ZyXEL Gateways Vulnerability Research (Part 2)

Here is the second version of the ZyXEL routers penetration testing paper. This second part of the paper is also fully practical just like the first one. No theory whatsoever, but rather real juicy attacks which is what we pentesters/whitehats are interested in (after all we need to be aware of what the bad guys can do)!

Unlike the first part of the paper, this one focuses more on attack techniques rather than newly-discovered vulnerabilities. A significant percentage of the content is dedicated to methods that allow attackers extract all types of passwords stored in the target router. For instance, we discuss extracting the admin password from a proprietary-format/non-human-readable config file (thanks to Kender Arg for his help with this). We also show how to phish the admin password via _dynamic DNS poisoning_! We also discuss a geek project that allows you to turn the ZyXEL Prestige P-660HW-T1 into a wardriving tool without having to install any additional tools on the router by using an expect script.

There are many more goodies such as attack scripts. Some of them were created to attempt to compromise a ZyXEL Prestige router (i.e.: password cracker), while others would be used after the target router has been compromised (i.e.: ping-sweeping script). Keep in mind that the scripts were only tested on ZyXEL P-660HW-T1 and provided for demonstration purposes only. Most likely, such scripts need to be modified to work on other models, although I have the suspicion that the password cracker script will work on most ZyXEL Prestige routers and perhaps ZyXEL ZyWALL firewalls.

I believe (or at least hope) that password hackers/pentesters and researchers interested in embedded devices security will learn something from this paper and hopefully be inspired to do more research in this fascinating area which I believe will be huge in the future (embedded devices security that is). Even if you are not the owner of a ZyXEL router I still recommend you to take a look at the paper, as many of the attacks featured can be applied to just any embedded device out there.

Also remember that ZyXEL Prestige routers are fairly popular in continental Europe and Latin America where they're shipped by big ISPs such as Telefonica.

Archived Comments

Kender

Although such tool is a half-baked project and is a bit buggy

Heheh, you're right. I never seem to properly finish anything before something else comes along to catch my interest :) Nice paper though. Perhaps you could include a few simple points on how to prevent attacks on your device.

Ix

After reading this I have to ask, is there any particular reason why you used ZyXEL devices? Was it what was on hand or donated for testing? or are they much easier to break into than other routers and firewalls from other companies, therefore giving better coverage of all the possible vulnerabilities that could be found? I haven't had time to read the report yet and I somehow missed seeing the first one, so if the why is in either of them just ignore this question. Off to the archives to hunt down the first report now.

Adrian 'pagvac' Pastor

@Kender - as I said, the tool is more than enough to get the admin password which is what I was interested in anyway. Regarding protections, well, the first protection is NOT to use ZyXEL routers. If this is not an option for you, then you can check out the first part of the paper which talks about how to defend against these attacks. @lx - no reason. Just found some serious issues during a pentest, and then decided to purchase a few more to test them more in depth. btw, the first part of the paper was published on the 3rd party-site. Google is your friend ;)

Ix

Ahh, well that explains how and why I missed the first one, was wondering how I missed it and couldn't find it in the archive (I did stay up too late watching some movies with friends last night so I was thinking it might have been sleep dep messing with me). Thanks for the response. Off to google next time I have time to search and read.

Adrian 'pagvac' Pastor

@lx: We're always more than happy to answer any questions you guys might have regarding our research. Thanks a lot for your interest (I mean it)! You can find the 1st part of the paper here: http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf @Kender: have you considered adding more details to your reverse-engineering tutorial? I think the community would benefit a lot from it if you made it more complete: http://www.mindmasters.nl/kender/zyxel/