
1/16/2014

Hunting for Zyxel rom-0 file decrypter

I stumbled upon this link today: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/
It describes a vulnerability in TP-Link routers (which use Zyxel firmware): anyone can reach the configuration backup page without any authentication and download the configuration file (named "rom-0"). Moreover, the configuration file, somehow, contains the username and password in clear text.

However, the website the author mentions as being able to decrypt the "rom-0" data is on an external server that doesn't even have a domain name. To be honest, I don't really trust websites like that.

I started looking for a way to decrypt the "rom-0" file, searching for some keywords he mentioned in the write-up, like "lzs", "zynos", "devttys0.com", ...

I found many links pointing to http://everlost.nl/kender/zyxel/source.zip, which should contain the source code for decrypting the rom-0 file. Unfortunately, it was down, and I couldn't even confirm that everlost.nl still exists.

On further investigation, I found that the website had been owned by a person named Kender Arg; I then found his related work on hacking Zyxel gateways at http://www.gnucitizen.org/static/blog/2008/04/hacking_zyxel_gateways_part_2.pdf

and his article about decrypting the rom-0 file (the one I wanted) is mirrored at this website:
http://www.hakim.ws/huawei/rom-0/kender.html

It describes how he worked out the structure of the "rom-0" file and how he decrypts it. The article also links to the source code for decrypting the file, but it points to everlost.nl again, which no longer exists.

Since the existing implementation is unavailable, the other option is to go back to the source of the encryption algorithm, as described in this paper: http://masters.donntu.edu.ua/2003/fvti/boykov/library/lzs.pdf.

Luckily, I found another LZS decrypter implementation online, so I didn't have to read the paper and implement it myself. It's a project called "Zyxel-revert", hosted at http://git.kopf-tisch.de/?p=zyxel-revert;a=summary

All I needed to do was grab the latest snapshot, compile it, and run it.

Here is the result:
At the end of the decompression process it crashed, but the output is still readable and enough for me.


That's what I needed.

P.S.
I also found that the owner of the hakim.ws page has written a program to automate this, with a GUI and source code, called "Huawei-rom-0.exe" (http://www.hakim.ws/huawei/rom-0/).
It works with the sample inside the zip file, but it doesn't work for the rom-0 file I have.

One of my search results links to a file named "ZyXEL-Firmware.exe" (http://linkz.ge/file/342474/ZyXEL-Firmware.exe.html) which does the same things (decrypts the .lzs file and finds strings in spt.dat). I tried it with my rom-0 and it crashed. I guess it uses the same engine as the previous program.

One last thing: this is not a new vulnerability. According to http://www.hakim.ws/huawei/rom-0/kender.html, Kender published it back in 2008.
I also found that the website/tool http://www.routerpwn.com, published in 2011 (according to http://www.hakim.ws/2011/07/routerpwn-un-framework-de-exploitacion-de-routers/), already includes this vulnerability.

Update 2013-01-20:
Sleepya has analyzed the result and found the specific location of the router password inside the decompressed file. It starts at offset 0x14 (20 in decimal). Therefore, we can use tools like dd, hexdump, or tail to skip the first 20 bytes and take the password, which is the first string terminated by \0.
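As an added example (not code from this post, from Kender's article, or from zyxel-revert), here is a small Python decoder for the LZS bit format (ANSI X3.241, the scheme RFC 1974 documents for PPP) that those tools implement in C, followed by the offset-0x14 lookup described in the update. It assumes the input is already the raw LZS stream; where that stream starts inside the rom-0 container is not covered here, and the sample stream below is constructed by hand, not taken from a real rom-0.

```python
# Added example; assumes the input is a raw LZS stream (ANSI X3.241 / RFC 1974 bit format).
class _Bits:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def read(self, n: int) -> int:             # MSB-first; IndexError if stream is truncated
        v = 0
        for _ in range(n):
            v = (v << 1) | (self.data[self.pos >> 3] >> (7 - (self.pos & 7)) & 1)
            self.pos += 1
        return v

def lzs_decompress(stream: bytes) -> bytes:
    """Literal: 0 + 8 bits. Back-ref: 1, offset (1 + 7 bits or 0 + 11 bits), length code
    (00=2, 01=3, 10=4, 1100=5, 1101=6, 1110=7, 1111 + nibbles = 8 and up). 110000000 = end."""
    bits, out = _Bits(stream), bytearray()
    while True:
        if bits.read(1) == 0:                  # literal byte
            out.append(bits.read(8))
            continue
        offset = bits.read(7) if bits.read(1) else bits.read(11)
        if offset == 0:                        # end marker (the spec uses the 7-bit form)
            return bytes(out)
        code = bits.read(2)
        if code < 3:
            length = code + 2
        elif (code := bits.read(2)) < 3:
            length = code + 5
        else:
            length = 8
            while (nib := bits.read(4)) == 15:
                length += 15
            length += nib
        if offset > len(out):
            raise ValueError("back-reference points before start of output")
        for _ in range(length):                # byte-wise copy so overlapping refs work
            out.append(out[-offset])

def first_cstring(decompressed: bytes, offset: int = 0x14) -> str:
    """Skip 0x14 bytes (per the update) and return the first NUL-terminated string."""
    end = decompressed.find(b"\0", offset)
    return decompressed[offset:None if end < 0 else end].decode("latin-1")

# Constructed sample, not a real rom-0: 20-byte header "HDR!"*5, then "secret\0", then
# back-references using the 11-bit offset form and an overlapping copy.
_BITS = ("001001000" "001000100" "001010010" "000100001"   # literals H D R !
         "1" "1" "0000100" "1111" "1000"                    # copy 16 bytes, offset 4
         "001110011" "001100101" "001100011" "001110010"   # literals s e c r
         "001100101" "001110100" "000000000"               # literals e t NUL
         "1" "0" "00000000100" "00"                         # copy 2, offset 4 (11-bit form)
         "1" "1" "0000010" "1100" "1" "1" "0000000")        # copy 5, offset 2; end marker
_N = (len(_BITS) + 7) // 8
SAMPLE_STREAM = int(_BITS.ljust(_N * 8, "0"), 2).to_bytes(_N, "big")
```

Running `first_cstring(lzs_decompress(SAMPLE_STREAM))` on the constructed stream yields "secret", the same result the dd/tail pipeline from the update would give on the decompressed output.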

11 comments:

  1. same for me.
    extract rom-0 with online tool now out of service

  2. It worked!!!!

    URL "everlost.nl/kender/zyxel/source.zip"
    not downloading
    help me

  4. I can't run the makefile. It says [event.o] Error 1

  5. it says
    Index was out of range. Must be non-negative and less than the size of the collection.
    Parameter name: index

  6. I have a copy of that source file previously on everlost.nl if you want.
