Or, how I found multiple vulnerabilities on a lazy Sunday afternoon

Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2, I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch, which runs on a 32-bit MIPS CPU. All in all this has turned out to be an interesting exploration of both Ghidra and the GS.40(AAHH.2)C0.bix firmware image.

Initially I wanted to write about poking around the firmware image and showing how one can use Ghidra to explore unknown binaries, but whilst looking around some libraries that are used by this switch I realised there is actually an interesting vulnerability to write about. "Unprivileged" users have full administrative privileges through SSH, which also allows for obtaining encrypted credentials, which can then be trivially decrypted.

Secondly, there are two undocumented and password protected interfaces. One is a password recovery menu only reachable via serial console and the other is a diagnostic menu which is available via SSH. The passwords for these hidden menus are hardcoded in the firmware.

The firmware image I used was downloaded from the Zyxel support site, or you can grab it from their FTP site. Binwalk had a hard time figuring out what was in the bix file; however, it did get a number of binaries extracted that were of enough interest to pursue further exploration of this image.

A quick search revealed the gs1900fw project, which was used to extract the firmware:

```
% python gs1900fw.py -w GS.40\(AAHH.2\)C0.bix -e
Checking file magic: Expected 0x83800000, found 0x83800000
Writing to: GS.40(AAHH.2)C0.bix-part-0.gz
Decompressing to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_org.bin
Writing kernel to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_org.bin-kernel
Writing initramfs to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_
```

Next I extracted the initramfs.gz on Linux with GNU cpio, as it required the `--no-absolute-filenames` flag:

```
$ gunzip GS.40\(AAHH.2\)C0.bix-part-0-vmlinux_
$ cpio -vid --no-absolute-filenames < GS.40\(AAHH.2\)C0.bix-part-0-vmlinux_org.bin-initramfs
```

This resulted in a few files which appear to be Busybox related, nothing that would indicate this being a switch firmware yet, except for an sqfs.img file:

```
$ binwalk sqfs.img
0             0x0             Squashfs filesystem, big endian, lzma signature, version 3.1, size: 4219154 bytes, 549 inodes, blocksize: 131072 bytes, created: 03:49:3
```

This contained the real binaries used by the device:

```
$ ls -lh bin
-rwxr-xr-x 1 kali kali  36K Jun  5 05:49 arp
-rwxr-xr-x 1 kali kali 223K Jun  5 05:49 boa
-rwxr-xr-x 1 kali kali 426K Jun  5 05:49 cli
-rwxr-xr-x 1 kali kali 191K Jun  5 05:49 dhcp6c
-rwxr-xr-x 1 kali kali 157K Jun  5 05:49 dhcpcd
-rwxr-xr-x 1 kali kali 1.9M Jun  5 05:49 diag
-rwxr-xr-x 1 kali kali 115K Jun  5 05:49 handler
-rwxr-xr-x 1 kali kali  14K Jun  5 05:49 inetd
-rwxr-xr-x 1 kali kali 110K Jun  5 05:49 initd
-rwxr-xr-x 1 kali kali 115K Jun  5 05:49 ksid
-rwxr-xr-x 1 kali kali  63K Jun  5 05:49 msntp
-rwxr-xr-x 1 kali kali 687K Jun  5 05:49 openssl
-rwxr-xr-x 1 kali kali 119K Jun  5 05:49 polld
-rwxr-xr-x 1 kali kali  31K Jun  5 05:49 snmpd
-rwxr-xr-x 1 kali kali  19K Jun  5 05:49 snmptrap
-rwxr-xr-x 1 kali kali 631K Jun  5 05:49 sshd
-rwxr-xr-x 1 kali kali 249K Jun  5 05:49 ssh-keygen
-rwxr-xr-x 1 kali kali  28K Jun  5 05:49 telnetd
-rwxr-xr-x 1 kali kali 106K Jun  5 05:49 timed
```
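The carving that binwalk and gs1900fw do for the bix image can be reproduced in miniature. The following is an added example of my own, not code from this post or from the gs1900fw or binwalk projects: it checks the leading 0x83800000 word that gs1900fw reports, then scans a blob for gzip members and Squashfs superblocks, and only reports a gzip hit after actually inflating it, so that bytes which merely look like a gzip header (one reason magic-only scanners struggle with images like this) are dropped. The sample blob, the function names, and the superblock field offsets it reads (inode count at +4, major/minor version at +28, which are shared by the Squashfs 3.x and 4.x layouts) are my assumptions and constructions; the bix container format itself is not parsed here.

```python
import gzip
import struct
import zlib

BIX_MAGIC = 0x83800000                          # leading word gs1900fw checks in the .bix
GZIP_MAGIC = b"\x1f\x8b\x08"                    # gzip member using the deflate method
SQUASHFS_MAGICS = {b"sqsh": ">", b"hsqs": "<"}  # big-endian / little-endian superblock


def check_bix_magic(blob):
    """First thing gs1900fw prints: compare the leading 32-bit big-endian word."""
    if len(blob) < 4:
        return False
    (magic,) = struct.unpack(">I", blob[:4])
    return magic == BIX_MAGIC


def validate_gzip(blob, offset):
    """Try to inflate a gzip member starting at offset.
    Returns (compressed_len, decompressed_len), or None when the bytes only
    looked like a gzip header (a magic-only scanner would still report them)."""
    inflater = zlib.decompressobj(wbits=31)      # 16 + 15: gzip wrapper, 32 KiB window
    try:
        out = inflater.decompress(blob[offset:])
    except zlib.error:
        return None
    if not inflater.eof:                         # stream never reached its trailer
        return None
    compressed_len = len(blob) - offset - len(inflater.unused_data)
    return compressed_len, len(out)


def squashfs_superblock(blob, offset, byteorder):
    """Read the fields at offsets shared by Squashfs 3.x and 4.x superblocks (assumption)."""
    if len(blob) - offset < 32:
        return None
    (inodes,) = struct.unpack(byteorder + "I", blob[offset + 4:offset + 8])
    major, minor = struct.unpack(byteorder + "HH", blob[offset + 28:offset + 32])
    if not (1 <= major <= 4) or inodes == 0:     # sanity check against random matches
        return None
    return {"inodes": inodes, "version": f"{major}.{minor}"}


def carve(blob):
    """Return validated embedded images as dicts, ordered by offset."""
    candidates = []
    for magic in [GZIP_MAGIC, *SQUASHFS_MAGICS]:
        pos = blob.find(magic)
        while pos != -1:
            candidates.append((pos, magic))
            pos = blob.find(magic, pos + 1)
    candidates.sort()

    found, covered_until = [], 0
    for pos, magic in candidates:
        if pos < covered_until:                  # hit lies inside an already validated member
            continue
        if magic == GZIP_MAGIC:
            sizes = validate_gzip(blob, pos)
            if sizes is None:
                continue
            found.append({"kind": "gzip", "offset": pos,
                          "compressed_len": sizes[0], "decompressed_len": sizes[1]})
            covered_until = pos + sizes[0]
        else:
            info = squashfs_superblock(blob, pos, SQUASHFS_MAGICS[magic])
            if info is None:
                continue
            info.update(kind="squashfs", offset=pos,
                        byteorder="big" if SQUASHFS_MAGICS[magic] == ">" else "little")
            found.append(info)
    return found


# Constructed sample input: the header word, a real gzip member and a stub
# big-endian Squashfs 3.1 superblock claiming 549 inodes (the values binwalk
# reported for sqfs.img), separated by filler bytes.
SAMPLE_PAYLOAD = b"vmlinux_org.bin stand-in: " + bytes(range(256)) * 4


def build_sample_blob():
    gz = gzip.compress(SAMPLE_PAYLOAD, mtime=0)
    superblock = (b"sqsh" + struct.pack(">I", 549) + b"\x00" * 20
                  + struct.pack(">HH", 3, 1) + b"\x00" * 64)
    return struct.pack(">I", BIX_MAGIC) + b"\x00" * 60 + gz + b"\xff" * 32 + superblock


if __name__ == "__main__":
    blob = build_sample_blob()
    print("bix magic ok:", check_bix_magic(blob))
    for hit in carve(blob):
        print(hit)
```

Running it against a real image only tells you where the candidates sit; unpacking the Squashfs part still needs a tool that understands the big-endian 3.1 layout and its LZMA signature, which is why the post falls back to the dedicated extractor.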
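The `--no-absolute-filenames` flag matters because an initramfs cpio can carry member names like `/bin/sshd`, and a naive extractor would follow them straight out of the working directory. The following is an added example of my own, not code from this post or from GNU cpio: it builds a small SVR4 "newc" archive with an absolute name, a traversal attempt and a plain relative name, parses it, and writes out only the members whose resolved paths stay inside the destination. Dropping the leading slash mirrors what the cpio flag does; refusing any `..` component and the final containment check are extra checks of my own. The archive contents and the function names are constructed for the example.

```python
import os
import posixpath
import stat
import tempfile

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HEADER_LEN = 110                      # 6-byte magic + 13 ASCII-hex fields of 8 chars


def _pad4(n):
    return (4 - n % 4) % 4


def build_newc(entries):
    """Construct a minimal SVR4 'newc' cpio archive from (name, data) pairs.
    Constructed sample input only; a real initramfs carries more member types."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\x00"
        mode = 0 if name == TRAILER else stat.S_IFREG | 0o644
        # c_ino c_mode c_uid c_gid c_nlink c_mtime c_filesize c_devmajor
        # c_devminor c_rdevmajor c_rdevminor c_namesize c_check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        header = NEWC_MAGIC + "".join(f"{f:08x}" for f in fields).encode()
        out += header + name_b + b"\x00" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\x00" * _pad4(len(data))
    return bytes(out)


def iter_newc(archive):
    """Yield (name, mode, data) for each member up to the trailer."""
    pos = 0
    while pos + HEADER_LEN <= len(archive):
        if archive[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {pos}")
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = pos + HEADER_LEN
        name = archive[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = bytes(archive[data_start:data_start + filesize])
        pos = data_start + filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, mode, data


def sanitize_member_path(name):
    """Map a member name to a safe path relative to the extraction root, or None.
    Dropping leading slashes is what cpio --no-absolute-filenames does; refusing
    any '..' component is an additional check of my own, not cpio's behaviour."""
    rel = posixpath.normpath(name.lstrip("/"))
    if rel in ("", ".") or posixpath.isabs(rel):
        return None
    if any(part == ".." for part in rel.split("/")):
        return None
    return rel


def extract_newc(archive, dest):
    """Extract members under dest; return (written relative paths, rejected names)."""
    dest = os.path.abspath(dest)
    written, rejected = [], []
    for name, mode, data in iter_newc(archive):
        rel = sanitize_member_path(name)
        target = None if rel is None else os.path.abspath(os.path.join(dest, rel))
        # Final containment check on the resolved path, independent of the sanitiser.
        if target is None or os.path.commonpath([dest, target]) != dest:
            rejected.append(name)
            continue
        if stat.S_ISDIR(mode):
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(data)
        written.append(rel)
    return written, rejected


# Constructed sample: an absolute name, a traversal attempt and a plain relative name.
SAMPLE_ENTRIES = [
    ("/bin/sshd", b"ELF stand-in"),
    ("bin/../../etc/shadow", b"root:x:..."),
    ("./etc/inetd.conf", b"telnet stream tcp nowait root /bin/telnetd"),
]


def demo():
    """Extract the sample archive into a temp dir; return what was written and rejected."""
    with tempfile.TemporaryDirectory() as d:
        written, rejected = extract_newc(build_newc(SAMPLE_ENTRIES), d)
        contents = {}
        for rel in written:
            with open(os.path.join(d, rel), "rb") as fh:
                contents[rel] = fh.read()
    return written, rejected, contents


if __name__ == "__main__":
    print(demo())
```

The parser deliberately stops at the trailer and raises on a bad magic rather than skipping ahead, so a corrupted or hand-crafted archive fails loudly instead of silently producing a partial tree.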