16 June 2014

How to fix the ZyNOS vulnerability & prevent rom-0 access

This is an easy way to fix your router against the rom-0 vulnerability. It can be applied to ZyNOS routers. I applied this solution to a TP-Link TD-W8961ND router. It could be applied to the following routers too:
  • TD-W8901G
  • TD-8816
  • TD-W8951ND
  • ZTE ZXV10 W300
The rom-0 vulnerability was discovered by MrNasro. He suggested a solution, but I think it is not applicable to most devices, as they don't provide a web interface to change these settings. Another person (Piotr Bania) came up with a different way to solve it; however, it is almost impossible to apply, as it requires you (smart people only :) to open the router's case & start reverse engineering the router's memory.

This vulnerability arises from the default settings of the firmware, & the web interface doesn't provide a way to change these settings. Luckily, the firmware does provide another access method for changing the router's settings, although it isn't mentioned in the user manual: the CLI, which can be reached with PuTTY or Telnet. Here I used telnet from Windows. Now follow these steps to prevent the flaw.

  • First, reset the router to factory default settings by pressing the reset button. You need to do this to ensure a safe configuration for your router.
  • Go to the web interface of your router, which can be accessed from & update your router's settings with your ISP information.
  • Under Maintenance, change the default password from admin to anything you want, & don't forget it, as you will need it later on.
  • Open cmd & type the following commands line by line:
    >telnet
    Password: <type your router password>
    Copyright (c) 2001 - 2011 TP-LINK TECHNOLOGIES CO., LTD.
    TP-LINK> sys server load
    TP-LINK> sys server access ftp 1
    TP-LINK> sys server access web 1
    TP-LINK> sys server access icmp 1
    TP-LINK> sys server access tftp 1
    TP-LINK> sys server access snmp 1
    TP-LINK> sys server access telnet 2
    TP-LINK> sys server save
    sys server: save ok

That's all you need, & now your router is safe from the rom-0 attack.
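As an added example (not from the original post or from TP-Link), the telnet session above automated from Python over a raw socket: it builds the same `sys server` command list, logs in, replays each command and returns the router's response to each one. The host, the password and the `Password:` / `TP-LINK> ` prompt strings are assumptions taken from the transcript; adjust them for your device.

```python
import socket

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
HARDENING = [("ftp", 1), ("web", 1), ("icmp", 1), ("tftp", 1), ("snmp", 1), ("telnet", 2)]

def hardening_commands(services=HARDENING):
    """Load, one 'sys server access' line per service (values as typed in the post), save."""
    return (["sys server load"] + [f"sys server access {n} {v}" for n, v in services]
            + ["sys server save"])

def strip_telnet_options(data):
    """Drop IAC negotiation from raw bytes, answering DO->WONT and WILL->DONT; returns
    (text, replies). Assumes each 3-byte negotiation arrives inside one recv() chunk."""
    text, replies, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i]); i += 1
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            if data[i + 1] == DO:
                replies += bytes([IAC, WONT, data[i + 2]])
            elif data[i + 1] == WILL:
                replies += bytes([IAC, DONT, data[i + 2]])
            i += 3
        else:
            i += 2  # two-byte IAC command (e.g. IAC IAC): nothing to answer
    return bytes(text), bytes(replies)

def read_until(sock, marker):
    """Read until marker appears, sending option refusals as they come."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("router closed the connection")
        text, replies = strip_telnet_options(chunk)
        sock.sendall(replies)  # no-op when there was nothing to refuse
        buf += text
    return buf

def apply_hardening(host, password, port=23, prompt=b"TP-LINK> "):
    """Log in, send each hardening command, return {command: router output}."""
    results = {}
    with socket.create_connection((host, port), timeout=10) as s:  # timeout also bounds recv()
        read_until(s, b"Password:")
        s.sendall(password.encode() + b"\r\n")
        read_until(s, prompt)
        for cmd in hardening_commands():
            s.sendall(cmd.encode() + b"\r\n")
            results[cmd] = read_until(s, prompt).decode(errors="replace")
    return results
```

A successful run ends with the output of `sys server save` containing `sys server: save ok`, exactly as in the transcript above.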

CWE ID     255