According to the firm SecuriTeam, multiple ZyXEL customized routers are affected by many vulnerabilities. The devices are distributed by the Thai IPS TrueOnline. The ZyXEL customized routers are offered for free to the customers with default settings, including default accounts and passwords, a gift for hackers.
The models are widespread, ZyXEL P660HN-T v1, ZyXEL P660HN-T v2, and Billion 5200W-T, the first of which since 2013.
“Several models are distributed by TrueOnline, three in particular are widespread:
These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run BOA web server.” reads the security advisory published by SecuriTeam.
The vulnerabilities have been discovered by an independent security researcher, they include an unauthenticated remote command execution vulnerability in P660HN-T v1, an unauthenticated remote command execution and authenticated remote command execution flaws in Billion 5200W-T, and an unauthenticated remote command execution vulnerability in P660HN-T v2.
The P660HN-T v1 device is affected by a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log, the issue resides in the remote_host parameter on the ViewLog.asp page, which is accessible by an unauthenticated attacker.
The network device comes with the following default credentials:
An unauthenticated command injection is present in the adv_remotelog.asp file of the Billion 5200W-T router. An attacker can trigger the vulnerability in the syslogServerAddr parameter by entering a valid IP address followed by “;<COMMAND>;”.
The same device is affected by an authenticated command injections in the interface tools_time.asp with the uiViewSNTPServer parameter. Also in this case, the expert discovered the device includes the following default accounts:
The third device, the P660HN-T v2 router is affected by a remote command injection vulnerability that results from an authenticated command injection chained with a hardcoded supervisor password. The flaw resides in the logSet.asp file, while the hardcoded supervisor credentials are username: supervisor; password: zyad1234.
“The actual command that can be injected has a length limitation of 28 characters.” states the advisory. “
Default accounts – P660HN-T v2 router
The sad aspect of the story is that the researchers reported the vulnerabilities to ZyXEL in July, but the company still hasn’t issued any patched neither workaround.
Vulnerabilities in IoT devices, including home routers and SOHO devices, are particularly critic, because attackers can exploit them to compromise the equipment and recruit them in powerful “thingbot “such as the Mirai botnet.
(Security Affairs – ZyXEL customized routers, hacking)