Old 03-12-2014, 04:54 PM   #3
hlots123
Background info about the rom-0 vulnerability...
PIOTRBANIA.COM :: Hacking and patching TP-LINK TD-W8901G router
How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure ) | Root@Nasro
Attackers alter DNS configurations remotely, compromise 300K routers - SC Magazine

The attack is made possible due to default SOHO settings that are vulnerable to password guessing, as well as brute force log-on attempts because the graphical user interface was accessible from the internet, according to the report, which adds that compromise via Cross-Site Request Forgery may also be possible.

“A considerable number of the remotely accessible devices also appeared vulnerable to the “ROM-0” vulnerability published in early January,” according to the report. “This vulnerability in ZyXEL's ZynOS allows attackers to download the router's configuration file from the unauthenticated GUI URL http://[IP address]/rom-0.”
Me: Is the page password protected?
Me: No!!! I tried to access that page on a different IP and it didn’t require a password!
Ok, enough questions haha ..

Now, when I activated TamperData and clicked “ROMFILE SAVE” I’ve found out that the rom-0 file is located on “IP/rom-0” and the directory isn’t password protected or anything.
When you upload and submit the rom-0 file there, the php page replies back with the configuration in clear text (INCLUDING THE PASSWORD).
Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network.
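A way to confirm whether your own router still answers the unauthenticated `/rom-0` URL quoted above, before and after applying the port-80 forward (added example, not part of the original post or the linked articles). The function names, verdict labels and the default address `192.168.1.1` are assumptions made for illustration.

```python
"""Check whether a router you administer serves /rom-0 without authentication."""
import http.client
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; a 3xx then surfaces as HTTPError


def classify(status, content_type, body_len):
    """Turn the response to an unauthenticated GET /rom-0 into a verdict."""
    if status in (401, 403):
        return "auth-required"
    if status in (301, 302, 303, 307, 308):
        return "redirected"  # assumption: usually a bounce to a login page
    if status == 200:
        # An HTML or empty answer is more likely a login/error page than the file.
        if body_len > 0 and not content_type.lower().startswith("text/html"):
            return "exposed"
        return "inconclusive"
    return "not-served"


def check_rom0(host, timeout=5.0):
    """host is the address (or address:port) of a device you administer."""
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.ProxyHandler({}))  # go direct, never via a proxy
    try:
        with opener.open("http://%s/rom-0" % host, timeout=timeout) as resp:
            probe = resp.read(16)  # only confirms a body exists; nothing is saved
            ctype = resp.headers.get("Content-Type", "")
            return classify(resp.status, ctype, len(probe))
    except urllib.error.HTTPError as err:
        return classify(err.code, "", 0)
    except (OSError, http.client.HTTPException):  # refused, timed out, garbled reply
        return "unreachable"


if __name__ == "__main__":
    # Run once from the LAN, then from outside against the WAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed default
    verdict = check_rom0(target)
    print("%s/rom-0: %s" % (target, verdict))
    sys.exit(1 if verdict == "exposed" else 0)
```

After the port-80 forward described in the post, a run from outside the network should report `unreachable` or `not-served` rather than `exposed`.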