How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )

Hello everyone, I just wanted to discuss a vulnerability I found and exploited for GOODNESS .. just so that SCRIPT KIDDIES won’t attack your home/business network.

Well, in Algeria the main ISP ( Algerie Telecom ) provides you with a router when you pay for an internet plan, so you can conclude that every subscriber is using that router. The TD-W8951ND is one of them; I did some IP scanning and found that every one of these routers is running ZyXEL’s embedded firmware.

Analysis :

Let’s download a firmware update, take a look at it and try to find some vulnerabilities. ( http://www.tp-link.com/Resources/software/TD-W8951ND_V3.0_110729_FI.rar )

[Screenshot]

The ras file is in LIF format !! …
Hmmm, let’s run that file through Binwalk for God’s sake ! ( check http://code.google.com/p/binwalk/wiki/Installation for more information on how to install it ).

This is what Binwalk told me about that file :
[Screenshot]

You can clearly see and confirm that the router is using ZynOS firmware. We can also see that there are two blocks of LZMA compressed data … let’s extract them and have a look.
[Screenshot]

The problem is that when I tried to decompress the two blocks I got an error : ” Compressed data is corrupt “
[Screenshot]

Hmm, first the “ras” file was in LIF format .. and now the LZMA compressed blocks are corrupted !!
I googled this and tried to find a solution, FOUND NOTHING. How am I going to solve this ??
One idea came to mind .. the “strings” command, and here is what I got :

[Screenshot]

Aaaah ! So the blocks aren’t compressed with LZMA or anything else ! The whole “ras” firmware file is just a big chunk of data in clear text.
Ok, let’s try and find some useful STRINGS …

After some time searching, “I” didn’t find anything useful that would help us find vulnerabilities in the firmware !!

I didn’t give up …
I just kept thinking and questioning myself :

  • Me: What do you want from this firmware file !
  • Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
  • Me: Does the web interface let you save the current configuration ?

[Screenshot]

  • Me: yes !!
  • Me: Is the page password protected ?

[Screenshot]

  • Me: No !!! I tried to access that page from a different IP and it didn’t require a password !

Ok, enough questions haha ..

Now, when I activated TamperData and clicked “ROMFILE SAVE”, I found out that the rom-0 file is located at “IP/rom-0” and that the directory isn’t password protected or anything.

So we are able to download the configuration file, which contains the “admin” password. I took a look at the rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s not a shame to ask for help .. and that’s what I did !
I contacted “Craig” from devttys0.com, he is an expert when it comes to hacking embedded devices. He’s a great guy; he replied to my email and pointed me to http://50.57.229.26/zynos.php, which is a free rom-0 file decompressor.

[Screenshot]

When you upload and submit the rom-0 file there, the php page replies back with the configuration in clear text ( INCLUDING THE PASSWORD ) .

So what I need to do now is automate the process of :

  • Download the rom-0 file.
  • Upload it to http://50.57.229.26/zynos.php
  • Get the reply back and extract the admin password from it.
  • Loop this process over a range of IP addresses.

And that’s exactly what I did. I opened an OLD OLD PoC Python script of mine that accessed routers via telnet using the default passwords, so all I needed to do was add some functionality to it.

Well, I thought about this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.

You can find the scripts here : https://github.com/MrNasro/zynos-attacker/

Demo :

[Screenshot]

PS : I OWN ALL THE IP RANGE I WAS SCANNING ” FOR SURE 😉 “

Prevention :

Now ! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router ? This is pretty simple if you think about it ..
You just have to forward port 80 on the router to an unused IP address on your network :
[Screenshot]

THAT’S ALL, or if you want to play a little with attackers that are using scripts too .. just forward port 80 to your local HTTP server, put a LARGE file in the root directory and name it rom-0 .. just let them download a 1GB rom-0 file haha haha .. I have also automated the port-forwarding process and I’m running the scripts daily just to prevent hackers from attacking weak users …
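If port 80 is forwarded to a local HTTP server that hands out a decoy rom-0, that server’s access log becomes a record of who is probing for the config file. The following is an added example (not the post’s own code or the zynos-attacker scripts): it parses combined-format access-log lines and groups requests for /rom-0 (and the tc2wanfun.js path a commenter mentions) by source address; the log lines and client IPs are constructed, and the watched-path list is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample access-log lines (combined format) from the decoy HTTP server;
# the client addresses are documentation IPs, not real attackers.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2014:10:12:01 +0100] "GET /rom-0 HTTP/1.1" 200 16384 "-" "Python-urllib/2.7"
198.51.100.9 - - [11/Jan/2014:10:12:05 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2014:10:14:33 +0100] "GET /rom-0 HTTP/1.1" 200 16384 "-" "Python-urllib/2.7"
192.0.2.44 - - [11/Jan/2014:11:02:10 +0100] "GET /rom-0?x=1 HTTP/1.0" 200 16384 "-" "curl/7.35.0"
203.0.113.7 - - [11/Jan/2014:11:05:00 +0100] "GET /basic/tc2wanfun.js HTTP/1.1" 404 0 "-" "Python-urllib/2.7"
"""

# Paths only a ZynOS config-grab probe would ask for on this decoy host (assumption).
WATCHED_PATHS = {"/rom-0", "/basic/tc2wanfun.js"}

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

@dataclass
class Probe:
    ip: str
    first_seen: str
    last_seen: str = ""
    hits: int = 0
    paths: set = field(default_factory=set)

def parse_line(line):
    # Fields of one log line as a dict, or None when the line is not combined format
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_rom0_probes(log_text):
    # Group requests for watched paths by source address, most active source first
    probes = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop any query string before matching
        if path not in WATCHED_PATHS:
            continue
        p = probes.setdefault(rec["ip"], Probe(ip=rec["ip"], first_seen=rec["ts"]))
        p.hits += 1
        p.last_seen = rec["ts"]
        p.paths.add(path)
    return sorted(probes.values(), key=lambda p: p.hits, reverse=True)
```

Feed the decoy server’s access log text to `detect_rom0_probes` to get one entry per probing source with its hit count and first/last timestamps; note that, as the author says in the comments, the port-forward trick only hides rom-0 from the WAN side, so LAN-side requests never reach this log.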

In the next post I’ll demonstrate how a malicious hacker would exploit this to hack TONS of networks and get a meterpreter/reverse shell on every PC on the target network ..

Hope you enjoyed this analysis, if you have anything to add or any questions to ask don’t hesitate to contact me ! BE THEIR HERO, HAPPY HACKING 😉

UPDATE:

The decoded.php script is now located at : http://198.61.167.113/zynos/decoded.php , and I have updated the code.py script.

113 thoughts on “How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )”

  1. karim says:

    God bless you, brother. I swear your place isn’t in Algeria, you need to get out of here.

  2. mOEZ says:

    Great, my friend… SO PROUD OF YOU !

  3. taliboo says:

    It is really a great article and well explained. I will give it a try on the router which I am using right now at ” INELEC ” XD ,, THX, keep it up (y)

  4. _m4tux says:

    Good work bro 🙂
    You should use Twitter, so we can read your news !

  5. […] hacker Abdelli Nassereddine has discovered serious vulnerability in the TP-LINK TD-W8951ND routers provided by the largest Algerian ISP […]

  6. Winston Avalon says:

    In actual fact, you do not even need to decrypt the password. Just work on a similar model, save your own password into the file and overwrite it by uploading your rom-0. Yes, the upload function is not protected either. ^_^

    • Nasro says:

      Well, I tried this, but you’ll then lose the target as it’ll reboot and be assigned a new IP address .. 🙂

      • bEcArE says:

        No no 🙂 you can
        1- add a new user and password and try to find him again with hydra
        OR
        2- dyndns
        OR
        3- port forward a unique port and scan the network for him

  7. barloul says:

    Salem, Nasro my brother, may God protect you and bless you, but I couldn’t do the step that consists of changing the virtual server; I can’t find the corresponding page on my router. Please guide me, and keep up the good work.

  8. barloul says:

    Re-salem, in the end I managed to do it; I just went poking around on the NAT side, then got to the virtual server and followed your example. Thank you very much, but I have a few questions: is your method, as they say, “bulletproof”, or should I start looking right now for a good modem-router instead of this crappy TP-Link? By the way, which router brand would you recommend with a good price/quality ratio? Thanks in advance.

    • Nasro says:

      Thanks for your comment :), well .. the prevention method I posted, “port forwarding”, is guaranteed and they’ll not be able to extract your rom-0 config file, but only from outside the network. So if somebody is already inside your LAN and browses to “192.168.0.1/rom-0” he will still be able to download it.

      If we’re talking about a business network, the best option is to implement a more secure one like “CISCO” ..

  9. Anonymous says:

    Was pwning this way since 2011

  10. […] going to recap from the last post. So what I’m about to demonstrate in this video is what impact once the router is attacked […]

  11. […] Nassereddine, penetration tester and Algerian Computer Science Student has reported highly critical unauthorized access and password disclosure vulnerabilities in the Routers provided […]

  12. Kekkonen says:

    When I try your script it says “Success” but not the password

  13. jonpaulh says:

    The URL http://50.57.229.26/zynos.php no longer seems to be working. Do you have an alternative or a copy of http://50.57.229.26/decode.php?

  14. Admirer says:

    50.57.229.26/ is inaccessible.
    Why? Are there any other alternatives?

  15. […] IT security blog) informs – there is massive attack on polish Wi-Fi Routers, which exploit this security […]

  16. Admirer says:

    Do you have a script? Maybe one that can run on localhost… THANKS

    • QNA says:

      Yeah, thanks for your articles. 50.57.229.26 may be blocked by my ISP.

      I found many links pointing to a website at http://everlost.nl/kender/zyxel/source.zip, which should contain the source code showing how to decrypt the rom-0 file. Unfortunately, it was down and I can’t even find that everlost.nl exists.

      Nasro, please write a script or a tool (C#..) to decode rom-0. You can send it to my email. Thank you, I really appreciate it.

      -Educational purposes only- HAPPY HACKING

  18. […] IT security outfit Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware created by ZyXEL Communications that’s apparently also used in some router […]

  19. […] security outfit Niebezpiecznik.pl, the attackers probably exploited a flaw in the router firmware ZyNOS router firmware created by ZyXEL Communications and used in many router models from other […]

  20. kzelda says:

    New GitHub repo for decompressing rom-0
    https://github.com/kzelda/ZynOSDecode

  21. qwe says:

    A little more on the rom-0 decode: http://pastie.org/7300059

  22. mahmoud says:

    Hey guys, I have been trying to access https://50.57.229.26/zynos since 30/1/2014
    but it’s not working.
    Can anyone help me with this trouble?

  23. jonpaulh says:

    Anyone else who cannot access https://50.57.229.26/zynos.php: it seems there is a lack of decoders around and this one is offline. However, looking at the cached version of the page links us to the Twitter page for @routerpwn; their most recent tweet is to these scripts
    https://github.com/alguien-gh/scripts/tree/master/exploits/rom0x
    The scripts include a C file that allows for decompression of LZS files. The script expects a single IP and therefore will need to be modified for a range. A mix of this and Nasro’s scripts should do it.

  24. kzelda says:

    The hacker SADAM213 started his baby script !
    He changed the password of the victim router; he set the password: sadam213xx

  25. Abed says:

    Could anyone give the source code of zynos.php?

  27. kzelda says:

    another access to provider password :: http://192.168.1.1/basic/tc2wanfun.js

  28. Tan says:

    @kzelda: Can you upload zynos decoder and give me the link?

  29. […] On 11 January Nassereddine carried out an analysis of the router’s firmware and discovered that, without any authentication, one can get to the subpage […]

  30. lamers says:

    go home drunk

  32. Nasro, no offense but this is a really (really) old vulnerability. Just take a look at Adrian Pastor’s report from 2008 (6 years ago).

    I’ve come in contact with these babies a long time ago, living in a place where there are many security cameras.

  33. Antish says:

    I have the decoder offline; those who need it, drop me an email.

  34. shang says:

    Does the “Router Pass View” program open rom-0 files? Then you wouldn’t need those zynos site alternatives. Let me know here if that program opens rom-0 files. For example, it does decode TP-LINK DES encrypted .bin (or .cfg) switch/router/AP files.

  35. […] months, several exploits have been published showing how to use them to compromise routers made by Zyxel and TP-Link. Interestingly, such attacks often must be launched from another device already […]

  36. […] vulnerability in ZyXEL’s ZynOS was discovered by researcher back in January which allows attacker to directly download the routers configuration […]

  40. jmv2009 says:

    This looks like generic trendchip firmware (Billion, Tplink, Sitecom, Michelangelo, Edimax, Trust, Airline, Topcom, etc). Could be all vulnerable.

  41. […] the administration password has not been changed) to the most recent one (the ROM-0 attack), by way of the classic Cross-Site Request Forgery technique […]

  42. Bashar Subh says:

    Hey guys, http://50.57.229.26/zynos has changed to http://198.61.167.113/zynos
    and if you want to know how that works, see this video from YouTube

    best regards ..

  44. […] many have discussed this. How it can happen can be seen here; essentially it is because the modem’s rom-0 file can be accessed by other parties, without a password. On the rootatnasro blog […]

  45. kifcaliph says:

    Thanks for your effort.
    I’d like to ask you how to forward port 80 on the router to an unused IP address, as I don’t have this setting on my website

    • Nasro says:

      Hi,
      If you want to forward port 80 then you have to log in to the router dashboard at an IP address like http://192.168.1.1/ using the browser, then enter the username and password; if you haven’t changed them yet they should both be “admin”. From there click on “Advanced Setup” -> “NAT” -> select the “Virtual Circuit” you are using; if you don’t know which one, navigate to “Status” and you should find it there (example: PVC2). Now go back to “NAT”, select the PVC, two options should be available now, click on “Virtual Server” and fill in this information under some “Rule index” :

      Application : anything
      Protocol : ALL
      Start Port Number : 80
      End Port Number : 80
      Local IP Address : unused IP address, for example 192.168.1.254

      And you’re done ! 🙂

      • delunk says:

        Now just use port 8080 instead 🙂

      • dAdA says:

        Doesn’t work like that in mine. I did as you advised, but if I type – my current IP address/rom-0 – the file is still downloadable. My router is constantly attacked. The only thing that slows down attackers is to change the gateway IP (along with the subnet one). But eventually the program they run will get my IP (up until now the only thing it does is reset the router using the 192.168.1.1 IP and set a random password). When this happens I just have to download the rom-0 file, unpack it and get the new password.

    • bEcAr3 says:

      @Nasro, why do you need to port-forward when you have an ACL in Access Management?
      And I think when you forward port 80 the management port will be 8080, so forwarding will not fix anything.
