plegraphics.blogg.se

Zywall








During a red teaming exercise conducted for one of our customers, we abused weak passwords to obtain administrative access to some Zyxel ZyWALL Unified Security Gateway (USG) appliances that were used as both firewalls and VPN concentrators in their branch offices. These appliances are targeted at small and medium businesses and are somewhat popular, at least according to Shodan. Thanks to our administrative access, we were able to dump the configurations and we noticed that a series of passwords stored on these devices were encrypted in some way. When we did a Google search we could not find any public information on the Internet about how these passwords were stored. Based on our observations, they had to be encrypted with a reversible algorithm because they were passwords that the device itself used, such as the PSKs of VPNs.

Since we had some spare budget, we decided to buy a similar device on eBay and spend some time auditing it on our own. Our next articles will cover the results of our analysis carried out on the physical device. In the meantime, let’s focus on the work we did while we were waiting for the device to arrive. In this first article of our Zyxel audit series we will cover firmware extraction and password decryption against Zyxel ZyWALL Unified Security Gateway (USG) appliances.

Firmware extraction

First of all, we downloaded from the official website the same firmware images (version 4.10 and 4.70) for the USG310 device that were deployed by our customer. We started working on version 4.10 of the firmware: the file 410AAPJ2C0.bin is the firmware image in ZIP format. Unfortunately, the ZIP archive was password protected. Searching online we were unable to find any information on the passwords used by Zyxel.

In the PDF documents distributed with the firmware, however, a recovery method is described in the event that the upgrade procedure is unsuccessful. A lower level procedure is also available in case the previously described method does not work:









