Zyxel PMG5617 Command Injection

Thread starter: JB701 | Replies: 21 | Views: 8,944

JB701 (Kochi, KL; ISP: Airtel):
I was messing around in the diagnostics section of my ZyXEL router and noticed that it was running ping and similar tools on BusyBox. I tried some sequences to escape that nslookup command and run whatever I want; most of the operators like > and < are blocked, but a major one, "&&", which is used to run the next command after the end of one command, wasn't blocked.

[screenshot: lkwlf5.png]


I was able to get access to the shell this way. It is also running as the root user! I will probably mess around with this later (and hopefully not brick my router).

CGI Scripts present on the router:
Source

All the binaries and bash scripts present:
Source
 
The screenshot has gone missing in your post.
 
Weird, here is the same one:
[screenshot: 3.png]


I got FTP access now. It was a bit tricky because redirection operators are not allowed, but you can get around it by putting whatever commands you want in a script, using wget to download the script, chmod 777, and running it.

edit: got the unencrypted config file; it's in /var/pdm

edit2: I was being kinda stupid; you can enable telnet with "127.0.0.1 && telnetd -l /bin/sh -p 5856" in the diagnostics
 
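The injection described in the two posts above, as an added example that is not the router's code or JB701's: a Python model of a diagnostics handler whose denylist rejects redirection but not `&&`, beside a hardened handler that allowlists the target and never invokes a shell. The denylist contents, the `echo nslookup` stand-in for the real binary (so the example runs offline), and all function names are assumptions.

```python
"""
Model of the diagnostics command injection discussed in the thread.
Added example, not the router's code: the filter and the handlers are
constructed approximations of the behaviour the posts describe.
"""
import re
import subprocess

# Assumed denylist: redirection and a few other metacharacters are
# rejected, but "&&" is not (the gap the post found).
BLOCKED_CHARS = ("<", ">", "|", ";", "`", "$")

# "echo nslookup" stands in for the real nslookup/ping binary so the
# example runs offline; the shell semantics are the same.
STUB_TOOL = "echo nslookup"


def legacy_filter_accepts(host: str) -> bool:
    """Character denylist in the style the post describes."""
    return not any(ch in host for ch in BLOCKED_CHARS)


def legacy_diag(host: str) -> str:
    """Vulnerable handler: string concatenation run through sh -c."""
    if not legacy_filter_accepts(host):
        return "rejected"
    proc = subprocess.run(f"{STUB_TOOL} {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Allowlist: DNS hostname labels (which also covers dotted-quad IPv4).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_target(host: str) -> bool:
    """True only for a well-formed hostname or IPv4 literal."""
    return bool(HOSTNAME_RE.match(host))


def hardened_diag(host: str) -> str:
    """Hardened handler: allowlist the argument and pass argv, no shell."""
    if not is_valid_target(host):
        return "rejected"
    proc = subprocess.run(STUB_TOOL.split() + [host],
                          capture_output=True, text=True)
    return proc.stdout


def argv_only_diag(host: str) -> str:
    """No validation, but argv passing alone: '&&' stays a literal argument."""
    proc = subprocess.run(STUB_TOOL.split() + [host],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1 && echo INJECTED"
    print(legacy_diag(payload))      # second command runs
    print(hardened_diag(payload))    # rejected
    print(argv_only_diag(payload))   # whole payload echoed as one argument
```

The two defences are independent: the allowlist stops the payload before anything runs, and argv passing means that even a missed character never reaches a shell parser. A denylist of metacharacters, as the post shows, is only as good as the list.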
What is your firmware? It seems like with the latest firmware this is patched, and what's worse, I am no longer able to edit my WAN settings.
No more Bridge mode and IPv6 🙁
 
bootloaderVer=V1.01 | Nov 16 2021 13:54:11
version0=V100ACCU0b5
fw_version0=V100ACCU0b5

Is firmwareUpgrade.cgi accessible?
 
@JB701 if you reset your router, the new firmware will be pushed.
The new firmware breaks a lot of things. For example, under Network Settings > WAN you no longer see "modify".
So you can no longer enable IPv4/IPv6 dual stack.
No longer enable PPPoE passthrough mode.
- This lets you have your router + a device in your LAN get a PPP connection -> both of them simultaneously giving you your plan's speed, so you can use a load-balancing proxy to effectively get 2x speeds.

I wish I hadn't reset mine. Airtel technicians end their vocabulary at "firewall" when I am trying to get this sorted.

Could you back up the entire system since you have access to it? We should be able to inject our settings on updated firmwares too!
We can take this discussion elsewhere to prevent spam here.

Also, does it say D6 in the country code on the main router page?
Mine looks like this
Device Information
Country Code: IN
Host Name : admin
Model Name: PMG5617-R20B
MAC Address: <cleared>
Firmware Version: V100ACCU0b8
 


Such vulnerabilities shouldn't exist in 2023, but of course they do... 😂
I have seen some devices that block these operators in JS, but you can just use an intercepting proxy to achieve command injection... LOL

This one might already be well known; there are many ZyXEL CVEs that describe command injection, but none go into the details, so we never know. At least they are open about it and issue advisories.

The Nokia ONT does some weird "encryption" (more like obfuscation) stuff to make modifying requests harder; I might write a blog post on that 😀
 
I am trying to enable FTP on this router, but it's not working for me. It's showing the detected USB drive under the "file sharing" option; I have enabled it and set up the credentials as well, but when I try to connect to "ftp://192.168.1.1" it's not displaying anything: "Windows cannot access this folder. Make sure you typed it correctly." Anyone know what to do? I am not a network guy.
 
