Zyxel AMG1302-T10B Path Traversal Vulnerability in Web Management Interface
Vulnerability
A path traversal vulnerability has been identified in the web management interface of the Zyxel AMG1302-T10B router, specifically in firmware version 2.00(AAJC.16)C0. It allows an authenticated attacker with administrator privileges to access restricted directories by sending a crafted HTTP request. The flaw is in the function that processes the SESSIONID parameter: it does not validate the input, so directory traversal sequences are accepted.
Impact
Exploitation of this vulnerability could lead to unauthorized access to restricted directories, allowing for file creation or access outside the intended directory structure. Notably, a proof-of-concept attack could write a 0-byte file to the '/etc' directory, taking advantage of a symbolic link to the writable '/tmp/etc' directory on the device.
Reproduction
The vulnerability can be reproduced by sending an HTTP GET request to the '/cgi-bin/pages/maintenance/userAccount/userAccount.html' endpoint. The request must include a 'Cookie' header with a 'SESSIONID' value that traverses the directory structure, such as '../../etc/test.php'. This will create a file named 'test.php' in a location outside of the '/var/tmp/' directory.
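An added example, not Zyxel's code and not code from this advisory: one way a handler could reject a traversal value before it builds a file path from the SESSIONID cookie. It assumes session files sit directly under /var/tmp/ and that valid IDs are alphanumeric and at most 64 characters; all function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSION_DIR "/var/tmp/"  /* directory named in the advisory */
#define SESSION_ID_MAX 64        /* assumed upper bound on ID length */

/* Copy the SESSIONID value out of a Cookie header value.
 * Returns 0 on success, -1 if the cookie is absent, empty or too long. */
int extract_session_id(const char *cookie, char *out, size_t outlen)
{
    const char *key = "SESSIONID=";
    size_t klen = strlen(key);
    for (const char *p = cookie; p && *p; p = strchr(p, ';')) {
        p += strspn(p, "; ");              /* move to start of next pair */
        if (strncmp(p, key, klen) != 0) continue;
        p += klen;
        size_t n = strcspn(p, ";");        /* value ends at ';' or NUL */
        if (n == 0 || n >= outlen) return -1;
        memcpy(out, p, n);
        out[n] = '\0';
        return 0;
    }
    return -1;
}

/* Allowlist: 1..SESSION_ID_MAX characters, all in [A-Za-z0-9].
 * '.', '/' and '\\' never pass, so "../" cannot reach the path. */
int session_id_is_safe(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > SESSION_ID_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i])) return 0;
    return 1;
}

/* Build SESSION_DIR + id, or return -1 without touching the filesystem. */
int build_session_path(const char *cookie, char *out, size_t outlen)
{
    char id[SESSION_ID_MAX + 1];
    if (extract_session_id(cookie, id, sizeof id) != 0) return -1;
    if (!session_id_is_safe(id)) return -1;
    int w = snprintf(out, outlen, "%s%s", SESSION_DIR, id);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}
```

Rejecting the value before any path is built means the '/etc' to '/tmp/etc' symbolic link described under Impact is never reached through this parameter.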
