This paper is the result of various security assessments performed on
several ZyXEL Prestige devices in both a controlled environment
(computer lab) and production environments during several penetration tests.
There are two types of attacks featured in this paper which we believe
might be potentially new:
Additionally, the paper is full of other goodies such as:
- Privilege escalation: it allows retrieving administrative settings
  (i.e., WEP key, ISP and dynamic DNS credentials) and also altering such
  settings
- SNMP read and SNMP write access enabled by default: not only do we
  demonstrate how to change settings, but we also show how to obtain the
  credentials for the Dynamic DNS service in cleartext
- Poor session management allows hijacking of admin sessions
- Authentication vulnerable to replay and password cracking attacks
- Disclosure of credentials: several types of credentials travel in the
  clear when being submitted by the user, and also when being returned
  from the web interface back to the browser