-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

#Vendor: ZyXel WAP3205 - version 1  (Product is EOL  and no patch
forthcoming)
#Firmware version: V1.00(BFR.6) - V1.00(BFR.8)C0
#Exploit Author: Nicholas Lehman @GraphX
#Vulnerability: Multiple persistent and reflected XSS vulnerabilities

Description:
Multiple persistent XSS Vulnerabilities have been discovered in the ZyXel
WAP3205 (version 1) wireless access point.  These vulnerabilities could
allow and  authenticated attacker to insert persistent malicious code on
several pages and using several different fields.  The WAP is End-Of-Life
according to the vendor and will not be issuing a patch for these
vulnerabilities.

Proof of Concept:
The first vulnerability discovered pertained to the inputs found on


- - -http://<ROUTER_IP>/local/advance/main_maintenance_frame.html
the domain_name and system_name inputs are vulnerable to reflected
cross-site scripting and there does not appear to be any validation or
sanitation of those inputs. the admin_inactivity_time input is vulnerable
to persistent XSS with the following code being used:
admin_inactivity_timer=0"><script>alert(document.cookie)</script><input

- - -The date and time tab is also vulnerable to persistent cross site
scripting.  The following inputs allow for malicious code to be stored and
executed:
NTPServerIP
servertype
timedatatype

3. Solution:
ZyXel was informed of the vulnerability, but since the router is end of
life,  a patch will not be released.
Upgrade to a supported WAP
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWo8HaAAoJEGoTpzhfiAPxZFYP/iMGT7oGqHxLtw5rGVk0t5my
ZxKD/ho84OhtHP6d1d4mVcKOmVGPMRLCR7V62m6G9iluzTx08uhAooXzdGPfua9I
WXY+bIyj/3w5ydYJRd6gfR3/BwBHQKiMb06Iwsm2KivZNLYTFZ1mThXcn/dpgopL
BRjLxpVaMOAVEaVgHEcm0B59uaIFT2jBSHfi3MZMYSlkoEGTCs+UaJ3qxMbmxYC9
06Zg8+pQs17AOdaBhSRb/vfeBRuLjbSsNZwI2XrDd5rj6+J3z34VasAnStgcd/uV
5cSIN7AAlfi3sg7BE+3hUZxK8p0KL2vKsm1/FOzAXs9H5/x51vLeJ0zbS4f57wIC
x8lfkEu5GnK2jD2f0IeHrtnesXnIsBAB5THYxrqIfXJI0QpJZk0Dt3NL/uy2x4II
gX8mnqJdci8o58oB4EG3RoYjKNpbbKGmF2JO1Gvgu9COmxMiYhTi9/HUW+SUizne
zDjSeYLRn+VwuG4b77Rv+DH32ue93ujuIIMI+0zRzbpVo0kTr8P772LDn/Ypc5PP
QtDC9A3OHqMOlrURgEEOU4uoB7rEH/aFqmuqEmdjdAVqRJ9xHINtChCIuNCFR9S1
wGluQ2HQ58eOZZK2GCUep57bgaFHSzm5mi0uHd27h6J40wVTiErZfJM5SW8z/rI1
JVy7N1+3MESCr8pW/Cgo
=sI1p
-----END PGP SIGNATURE-----