#Zyxel announced CVE-2020-29583, fixing a backdoor admin account that gave attackers root on affected devices via SSH or the web interface.

If you want to examine the firmware, you need to run a #known_plaintext_attack against an encrypted zip.

Sounds hard; don't worry I got you... 👇
Zyxel have actually removed the backdoored firmware versions from their portal, but you can still grab the latest version or earlier versions for further inspection.

Example:

portal.myzyxel.com/my/firmwares?f…
Now, unzip the contents and you should have something like this.
Running file on the .bin file suggests this is a zip archive, but if you attempt to unzip it from the command line you'll see errors, as it's password protected.
Let's flip to Windows and browse the archive using 7-Zip. We don't know the password to extract the zip, but we can see the file names, folder structure and file sizes.
Browse through the folders and you'll find system-default.conf in the following location:

455ABUH0C0.bin\db\etc\zyxel\ftp\conf\system-default.conf
Hey, wait, that file is 26729 bytes long. Didn't we see something like that in the original firmware zip?

Coincidence? I think not. Looks like we know some of the plaintext within the encrypted zip.
Now it's time to break out pkcrack. I use a Mac, and you can install it using Homebrew, i.e.

brew install pkcrack

formulae.brew.sh/formula/pkcrack
I wrote a quick bash script which will help automate the process of cracking the zip.

We need to zip up the plaintext and also extract it and feed both to pkcrack along with the .bin we want to crack.

github.com/cybercdh/hacks…
Run the bash script in the same directory as the firmware .bin file, feed it the name of the firmware (not the full filename of the bin) and it will crack the zip in about 20 seconds.
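Why one known file inside the archive is enough: ZipCrypto, the legacy scheme pkcrack attacks, is a stream cipher whose key state is advanced by each plaintext byte, so with the plaintext known, ciphertext XOR plaintext hands over the keystream and every input to the key updates is known as well, which is what the Biham-Kocher attack in pkcrack uses to recover the three internal keys. The cipher is re-implemented below in Python as an added illustration (not the thread's script and not pkcrack's code); the password and the 12-byte header are constructed stand-ins.

```python
import zlib

MASK = 0xFFFFFFFF

def _crc32_step(crc, byte):
    # Raw table step tab[(crc ^ byte) & 0xff] ^ (crc >> 8); zlib pre/post-inverts, so undo it.
    return zlib.crc32(bytes([byte]), crc ^ MASK) ^ MASK

class ZipCrypto:
    # Traditional PKWARE encryption (APPNOTE.TXT 6.1): three 32-bit keys seeded from the password.
    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        self.stream = bytearray()            # keystream bytes actually used, kept for inspection
        for c in password:
            self._update(c)

    def _update(self, plain_byte):
        k0, k1, k2 = self.keys
        k0 = _crc32_step(k0, plain_byte)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & MASK
        k2 = _crc32_step(k2, k1 >> 24)
        self.keys = [k0, k1, k2]

    def _stream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF      # only 16 bits of key2 reach the output
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def process(self, data, decrypt=False):
        out = bytearray()
        for b in data:
            k = self._stream_byte()
            self.stream.append(k)
            p = b ^ k if decrypt else b      # the plaintext byte, in either direction
            out.append(p if decrypt else p ^ k)
            self._update(p)                  # key state advances on the PLAINTEXT byte
        return bytes(out)

HEADER = bytes(range(12))   # constructed stand-in for the 12-byte random encryption header

def encrypt_entry(password, plaintext):
    return ZipCrypto(password).process(HEADER + plaintext)

def recover_keystream(ciphertext, known_plaintext, offset):
    # Known-plaintext step: no password needed, keystream = ciphertext XOR plaintext.
    seg = ciphertext[offset:offset + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(seg, known_plaintext))
```

Only this legacy scheme is affected; entries encrypted with WinZip AES (7-Zip shows the method per entry) are out of pkcrack's reach.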

You'll then have a cracked .zip file in your current directory
Ta-daaaa!
You'll want to pay attention to the file compress .img; this likely uses squashfs, so you can install squashfs using Homebrew and then run unsquashfs on the .img.

formulae.brew.sh/formula/squash…
Now, browse the filesystem looking for goodness / badness.

Here we can see the backdoor user still actually exists in the latest firmware.

I'm sure you'll find some other interesting nuggets. Enjoy

Thread by Colin Hardy 💻