Zyxel PMG5617 Command Injection

[JB701]

I was messing around the diagnostics section of ZyXEL router and noticed that it was running ping and stuff on BusyBox. I tried some sequences to escape that nslookup command and run whatever I want, most of the operators like > < are blocked but a major one "&&" which is used to run next command after end of one command wasn't blocked.

I was able to get access to the shell this way. It is also running as the root user! I will probably mess around this later (and hopefully not brick my router).

CGI Scripts present on the router:

All the binaries and bash scripts present:

 

[rajil.s]

The screenshot has gone missing in your post.

 

[JB701]

weird, here is the same

I got ftp access now, it was a bit tricky cuz redirection ops are not allowed but you can get around it by inserting whatever commands in a script, using wget to download the script, chmod 777 and running it.

edit: got the unencrypted config file its in \var\pdm

edit2: i was being kinda stupid you can enable telnet with "127.0.0.1 && telnetd -l /bin/sh -p 5856" in the diagnostics

 

[bbforumstalker]

What is your firmware? Seems like with the latest firmware this is patched and whats worse - I am no longer able to edit my WAN settings.
No more Bridge mode and IPv6

 

[JB701]

bootloaderVer=V1.01 | Nov 16 2021 13:54:11
version0=V100ACCU0b5
fw_version0=V100ACCU0b5

is firmwareUpgrade.cgi accessible?

 

[bbforumstalker]

@JB701 if you reset your router, the new firmware will be pushed.
The new firmware breaks a lot of things. For ex Network Settings > WAN you no longer see "modify"
So You can no longer enable ipv4/ipv6 dual stack
No longer enable PPPoE passthrough Mode
- This lets you have your router + a device in you LAN to get a PPP connection - > Both of them simultaneously giving you your plans speed so you can use a load balancing proxy to effectively get 2x speeds

I wish I didnt reset mine. Airtel technicians end their vocabulary at "firewall" when I am trying to get this sorted.

Could you backup the entire system since you have access to it? We should be able to inject our settings on updated firmwares too!
We can take this discussion elsewhere to prevent spam here.

ALso does it say D6 in the country code in the main router page?
Mine looks like this

Device Information
Country Code:	IN
Host Name :	admin
Model Name:	PMG5617-R20B
MAC Address:	<cleared>
Firmware Version:	V100ACCU0b8

 

---

[potatoKun]

@bbforumstalker @JB701 I too did a router reset, and now stuck with unconfigurable router. Did you find a way to do something about it?

 

[JB701]

i have found another vulnerability but I'm not going to mention it here as it could get patched. im all for security and all but i hate the isps who lock down routers. the stock model of ZyXEL has way more options.

message me on telegram: @maya22011 and ill give it.

 

[albonycal]

Such vulnerabilities shouldn't exist in 2023, but of course they do... 😂
I have seen some devices that block these operators in js, but you could just use an intercepting proxy to achieve command injection.. LOL

This one already might be well known, there are many ZyXEL CVEs that describe command injection, none go into the details so we never know, but at-least they are open about it and issue advisory.

The Nokia ONT does some weird "encryption" ( more like obfuscation ) stuff to make modifying requests harder, I might write a blog post on that