ZyXel WAP3205 Cross Site Scripting
Posted on 26 January 2016
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 #Vendor: ZyXel WAP3205 - version 1 (Product is EOL and no patch forthcoming) #Firmware version: V1.00(BFR.6) - V1.00(BFR.8)C0 #Exploit Author: Nicholas Lehman @GraphX #Vulnerability: Multiple persistent and reflected XSS vulnerabilities Description: Multiple persistent XSS Vulnerabilities have been discovered in the ZyXel WAP3205 (version 1) wireless access point. These vulnerabilities could allow and authenticated attacker to insert persistent malicious code on several pages and using several different fields. The WAP is End-Of-Life according to the vendor and will not be issuing a patch for these vulnerabilities. Proof of Concept: The first vulnerability discovered pertained to the inputs found on - - -http://<ROUTER_IP>/local/advance/main_maintenance_frame.html the domain_name and system_name inputs are vulnerable to reflected cross-site scripting and there does not appear to be any validation or sanitation of those inputs. the admin_inactivity_time input is vulnerable to persistent XSS with the following code being used: admin_inactivity_timer=0"><script>alert(document.cookie)</script><input - - -The date and time tab is also vulnerable to persistent cross site scripting. The following inputs allow for malicious code to be stored and executed: NTPServerIP servertype timedatatype 3. Solution: ZyXel was informed of the vulnerability, but since the router is end of life, a patch will not be released. Upgrade to a supported WAP -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWo8HaAAoJEGoTpzhfiAPxZFYP/iMGT7oGqHxLtw5rGVk0t5my ZxKD/ho84OhtHP6d1d4mVcKOmVGPMRLCR7V62m6G9iluzTx08uhAooXzdGPfua9I WXY+bIyj/3w5ydYJRd6gfR3/BwBHQKiMb06Iwsm2KivZNLYTFZ1mThXcn/dpgopL BRjLxpVaMOAVEaVgHEcm0B59uaIFT2jBSHfi3MZMYSlkoEGTCs+UaJ3qxMbmxYC9 06Zg8+pQs17AOdaBhSRb/vfeBRuLjbSsNZwI2XrDd5rj6+J3z34VasAnStgcd/uV 5cSIN7AAlfi3sg7BE+3hUZxK8p0KL2vKsm1/FOzAXs9H5/x51vLeJ0zbS4f57wIC x8lfkEu5GnK2jD2f0IeHrtnesXnIsBAB5THYxrqIfXJI0QpJZk0Dt3NL/uy2x4II gX8mnqJdci8o58oB4EG3RoYjKNpbbKGmF2JO1Gvgu9COmxMiYhTi9/HUW+SUizne zDjSeYLRn+VwuG4b77Rv+DH32ue93ujuIIMI+0zRzbpVo0kTr8P772LDn/Ypc5PP QtDC9A3OHqMOlrURgEEOU4uoB7rEH/aFqmuqEmdjdAVqRJ9xHINtChCIuNCFR9S1 wGluQ2HQ58eOZZK2GCUep57bgaFHSzm5mi0uHd27h6J40wVTiErZfJM5SW8z/rI1 JVy7N1+3MESCr8pW/Cgo =sI1p -----END PGP SIGNATURE-----
