Vulnerabilities > CVE-1999-0571
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE network
low complexity
critical
nessus
Summary
A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.
Nessus
NASL family Misc. NASL id ZYXEL_PWD.NASL description The remote host is a ZyXEL router with a default password. An attacker could telnet to it and reconfigure it to lock the owner out and prevent him from using his Internet connection, or create a dial-in user to connect directly to the LAN attached to it. last seen 2020-06-01 modified 2020-06-02 plugin id 10714 published 2001-08-13 reporter This script is Copyright (C) 2001-2018 Giovanni Fiaschi source https://www.tenable.com/plugins/nessus/10714 title ZyXEL Router Default Telnet Password Present code # # # This script was written by Giovanni Fiaschi <[email protected]> # # See the Nessus Scripts License for details # Script audit and contributions from Carmichael Security # Erik Anderson <[email protected]> (nb: domain no longer exists) # Added BugtraqID. # # Changes by Tenable: # - Updated to use compat.inc (11/16/09) # - Changed formatting and removed French (3/26/2009) # - Revised title (12/22/2008) include("compat.inc"); if (description) { script_id(10714); script_version("1.30"); script_cvs_date("Date: 2018/08/07 16:46:51"); script_cve_id("CVE-1999-0571"); script_bugtraq_id(3161); script_name(english:"ZyXEL Router Default Telnet Password Present"); script_summary(english:"Logs into the ZyXEL router"); script_set_attribute(attribute:"synopsis", value: "The remote host is a router with its default password set."); script_set_attribute(attribute:"description", value: "The remote host is a ZyXEL router with a default password. An attacker could telnet to it and reconfigure it to lock the owner out and prevent him from using his Internet connection, or create a dial-in user to connect directly to the LAN attached to it."); script_set_attribute(attribute:"solution", value: "Telnet to this router and set a password immediately."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/08/13"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2001-2018 Giovanni Fiaschi"); script_family(english:"Misc."); script_require_ports(23); exit(0); } port = 23; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { r = recv(socket:soc, length:8192); if ( "Password:" >!< r ) exit(0); s = string("1234\r\n"); send(socket:soc, data:s); r = recv(socket:soc, length:8192); close(soc); if("ZyXEL" >< r || "ZyWALL" >< r )security_hole(port:port, extra:'\nAfter logging in using the password "1234", Nessus read this :\n\n ' + r + '\n'); } }NASL family Misc. NASL id ZYXEL_HTTP_PWD.NASL description The remote host is a ZyXEL router with a default password set. An attacker could connect to the web interface and reconfigure it. last seen 2020-06-01 modified 2020-06-02 plugin id 17304 published 2005-03-10 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17304 title ZyXEL Routers Default Web Account code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17304); script_version("1.21"); script_cvs_date("Date: 2018/08/07 16:46:51"); script_bugtraq_id(6671); script_cve_id("CVE-2001-1135", "CVE-1999-0571"); script_name(english:"ZyXEL Routers Default Web Account"); script_summary(english:"Logs into the ZyXEL web administration"); script_set_attribute(attribute:"synopsis", value:"The remote host is a router that uses a default web password."); script_set_attribute(attribute:"description", value: "The remote host is a ZyXEL router with a default password set. An attacker could connect to the web interface and reconfigure it."); script_set_attribute(attribute:"solution", value:"Change the password immediately."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Misc."); script_dependencies("http_version.nasl"); script_exclude_keys("global_settings/supplied_logins_only"); script_require_ports(80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY); port = get_http_port(default:80, embedded: 1); # if ( ! port || port != 80 ) exit(0); banner = get_http_banner(port:port); if ( "ZyXEL-RomPager" >!< banner ) exit(0, "The web server listening on port "+port+" does not look like a ZyXEL web interface."); r = http_send_recv3(port: port, method: "GET", item: "/", username: "", password: "", exit_on_fail:TRUE); if (r[0] !~ "^HTTP/1\.[01] +401 ") exit(0, "The ZyXEL web interface listening on port "+port+" does not require credentials."); r = http_send_recv3(method: "GET", port: port, item: "/", username: "admin", password: "1234", exit_on_fail:TRUE); if (r[0] =~ "^HTTP/1\.[01] +200 ") { security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "ZyXEL web interface", port);