Vulnerabilities > CVE-2001-1135 - Unspecified vulnerability in Zyxel Prestige 642R

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
zyxel
nessus

Summary

ZyXEL Prestige 642R and 642R-I routers do not filter access from the internal network to the routers' Telnet and FTP ports on the external WAN interface, allowing someone on an internal computer to reconfigure the router if the password is known.

Vulnerable Configurations

Part Description Count
Hardware
Zyxel
1

Nessus

NASL family: Misc.
NASL id: ZYXEL_HTTP_PWD.NASL
description: The remote host is a ZyXEL router with a default password set. An attacker could connect to the web interface and reconfigure it.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17304
published: 2005-03-10
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/17304
title: ZyXEL Routers Default Web Account
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration section: executed only when the plugin is loaded with the
# `description` flag set. It declares metadata and scheduling constraints and
# finishes with exit(0), so none of the probing code after this block runs
# in that mode.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(17304);
  script_version("1.21");
  script_cvs_date("Date: 2018/08/07 16:46:51");
  script_bugtraq_id(6671);

  # NOTE(review): the summary shown for CVE-2001-1135 on this page is about
  # unfiltered Telnet/FTP ports, while this plugin tests a default web
  # account; the mapping looks loose, so confirm before using this finding
  # as evidence for that CVE.
  script_cve_id("CVE-2001-1135", "CVE-1999-0571");

  script_name(english:"ZyXEL Routers Default Web Account");
  script_summary(english:"Logs into the ZyXEL web administration");

  # Report text shown to the analyst: synopsis, long description, remediation.
  script_set_attribute(attribute:"synopsis", value:"The remote host is a router that uses a default web password.");
  script_set_attribute(attribute:"description", value:
"The remote host is a ZyXEL router with a default password set.  An
attacker could connect to the web interface and reconfigure it.");
  script_set_attribute(attribute:"solution", value:"Change the password immediately.");
  # CVSS v2 base vector: network, low complexity, no authentication, complete
  # C/I/A impact. This is the plugin's own rating and differs from the
  # PARTIAL impacts listed in the CVE header of this page.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: exploitability unproven, official fix, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # NOTE(review): declared as information gathering, yet the body of this
  # script submits a login with a default account; confirm the category fits
  # the scan policy in use.
  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  # Scheduling constraints: the named plugin is declared as a dependency,
  # and the supplied-logins-only key is declared as an exclusion key
  # (presumably the plugin is not scheduled when it is set).
  script_dependencies("http_version.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  # NOTE(review): only port 80 is required here, while the probing code asks
  # get_http_port() for a web port with its port-80 guard commented out;
  # confirm whether "Services/www" should be listed as well.
  script_require_ports(80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Policy guard: when the scan is limited to user-supplied logins, trying a
# default account is not permitted, so audit() ends the script here.
if (supplied_logins_only)
  audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Web port to probe; 80 is the fallback.
# NOTE(review): embedded:1 presumably allows embedded web servers to be
# selected - confirm against http.inc.
# The former restriction to port 80 remains disabled:
# if ( ! port || port != 80 ) exit(0);
port = get_http_port(default:80, embedded: 1);

# Fingerprint step: continue only when the banner contains the RomPager
# string, so other web servers are never sent the login attempt.
srv_banner = get_http_banner(port:port);
if ("ZyXEL-RomPager" >!< srv_banner)
{
  exit(0, "The web server listening on port "+port+" does not look like a ZyXEL web interface.");
}

# Control request with empty credentials: the interface must answer 401,
# otherwise a later 200 would say nothing about the password.
challenge = http_send_recv3(port: port, method: "GET", item: "/", username: "", password: "", exit_on_fail:TRUE);
if (challenge[0] !~ "^HTTP/1\.[01] +401 ")
{
  exit(0, "The ZyXEL web interface listening on port "+port+" does not require credentials.");
}

# Same request repeated with the default account under test.
# NOTE(review): a 200 status is the only evidence used; no request with a
# deliberately wrong password is sent as a negative control, so a device that
# returns 200 to any credentials would also be reported - confirm acceptable.
login = http_send_recv3(method: "GET", port: port, item: "/", username: "admin", password: "1234", exit_on_fail:TRUE);

# Any status other than 200 means the default account was refused.
if (login[0] !~ "^HTTP/1\.[01] +200 ")
  audit(AUDIT_LISTEN_NOT_VULN, "ZyXEL web interface", port);

# Default account accepted: raise the finding on this port.
security_hole(port);
exit(0);