Unauthenticated ZyXEL USG ZTP - Detect

By kannthu

High
Vidoc Module
#misconfig #unauth #zyxel #ztp #rce
Description

This module is designed to detect a misconfiguration in ZyXEL USG devices with ZTP (Zero Touch Provisioning) support. It specifically targets devices that have not applied the CVE-2023-28771 patch. The severity of this misconfiguration is high.

Impact

If the misconfiguration is detected, an attacker can exploit it to gain unauthorized access to the ZyXEL USG device. This can lead to various security risks, including unauthorized configuration changes, data leakage, and potential remote code execution.

How does the module work?

The module sends a POST request to the "/ztp/cgi-bin/handler" endpoint of the ZyXEL USG device. The request includes a JSON payload with the command "ping" and the destination URL for the interaction. The module then checks for specific conditions to determine if the misconfiguration is present:

- The response must have a status code of 200.
- The response body must contain the words "message" and "result".
- The interaction protocol must not be DNS.

If all the conditions are met, the module reports the vulnerability.

Example HTTP request:

POST /ztp/cgi-bin/handler HTTP/1.1
Host: <Hostname>
Content-Type: application/json

{
  "command": "ping",
  "dest": "<InteractionURL>"
}

Note: It is important to apply the CVE-2023-28771 patch to mitigate the vulnerability and ensure the security of the ZyXEL USG device.
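
A defender-side check for the same request pattern, as an added example that is not part of the Vidoc module: it scans access logs for POST requests to the handler endpoint and separates sources that received a 200 from those that were rejected. The Combined Log Format, a logging proxy in front of the device, and the sample lines are assumptions.

```python
import re
from collections import defaultdict

ZTP_PATH = "/ztp/cgi-bin/handler"  # endpoint named on this page

# Combined Log Format, assumed to come from a proxy in front of the device.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2023:10:01:02 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 200 58 "-" "curl/8.0"
198.51.100.7 - - [12/Jun/2023:10:01:09 +0000] "POST /ztp/cgi-bin/handler?x=1 HTTP/1.1" 200 58 "-" "curl/8.0"
203.0.113.20 - - [12/Jun/2023:10:05:44 +0000] "POST /ztp/cgi-bin/handler HTTP/1.1" 403 12 "-" "scanner"
192.0.2.15 - - [12/Jun/2023:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
malformed line without the expected fields
"""

def find_ztp_requests(log_text):
    """Return {source: {"answered": n, "rejected": n, "first_seen": ts}}."""
    hits = defaultdict(lambda: {"answered": 0, "rejected": 0, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not the method the module uses
        # Compare the path only, so a query string does not hide the request.
        if m["target"].split("?", 1)[0] != ZTP_PATH:
            continue
        entry = hits[m["src"]]
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        # Status 200 is one of the module's matching conditions; any other
        # status means the request was not served by the handler.
        entry["answered" if m["status"] == "200" else "rejected"] += 1
    return dict(hits)

def exposed_sources(log_text):
    """Sources that received at least one 200 from the ZTP handler."""
    return sorted(s for s, e in find_ztp_requests(log_text).items() if e["answered"])

if __name__ == "__main__":
    for src, e in find_ztp_requests(SAMPLE_LOG).items():
        print(src, e)
```

Any source returned by `exposed_sources` reached the handler and got a 200, which is the condition to treat as a priority for patching and for restricting access to the endpoint.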

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: dns and
word: message, result and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability