Source: cret@cert.org
Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 on ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0) allow remote attackers to inject arbitrary web script or HTML via the (1) LoginPassword or (2) hiddenPassword parameter.
A critical vulnerability exists in ZyXEL P-660HW-T1 2 routers running ZyNOS firmware 3.40(AXH.0), allowing remote attackers to inject malicious scripts via cross-site scripting (XSS). Successful exploitation can lead to account compromise, data theft, and potential network control, impacting confidentiality, integrity, and availability.
Step 1: Payload Delivery: An attacker crafts a malicious payload containing JavaScript or HTML code. This payload is designed to perform actions like stealing cookies, redirecting users, or defacing the web interface.
Step 2: Payload Injection: The attacker submits the crafted payload within the LoginPassword or hiddenPassword parameter of a POST request to the Forms/rpAuth_1 page. This request is sent to the vulnerable ZyXEL router.
Step 3: Payload Storage: The router's web server stores the malicious payload, likely within a configuration file or database associated with the authentication process.
Step 4: Victim Interaction: When a legitimate user accesses the web interface of the router (e.g., to manage settings), the stored payload is retrieved and rendered in the user's browser.
Step 5: Payload Execution: The victim's browser executes the injected JavaScript or HTML code, allowing the attacker to perform actions on behalf of the user.
The vulnerability stems from insufficient input validation and output encoding in the Forms/rpAuth_1 component of the ZyNOS firmware: the LoginPassword and hiddenPassword parameters are not sanitized before their values are rendered in the HTML response, and special characters such as < and > are not escaped. An attacker can therefore inject arbitrary JavaScript or HTML, which the victim's web browser then executes. Because the injected script is stored on the server and served to every user who accesses the affected page, this is a stored XSS vulnerability.
There is no specific APT or malware directly linked to this CVE. However, the nature of the vulnerability (XSS) makes it a potential tool for various attackers. This vulnerability is not listed on the CISA KEV catalog.
Monitor network traffic for suspicious POST requests to Forms/rpAuth_1 with unusual characters or JavaScript code in the LoginPassword or hiddenPassword parameters.
Analyze web server logs for requests containing potentially malicious payloads, looking for patterns like <script> tags or HTML entities.
Implement a web application firewall (WAF) to filter out malicious XSS payloads.
Perform regular vulnerability scans using tools that can identify XSS vulnerabilities.
Monitor router configuration files for unexpected changes or the presence of injected scripts.
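The first two detection measures above (suspicious POST requests to Forms/rpAuth_1, and log entries carrying tag-like or entity-encoded payloads in the two password parameters) can be turned into a small inspection routine. The following is an added example, not code from the original advisory or from ZyXEL: it assumes request records have already been exported from a proxy or capture tool as dictionaries with src, method, path and body fields (a constructed sample is embedded), and it decodes URL-encoding and HTML entities before matching so that encoded variants are not missed.

```python
import re
from html import unescape
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request records (not real router traffic), in the shape a
# proxy or packet-capture export might produce: method, path and raw form body.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "POST", "path": "/Forms/rpAuth_1",
     "body": "LoginPassword=correct-horse&hiddenPassword=correct-horse"},
    {"src": "192.0.2.11", "method": "POST", "path": "/Forms/rpAuth_1",
     "body": "LoginPassword=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&hiddenPassword=x"},
    {"src": "192.0.2.12", "method": "POST", "path": "/Forms/rpAuth_1",
     "body": "LoginPassword=abc&hiddenPassword=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B"},
    {"src": "192.0.2.13", "method": "GET", "path": "/Forms/rpAuth_1", "body": ""},
    {"src": "192.0.2.14", "method": "POST", "path": "/Forms/other",
     "body": "LoginPassword=%3Cb%3Ehi"},
]

WATCHED_PATH = "/Forms/rpAuth_1"
WATCHED_PARAMS = ("LoginPassword", "hiddenPassword")

# Indicators of HTML/script injection. Matched only after URL decoding and
# HTML-entity decoding, so an "&lt;script&gt;" style encoding is caught as well.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!][a-z0-9]*"   # an HTML tag opener such as <script, </a, <!--
    r"|javascript\s*:"            # javascript: URLs
    r"|\bon[a-z]+\s*="            # event-handler attributes such as onerror=
    r"|&#x?[0-9a-f]+;",           # numeric character references
    re.IGNORECASE,
)

def normalise(value: str) -> str:
    """Undo the encodings an attacker may layer on a value: URL-encoding
    (applied up to twice) and HTML character references."""
    v = value
    for _ in range(2):
        v = unquote_plus(v)
    return unescape(v)

def inspect_request(req: dict) -> list[dict]:
    """Return one finding per watched parameter value that matches an indicator."""
    findings = []
    if req["method"] != "POST" or req["path"] != WATCHED_PATH:
        return findings
    params = parse_qs(req["body"], keep_blank_values=True)  # also URL-decodes once
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            decoded = normalise(raw)
            match = SUSPICIOUS.search(decoded)
            if match:
                findings.append({"src": req["src"], "param": name,
                                 "indicator": match.group(0), "decoded": decoded})
    return findings

def scan(requests: list[dict]) -> list[dict]:
    out = []
    for req in requests:
        out.extend(inspect_request(req))
    return out

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"ALERT src={f['src']} param={f['param']} indicator={f['indicator']!r}")
```

Password fields can legitimately contain characters such as "<", so treat a match as a lead to review rather than a confirmed attack, and tune the indicator list to the traffic actually seen on the management interface. Note also that ordinary access logs do not record POST bodies; this routine needs request records from a proxy, capture or WAF log that does.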
Upgrade the ZyNOS firmware to a patched version that addresses the XSS vulnerability. Check the vendor's website for available updates.
Implement input validation to sanitize user-supplied data, ensuring that special characters are properly escaped before being stored or displayed.
Implement output encoding to encode data before it is rendered in HTML, preventing the execution of malicious scripts.
Use a Content Security Policy (CSP) to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.
Disable the web interface if it is not required for the router's functionality.
Consider replacing the vulnerable device with a more secure alternative.
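To make the input-validation, output-encoding and CSP recommendations above concrete, the following added example (not ZyNOS code and not from the original advisory) uses a hypothetical stand-in for a login page that reflects the LoginPassword and hiddenPassword values back into its HTML. It places the vulnerable rendering pattern beside a hardened one: an allow-list check on the way in (the allowed character set is an assumption), HTML entity encoding on the way out, and a Content-Security-Policy header as defence in depth. The test payload is constructed for the demonstration.

```python
import html
import re

# Constructed stand-in for a router login page that reflects the submitted
# password fields into its markup. Hypothetical handler code, not ZyNOS firmware.
TEMPLATE = ('<form method="post" action="/Forms/rpAuth_1">'
            '<input type="password" name="LoginPassword" value="{lp}">'
            '<input type="hidden" name="hiddenPassword" value="{hp}">'
            '</form>')

def render_login_unsafe(login_password: str, hidden_password: str) -> str:
    """Vulnerable pattern: raw input is interpolated into the markup unchanged,
    so a value containing a closing quote and a tag breaks out of the attribute."""
    return TEMPLATE.format(lp=login_password, hp=hidden_password)

def encode_for_html(value: str) -> str:
    """Output encoding: every character with meaning in HTML or in a quoted
    attribute (& < > " ') becomes an entity, so the browser treats it as text."""
    return html.escape(value, quote=True)

# Input validation as an allow-list (assumed policy; tune to the product's own).
# Reject rather than strip, so the client sees an error instead of a silently
# altered value.
ALLOWED = re.compile(r"[A-Za-z0-9!@#$%^*()_+\-=.,:;?]{1,64}")

def validate_password_input(value: str) -> str:
    if not ALLOWED.fullmatch(value):
        raise ValueError("password contains characters outside the allowed set")
    return value

def is_rejected(value: str) -> bool:
    """True when the allow-list validation refuses the value."""
    try:
        validate_password_input(value)
    except ValueError:
        return True
    return False

def render_login_safe(login_password: str, hidden_password: str) -> str:
    """Hardened: validate on the way in, encode on the way out. Encoding is
    applied even to validated data, so a later relaxation of the allow-list
    does not silently reopen the hole."""
    lp = encode_for_html(validate_password_input(login_password))
    hp = encode_for_html(validate_password_input(hidden_password))
    return TEMPLATE.format(lp=lp, hp=hp)

def csp_headers() -> dict:
    """Defence in depth: a policy without 'unsafe-inline' stops the browser from
    running an injected inline <script> block even if encoding were missed."""
    return {"Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"}

# Constructed test payload: closes the value attribute and injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print("unsafe  :", render_login_unsafe(PAYLOAD, PAYLOAD))
    print("encoded :", TEMPLATE.format(lp=encode_for_html(PAYLOAD), hp=encode_for_html(PAYLOAD)))
    print("rejected:", is_rejected(PAYLOAD))
    print("headers :", csp_headers())
```

The two layers are independent on purpose: validation stops most payloads at the door, and encoding guarantees that whatever does reach the template is rendered as text, not markup. The stronger design change, beyond what this example shows, is for the login handler not to echo the password value into the page at all, since a secret never needs to be reflected to the client.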