Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 allows remote attackers to hijack the authentication of arbitrary users.
ZyXEL NBG-418N routers with firmware 1.00(AADZ.3)C0 are vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to remotely hijack user authentication. This vulnerability enables attackers to execute unauthorized actions on the router, potentially leading to complete system compromise and network control.
Step 1: Victim Interaction: The attacker crafts a malicious web page or email containing a hidden HTML form or JavaScript code. This code is designed to send a specific request to the vulnerable ZyXEL router's web interface.
Step 2: Request Crafting: The malicious code constructs a request that, when sent to the router, will perform a privileged action (e.g., changing the administrator password, enabling remote access, or modifying DNS settings). Because the browser attaches the victim's session cookies automatically, the router cannot distinguish this request from one submitted through its own legitimate web interface.
Step 3: Victim Login: The victim is already logged into the ZyXEL router's web interface (or has previously authenticated and their session is still active). This is a prerequisite for the attack to succeed.
Step 4: Request Execution: The victim visits the attacker's malicious web page or opens the malicious email. The hidden form or JavaScript code automatically submits the crafted request to the router. The browser sends the request to the router, including the victim's authentication cookies.
Step 5: Router Processing: Because the router lacks CSRF protection, it processes the malicious request as if it originated from the legitimate user. The requested action is performed on the router, effectively allowing the attacker to control the router's configuration.
Step 6: Attack Completion: The attacker successfully alters the router's settings, potentially gaining full control over the network or intercepting network traffic.
The root cause of CVE-2015-7284 is the lack of CSRF protection in the web interface of the ZyXEL NBG-418N router. Specifically, the web application does not implement proper validation of the origin of requests. This means that requests originating from a different domain can be successfully processed by the router. The flaw lies in the absence of CSRF tokens or other mechanisms to verify the authenticity of the request's origin. This allows an attacker to craft malicious requests that, when executed by a logged-in user, will perform actions on the router on behalf of that user. The attacker can manipulate the router's configuration, potentially changing DNS settings, enabling remote access, or even installing malicious firmware. The vulnerability is exacerbated by the fact that many users may not change the default credentials, making it easier for attackers to gain access.
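To make the missing protection concrete, the following added example (not code from the router's firmware or from ZyXEL) shows the two checks the description says are absent: validating the request's origin and verifying a per-session synchronizer token. The management address, session identifier and form fields are constructed sample values.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed sample: the router's own management origin is the only one
# allowed to submit configuration changes.
ALLOWED_ORIGINS = {"http://192.168.1.1"}
# Hypothetical per-device secret; on a real device this would be stored in
# persistent configuration, not generated on every start.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to this session; embedded as a hidden field in every form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Accept a state-changing request only if Origin (or, failing that, Referer)
    names the router itself. A request carrying neither header is rejected, since
    it cannot be proven to come from the router's own pages."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin in ALLOWED_ORIGINS


def request_is_authorized(headers: dict, session_id: str, form: dict) -> bool:
    """Both the origin check and the token check must pass before the
    configuration change is applied; a valid session cookie alone is not enough."""
    if not origin_is_trusted(headers):
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


def demo() -> dict:
    """Constructed requests: one from the router's own page, one cross-site, one without a token."""
    sid = "session-abc123"  # constructed session identifier
    token = issue_csrf_token(sid)
    same_site = {"Origin": "http://192.168.1.1", "Cookie": f"sid={sid}"}
    cross_site = {"Origin": "http://attacker.example", "Cookie": f"sid={sid}"}
    return {
        "legit": request_is_authorized(same_site, sid, {"csrf_token": token, "dns1": "9.9.9.9"}),
        "cross_origin": request_is_authorized(cross_site, sid, {"csrf_token": token}),
        "missing_token": request_is_authorized(same_site, sid, {"dns1": "9.9.9.9"}),
    }
```

Even when the cross-site request carries the victim's cookies, the origin check rejects it before the token is consulted, and a same-origin request without the hidden token is rejected as well.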