Zyxel sshd restricted shell escape
ZyXEL routers running the SSH-2.0-dropbear_0.46 are affected by restricted shell escape which isolate users on an interactive console with limited commands due to an insufficient validation of the user input by using substitution commands the attacker can execute commands with root privileges.
Successfully tested on ZyXEL models VMG1312-B10A and VMG1312-B10B with firmware versions V1.00(AAJZ.17)C0 and V1.00(AAVS.0)b21.
As we can see how the system commands return an error : “sshd:error:781.020:processInput:599:unrecognized command”, which suggests that the command is not recognized, this is because the sshd binary is programmed to execute commands that obey the router’s web management logic.
By using substitution commands we can escape the restriction measures and execute commands that we previously did not have access to, with root privileges.