Zyxel sshd restricted shell escape

Screenshot: ZyXEL VMG1312-B10B

ZyXEL routers running the Dropbear SSH server (banner SSH-2.0-dropbear_0.46) are affected by a restricted shell escape. The sshd isolates users on an interactive console that only accepts a limited set of commands, but because the user input is insufficiently validated, an attacker can use command substitution to execute arbitrary commands with root privileges.

Successfully tested on ZyXEL models VMG1312-B10A and VMG1312-B10B with firmware versions V1.00(AAJZ.17)C0 and V1.00(AAVS.0)b21.

Screenshot: the restricted shell

As the screenshot shows, ordinary system commands are answered with the error "sshd:error:781.020:processInput:599:unrecognized command". The sshd binary is programmed to accept only the commands that mirror the router's web management logic, so anything outside that list is rejected by name.

Escaping using command substitution

By using command substitution we can escape the restriction: the console rejects unrecognised command names, but it does not validate the rest of the line, so a command wrapped in shell substitution syntax ($(...) or backticks) is expanded and executed by the shell behind the console. Because that sshd runs as root, the commands we previously did not have access to now execute with root privileges.
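To make the flaw concrete, here is an added example (not Zyxel's code, and not taken from the Dropbear source) of a minimal restricted-shell dispatcher of the kind a router console implements. The command names in the allowlist are hypothetical. The vulnerable pattern validates only the command word and then hands the whole line to a shell, which is exactly what lets "ping $(id)" through; the hardened pattern refuses shell metacharacters and splits the line into an argv so it can be started with execvp() without any shell involved.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical allowlist standing in for the console's recognised commands. */
static const char *ALLOWED[] = { "ping", "traceroute", "show", NULL };

/* Copy the first whitespace-delimited word of line and check it against ALLOWED. */
static int first_word_allowed(const char *line)
{
    char cmd[32];
    size_t n = 0;

    while (*line && isspace((unsigned char)*line))
        line++;
    while (line[n] && !isspace((unsigned char)line[n]) && n < sizeof cmd - 1) {
        cmd[n] = line[n];
        n++;
    }
    cmd[n] = '\0';
    for (const char **p = ALLOWED; *p; p++)
        if (strcmp(*p, cmd) == 0)
            return 1;
    return 0;
}

/* VULNERABLE pattern: only the command word is validated; the whole line is then
 * handed to system(), i.e. to /bin/sh -c. "ping $(id)" passes the check and the
 * shell expands $(id) before ping ever runs. In a root-owned sshd, so does id. */
int vulnerable_accepts(const char *line)
{
    if (!first_word_allowed(line))
        return 0;               /* "unrecognized command" */
    /* real code would now call system(line); only the decision is shown here */
    return 1;
}

/* HARDENED pattern: refuse shell metacharacters outright, then split the line
 * into an argv so the command can be started with execvp() and no shell is ever
 * involved. Returns the number of arguments parsed, 0 if the line is rejected. */
static int has_shell_meta(const char *line)
{
    return strpbrk(line, "`$|&;<>(){}\\\"'\n\r") != NULL;
}

int hardened_parse(const char *line, char *argv[], int maxargs, char *buf, size_t buflen)
{
    int argc = 0;

    if (!first_word_allowed(line) || has_shell_meta(line))
        return 0;
    if (strlen(line) >= buflen)
        return 0;
    strcpy(buf, line);
    for (char *tok = strtok(buf, " \t"); tok && argc < maxargs - 1; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Convenience wrapper: how many argv entries the hardened parser produces for line. */
int hardened_accepts(const char *line)
{
    char buf[256];
    char *argv[16];
    return hardened_parse(line, argv, 16, buf, sizeof buf);
}

int main(void)
{
    const char *lines[] = { "ping 192.168.1.1", "ping $(id)", "ping `id`", "id" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s vulnerable=%d hardened_argc=%d\n", lines[i],
               vulnerable_accepts(lines[i]), hardened_accepts(lines[i]));
    return 0;
}
```

The allowlist is the same in both versions; the difference is entirely in what happens to the rest of the line. Rejecting metacharacters and exec'ing an argv closes the substitution escape, but the console process still runs as root, so the complete fix also means dropping privileges before accepting user input.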

Screenshot: unrestricted reverse shell obtained after the escape

References

CWE-20: Improper Input Validation

Gabriel Romero
Red Team Analyst and Security Researcher, passionate about technology.