16 June 2014

How to fix ZynOS vulnerability & prevent rom-0 access

This is an easy way to fix your router against rom-0 vulnerability. it can be applied to ZyNOS routers. I applied this solution to TP-Link TD-W8961ND router. it could be applied to the following list too:
  • TD-W8901G
  • TD-8816
  • TD-W8951ND
  • ZTE ZXV10 W300
rom-0 vulnerability was discovered by MrNasro. he suggested a solution but I think it is not applicable for the most devices as they don't provide a web interface to change this settings. another person (Piotr Bania) came with a different way to solve it. however it is almost impossible to apply as it requires (smart people only :) from you to open the router's case & to start reverse engineering the router's memory.

This vulnerability arise from the default settings of the firmware & it doesn't provide a way to change these settings from the web interface. luckily, the firmware does provide another access method to change the router's settings but it's not mentioned in the user manual. the second access method is the CLI which can be accomplished by using Putty or Telnet. here I used telnet from Windows. now you go with the following steps to prevent the flaw.

  • first you need to reset the router to factory default settings by pressing the reset button. you need to do this to ensure safe configuration for your router
  • go to the web interface of your router which can be accessed from 192.168.1.1 & update your router setting with your ISP information
  • under maintenance change the default password from admin to anything you want & don't forget it as you will need it later on.
  • open cmd & type the following commands line by line
1 >telnet 192.168.1.1
2 Password: <type your router password>
3 Copyright (c) 2001 - 2011 TP-LINK TECHNOLOGIES CO., LTD.
4 TP-LINK> sys server load
5 TP-LINK> sys server access ftp 1
6 TP-LINK> sys server access web 1
7 TP-LINK> sys server access icmp 1
8 TP-LINK> sys server access tftp 1
9 TP-LINK> sys server access snmp 1
9 TP-LINK> sys server access telnet 2
10 TP-LINK> sys server save
11 sys server: save ok


that's all you need & now your router is safe from rom-0 attack.

CVE-2013-2579
CWE ID     255

15 comments:

  1. Replies
    1. sys server access web 2
      sys server save

      Delete
    2. Never mind. I did sys server access web 2 ,sys server save as mentioned above and now it's working. Thanks again!

      Delete
    3. "sys server load" before all

      sys server load
      sys server access web 2
      sys server save

      All done :)

      Delete
  2. Hello.
    I did the telent commands without resetting the modem at first (w8901g) and now I can't access router by typing its ip (192.168.1.1). Can you tell me what I should do to access the router? Thanks. I'm affraid if I reset the modem, then I can't access the router to reconfigure it to connect to internet. Sorry for my english.

    ReplyDelete
    Replies
    1. resetting your router is no problem however it will be vulnerable.

      Delete
  3. I got the same problem. But i fix it doing

    sys server load
    sys server access web 2
    sys server save

    Above, Max says this commands "undo" the rom-0 fix, but my intivirus stop reporting network vulnerability anyway. I think that the "sys server access snmp 1" is the important fix here.

    ReplyDelete
    Replies
    1. when you set access to
      - 1 means no access
      - 2 means access via lan
      - 3 means access via wan (which could be very dangerous and almost home users don't need it)

      Delete
    2. Hi Max - if I want external hacker to have no access to rom-0 file or the tplink admin page but still be able to do 192.168.1.1 internally, does web access via lan setting suffice and work?
      => sys server access web 2


      Delete
    3. @Nitin
      The answer is yes.

      Delete
  4. what about smartphone ?? is this methode works for navgation with smatphones ?

    ReplyDelete
    Replies
    1. this is not related to any smart-phones security issues. this is an explanation of how to fix the exposure of ZynOS which is mostly used by residential modems.

      Delete
  5. what this commands do exactly to router ? I mean those commands stop hacker for downloading Rom-O ? I just want u to explain me what each of this commands do. Thank you

    ReplyDelete