neligr eithan quantez

0 views

Skip to first unread message

Boyan Atanaschev

unread,

Aug 2, 2024, 11:41:15 PM8/2/24

to unlimeno

The Zyxel AC750 Dual-Band Wireless Range Extender (WRE6505) can be used as Wifi repeater or Wifi Access Point. We run it behind our internet modem as AP and I noticed it had the telnet port open. There was no option in the web interface to disable to telnet access so I decided to take a look.

Access via telnet is possible using the root username as well as the admin username. Both passwords are the same and in many cases they are the default '1234' password as set by the vendor.

The WRE6505 is running a embedded Linux distribution from MediaTek Ralink with a mini_httpd webserver and server processes that can discovered with the busybox enabled ps command. Part of the Ralink software image is also found on as source code on github ralink_sdk. The Acme mini_httpd is version 1.19 dating from 19 Dec 2003! The busybox software used to embedded device with limited storage is from 2008. At least the version info tells me so. This multi-call binary runs BusyBox v1.12.1 from 2008 but dates to "2015-10-23 16:51:27 CST". Not sure what to think of this one since the busybox is opensource and can be re-compiled by anyone using the needed features.

The web admin password is stored in plain text in the file /etc/pwd. With a bit of luck I am sure someone can lift it off the mini_httpd via path traversal or similar technique. The mini_httpd claims to be from year 2003 even though the Zyxel firmware is from late 2015. A newer version for Acme mini_httpd is available already on the web.

Tweaking via telnet of the /etc/fmtable file is possible. For example this makes it too easy for a banking trojan to alter the DNS entry. The software is provided already on the Wifi extender. All the malware needs to perform is alter the lookup table..

Note that the DNS server is actually the DNS of the ADSL modem or ISP but the request response is coming from the dnshijacking process that monitors traffic on port 53 (DNS protocol). In the dns lookup made with dig for a site in the UK where "thebank" is in the name gives the ip address from the lookup table. It is actually not a real bank but taken as example. :)

The dnshijacking process takes a far too wide parsing of the dns entry. It looks like it takes action to alter the DNS request if first characters of the host in the DNS request contain the name from an entry in the /etc/fmtable regardless of the rest of the domainname. The function to parse in the DNS request the "zyxelsetup" hostname and replace it with the default 192.168.1.2 is mis-usable for other purposes too. thebank --> resolves into --> 58.11.30.200
thebank.com --> resolves into --> 58.11.30.200
thebank.otherdomain.com --> 58.11.30.200It is also possible to place more entries into the /etc/fmtable file so one could redirect other traffic via Wifi extender to new ipaddresses of your choice. This is called: dnshijacking. DNS hijacking process in action.Normally in DNS hijacking the DNS itself is compromised but in this case the DNS is still running fine but the DNS hostname-to-ip resolve requests are altered on the wifi extender. It is in fact pure DNS traffic hijacking that is performed by the Zyxel Wifi extender.

By placing certain hostname combinations into the /etc/fmtable it is possible to stop Windows Updates and Zyxel Firmware updates completely for the devices connected via the Wifi Range Extender. And/or the requests can be redirected to another site.

First thinking to contact the vendor Zyxel about the missing menu item to enable/disable the telnet service on the device turned out to have a far greater list of issue to inform about once I started looking into the device:

Missing telnet enable/disable option in the webinterface.
Admin and root password are the same.
Admin and root password are stored in plain-text.
Outdated software for Busybox and mini_httpd.
Password for admin (and root) is also stored with unsecure Unix crypt format.
There is a configurable process called dnshijacker running that allows any arbitrary DNS request to be mapped into a new address.
Preventing the WRE6505 device to receive new firmware updates by altering the /etc/fmtable.

Resolution The list of security related issues I presented to Zyxel support was enough for Zyxel to take action. They are going to release a firmware update for this product on 16.04.2017 and it should be downloadable from this FTP location and also via the Web interface of the device the firmware can be updated.

Zyxel has published version 4 of the firmware. In the release notes also a version 3 exists and is dated 2016-04-20 but it never appeared for download. The latest firmware is available for download now: V1.00(AAQB.4)C0.bin. The release notes only mention that telnet is disabled which leaves the dnschanger process still vulnerable for alternate use cases...??