% Zyxel: Include unencrypted supervisor password in configuration backup files
% Tj
% 2017-08-01

For Zyxel routers such as the VMG8924, and owners who want access to the unencrypted supervisor password without having to use cracking tools.

This modified executable of `/bin/zycfgfilter` allows the unencrypted passwords of the supervisor, admin, and other users to be exported via the regular administration web interface (**Maintenance > Configuration > Backup Configuration**).

## Decoding the configuration file entries

The entries in the `configuration-backupsettings.conf` file will only be Base64 encoded and will look similar to this:

```
_ZEncrypted_MzBlZWM4Y2YA
admin
_ZEncrypted_MTIzNAA=
```

To decode them, strip the leading `_ZEncrypted_`:

```sh
# supervisor (a.k.a. root - UID = 0) for device serial # 31005832
echo MzBlZWM4Y2YA | base64 -d
30eec8cf
# 'admin' default
echo MTIzNAA= | base64 -d
1234
```

## How it works

The only difference in the modified `zycfgfilter` is that all the strings within the executable that refer to the XML nodes that store passwords had the upper-case "P" of "Password" converted to a lower-case "p". This means the filter fails to match the entries fed to it from `dumpmdm` and so only does Base64 encoding of the passwords.

The reason this works is that `zycfgfilter` is called by the httpd service to filter out sensitive entries that the `dumpmdm` tool (available in the router's CLI) outputs.

The original file is at `/bin/zycfgfilter`. That cannot be overwritten because it is in a read-only file system. But the shell `PATH` variable has other directories listed before `/bin/` where the modified file can be put, meaning it'll be executed instead of the system file.
In this case the directory to use (it doesn't exist by default) is `/home/bin/`.

## Router Shell Hack

The original ***trick*** I discovered back in 2014 to execute shell commands from the terminal CLI:

```
> cat& bash
```

has been closed off in recent firmware upgrades, so there's another way to execute commands. It's a bit more convoluted and less than ideal, but it's enough to do emergency hacking.

This new method is to create a sub-shell with `$(...)` to execute a single command. E.g.:

```
> echo $(uname -a)
Linux (none) 2.6.30 #3 SMP PREEMPT Thu May 25 18:09:29 CST 2017 mips GNU/Linux
```

## Installation

To install on a Zyxel router (e.g. VMG8924) do, from a PC:

```sh
# set router IP
RIP=10.254.1.254
# Either:
ssh admin@$RIP
# Or:
telnet $RIP
# login: admin
> echo $(mkdir /home/bin)
> echo $(wget http://iam.tj/projects/zyxel/zycfgfilter -O /home/bin/zycfgfilter)
Connecting to iam.tj (109.74.197.122:80)
zycfgfilter            0% |                                |     0  --:--:-- ETAEOMTime:1501717911.174968 2017-08-02T23:51:51.174968
zycfgfilter          100% |*************************************************| 66604  --:--:-- ETA
200 OK, File Get Success
> echo $(ls -l /home/bin)
-rwxr-xr-x    1 supervis root         66604 Aug  2 23:17 zycfgfilter
```

Now use the web interface to back up the configuration file to the PC and it will contain the passwords with the Base64 encoding.

## Do It Yourself

If you don't trust my modifications - although they are only conversions of "P" to "p" in several occurrences of "Password" - then do it yourself by copying and modifying the file.

## Verify Digital Signature and No Tampering

The SHA-1 of the modified file is:

```
shasum zycfgfilter
9aa2a0b54c258b7d67a075db9ddc9f77f110c064  zycfgfilter
```

This is in the `SHASUMS` file. I've signed that file using GNU Privacy Guard (gpg) and the detached signature is `SHASUMS.gpg`.
Both these files are in the same directory as `zycfgfilter` at: [https://iam.tj/projects/zyxel/](https://iam.tj/projects/zyxel/)

My public key ID is and the fingerprint is:

```
2C9A BEB5 03E2 285A 6A5B 8A91 EFEC 37A4 29CD 6080
```

To add my public key to your keyring using its fingerprint:

```sh
gpg --keyserver keyserver.ubuntu.com --recv 0x2C9ABEB503E2285A6A5B8A91EFEC37A429CD6080
```

Once you've imported my public key to your keyring, verify the `SHASUMS` file hasn't been tampered with:

```
gpg2 --verify SHASUMS.gpg SHASUMS
gpg: Signature made Thu 03 Aug 2017 01:11:19 BST using RSA key ID 9ACC1423
gpg: Good signature from "TJ " [ultimate]
....
```

and then check that the file(s) you've downloaded match:

```
shasum -c SHASUMS
zycfgfilter: OK
README.html: OK
README.md: OK
```

## Comments

Any comments please direct to the forum thread at: [http://forum.kitz.co.uk/index.php/topic,20067.0.html](http://forum.kitz.co.uk/index.php/topic,20067.0.html)

-----

This document created using:

```
pandoc --toc -s -t html5 -o README.html README.md
```
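Added example for the "Decoding the configuration file entries" and "How it works" sections (my code, not part of the original README or of Zyxel's tooling): a small audit script that scans a configuration backup for `_ZEncrypted_` tokens and reports which ones are merely Base64 of a plain-text string, i.e. which credentials the backup file exposes to anyone who holds it. The token pattern and the sample file are assumptions; the two Base64 values are the page's own, and the trailing NUL byte each one carries is stripped.

```python
import base64
import binascii
import re

# Prefix the Zyxel config filter places before encoded password values (from the page).
PREFIX = "_ZEncrypted_"
# Assumed token shape: the prefix followed by a run of Base64 characters and optional padding.
TOKEN_RE = re.compile(re.escape(PREFIX) + r"([A-Za-z0-9+/]+={0,2})")


def decode_zencrypted(payload):
    """Return the plain text if `payload` is only Base64 of a printable C string
    (the weak case the page describes), otherwise None.

    The encoded data includes the string's trailing NUL byte, which is stripped.
    """
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.rstrip(b"\x00")
    try:
        decoded = text.decode("ascii")
    except UnicodeDecodeError:
        return None  # not text: treat as genuinely protected or unknown
    return decoded if decoded.isprintable() else None


def scan_backup(conf_text):
    """List every _ZEncrypted_ token with its decoded value, or None when the
    value is not plain Base64 text. A non-None entry is an exposed credential."""
    return [(m.group(1), decode_zencrypted(m.group(1))) for m in TOKEN_RE.finditer(conf_text)]


# Constructed sample in the shape the page shows; the first two values are the
# page's own examples, the third is a made-up value that does not decode to text.
SAMPLE_CONF = """\
_ZEncrypted_MzBlZWM4Y2YA
admin
_ZEncrypted_MTIzNAA=
guest
_ZEncrypted_/w==
"""

if __name__ == "__main__":
    for payload, plain in scan_backup(SAMPLE_CONF):
        status = "EXPOSED" if plain is not None else "not plain Base64"
        print(f"{PREFIX}{payload}: {status}" + (f" -> {plain!r}" if plain else ""))
```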