/
=09=09Don't meddle in the affairs of magicians,
=09=09for they are subtle and quick to anger.

Steve Clement
25/11/04, 23:25
Francisco Josť Canela wrote:

>Hi, I found a bug in ZyXEL Prestige 650 HW Routers with Http Remote Administration active.
>
>
>
Prestige 623/652 are also vulnerable which is very sad, have you
contacted Zyxel about it? If so, how patient have you been?
This is really annoying because it is really easy to "exploit" and
without a working firmware I will have to disable the Web Management on
all my remote clients because it is "usuallly" on by default.

jeers,

Steve C

>Exploting this bug, the attacker can reset the router configurantion.
>
>The "/rpFWUpload.html" is not password protected. To exploit this bug you only need write that:
>
>http://[Router ip]/rpFWUpload.html
>
>and click the Reset button.
>
>
>Sorry if this post is misspelling... but I'm from Spain and my english level is poor...
>
>

Laurent Papier
26/11/04, 00:25
On Tue, 23 Nov 2004 01:02:39 +0100 (CET)
Hugo van der Kooij <hvdkooij@vanderkooij.org> wrote:

> On Sun, 21 Nov 2004, Francisco Jos=E9 Canela wrote:
>=20
> >
> > Hi, I found a bug in ZyXEL Prestige 650 HW Routers with Http Remote Adm=
inistration active.
>=20
> ...
>=20
> Could you include relevant details? Like:
>=20
> Which firmware?

I can confirm the problem on this model:
Prestige 645R-A1, ZyNOS S/W Version: V3.40(GJ.4)| 4/12/2004.

$ curl -I zyxel/rpFWUpload.html
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 24 Nov 2004 11:30:02 GMT
Pragma: no-cache
Expires: Thu, 26 Oct 1995 00:00:00 GMT
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0

--=20
Laurent Papier - 03 88 75 80 50
Admin. systeme - Sdv Plurimedia - <http://www.sdv.fr/>