

# Zyxel firmware upgrade tool update

Update (December 2020): Several of the vulnerabilities mentioned in the post below have since been patched by Zyxel. In a later post I detail a different vulnerability, which has also been fixed.

My ISP recently provided me with a new router, the Zyxel VMG8825-T50. It seems to be a relatively new gigabit router with all kinds of capabilities. Sadly, some of them are locked down behind a somewhat restrictive web interface. This post details my steps towards getting a root shell on this device through software-only means.

TL;DR: using these four simple tricks you can get a root shell on your Zyxel VMG8825-T50 router:

- The DLNA server is running as root and follows symlinks.
- Even though they're hidden in the web UI, SSH and other services can be enabled by setting a few fields in the configuration backup file.
- A local subnet can be set as the remote management IP whitelist through the configuration backup file, enabling (local) SSH access.
- An innocent DDNS configuration setting can be used as a decryption oracle.

By default, the device does not expose any interesting services besides the web interface.

Figure: Web interface status page

After poking around in its modern Vue-based interface for a bit, I made the following observations:

- The default admin user is actually the lowest privilege user.
- It is needlessly complex with a large client-side blob of JavaScript performing all kinds of processing, including storing the privilege level (medium) in a localStorage variable (yes, you can set it to high to expose more settings), and using some form of homebrew application-layer cryptography in all its asynchronous requests (with the key in localStorage!).

The device has a built-in Samba server which can serve files from attached USB drives. From a quick test, at least FAT32, NTFS and ext2 are supported. The folders visible through SMB are either /home/admin or /home/admin/usbX_sdaX (depending on the USB port and partition). Sadly, symlinks to folders and files outside of this /home/admin are ignored.

Besides the USB mount points, /home/admin contains two folders: data/ and fw/. The latter appears to be a place to put firmware upgrade files. As it turns out, there is a process called fwwatcher that looks for any file placed in this folder and tries to apply it as a configuration file or firmware upgrade.

At least now we have a way to perform a firmware upgrade!

## DLNA / UPnP

Luckily the device supports another way of sharing files, albeit read-only: UPnP/DLNA. The web interface even makes it easy to change the base path outside of the /mnt folder (where the USB drive is also mounted).
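The Samba share ignores symlinks that point outside /home/admin, while the DLNA server follows them as root. The following is an added example (not code from this post or from Zyxel's firmware) of the containment check a file-sharing service needs before serving a path; the function names, the temporary directory layout and the file names are constructed for illustration.

```python
import os
import tempfile


def resolve_inside(share_root, requested):
    """Return the real path of `requested` if it stays under `share_root`, else None."""
    root = os.path.realpath(share_root)
    # Resolve every symlink and ".." in the joined path before comparing.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def list_shareable(share_root):
    """Index a share the way a media server would, skipping links that escape it."""
    root = os.path.realpath(share_root)
    served, skipped = [], []
    # followlinks defaults to False, so symlinked directories are never descended.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            (served if resolve_inside(root, rel) else skipped).append(rel)
    return sorted(served), sorted(skipped)


def demo():
    """Build a constructed share with one in-share link and one escaping link."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "usb1_sda1")   # constructed mount point name
        os.makedirs(share)
        outside = os.path.join(tmp, "secret.conf")  # file outside the share
        with open(outside, "w") as fh:
            fh.write("not for sharing\n")
        movie = os.path.join(share, "movie.mkv")
        with open(movie, "w") as fh:
            fh.write("media\n")
        os.symlink(movie, os.path.join(share, "alias.mkv"))      # stays inside
        os.symlink(outside, os.path.join(share, "holiday.jpg"))  # escapes
        served, skipped = list_shareable(share)
        return (served, skipped,
                resolve_inside(share, "holiday.jpg"),
                resolve_inside(share, "../secret.conf"))


if __name__ == "__main__":
    print(demo())
```

The check narrows but does not remove the window between resolving a path and opening it, so the server should open the resolved path it was handed back. Running the media server as an unprivileged user limits what an escaping link could reach if the check is ever bypassed.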
