The following advisory describes four (4) vulnerabilities and default accounts / passwords in ZyXEL / Billion customized routers.
TrueOnline is a major Internet Service Provider in Thailand that provides customized versions of routers to its customers, free of charge.
The routers are manufactured by ZyXEL and Billion and run a special Linux distribution called “tclinux”. Several models are distributed by TrueOnline; three in particular are widespread:
- ZyXEL P660HN-T v1 (distributed up to 2013)
- ZyXEL P660HN-T v2
- Billion 5200W-T (currently being distributed to new clients)
These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run the BOA web server. The routers are vulnerable to command injection in their web interface, which can be exploited by an unauthenticated as well as an authenticated attacker. Furthermore, the routers include several hardcoded accounts besides the usual administrator account.
The four vulnerabilities found in ZyXEL / Billion routers:
- Unauthenticated remote command execution vulnerability – P660HN-T v1 router
- Unauthenticated remote command execution vulnerability – Billion 5200W-T
- Authenticated remote command execution vulnerability – Billion 5200W-T
- Unauthenticated remote command execution vulnerability – P660HN-T v2
Default accounts and passwords:
- Default accounts – P660HN-T v1 router
- Default accounts – P660HN-T v2
- Default accounts – Billion 5200W-T router
Pedro Ribeiro (firstname.lastname@example.org) has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – ZyXEL / Billion Multiple Vulnerabilities
The following advisory describes three (3) vulnerabilities that allow an attacker to gain unauthenticated remote code execution. EasyIO provides products for Building Energy Management Systems. Low costs, high energy savings.
The three vulnerabilities found in EasyIO include:
- Unauthenticated remote code execution
- Unauthenticated database file download
- Authenticated directory traversal vulnerability
The vulnerabilities affect the following products:
- EasyIO FG Series, FG32
- EasyIO FG Series, FG20
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – EasyIO Multiple Vulnerabilities
We have a few more days left until the end of the year (2016), but it’s time to open the calendar and get ready for 2017(!).
We will try to publish the main security conferences every quarter*
Continue reading Security conferences – Survival guide 2017 Q1
On 1-2 December 2016 we had the honor of sponsoring HITCON for the first time and visiting Taiwan.
Our adventure started on November 30th when Noam and I landed in Taipei; we had half a day for sightseeing and setting up our booth at the conference hall.
In the evening we were invited to the Team T5 reception, where we saw some old friends and made some new ones. We talked about the importance of the hacker community and how Beyond Security can support it in this era.
During the HITCON conference we had the opportunity to meet so many great people, gave them awesome T-shirts for free, answered their questions and provided them with information about the SSD program and how it can help them to more easily report vulnerabilities and get paid for them.
On the second day, Noam gave his lecture on “Why today’s security researchers cannot just publish vulnerabilities” and explained the problems currently present in the process of reporting vulnerabilities to vendors and why the current bug bounty programs are not offering the solution (the slides will be uploaded soon by HITCON).
We found the whole conference experience to be amazing – it was a privilege for us to be able to attend and sponsor HITCON 2016, especially since it allowed us to be part of the ‘international’ community of security researchers.
One last thing: Noam and Yannay Livneh (a speaker at HITCON) had their birthdays during HITCON – Happy Birthday guys!