## Or, how I found multiple vulnerabilities on a lazy Sunday afternoon

Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2, I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch, which runs on a 32-bit MIPS CPU. Initially I wanted to write about poking around the firmware image and showing how one can use Ghidra to explore unknown binaries, but whilst looking around some libraries that are used by this switch I realised there is actually an interesting vulnerability to write about. All in all this has turned out to be an interesting exploration of both Ghidra and the GS.40(AAHH.2)C0.bix firmware image.

"Unprivileged" users have full administrative privileges through SSH, which also allows for obtaining encrypted credentials, which can then be trivially decrypted. Secondly, there are two undocumented and password protected interfaces. One is a password recovery menu only reachable via serial console and the other is a diagnostic menu which is available via SSH. The passwords for these hidden menus are hardcoded in the firmware.

The firmware image I used was downloaded from the Zyxel support site, or you can grab it from their FTP site. Binwalk had a hard time figuring out what was in the bix file; however, it did get a number of binaries extracted that were of enough interest to pursue further exploration of this image.

A quick search revealed the gs1900fw project, which was used to extract the firmware:

```
% python gs1900fw.py -w GS.40\(AAHH.2\)C0.bix -e
Checking file magic: Expected 0x83800000, found 0x83800000
Writing to: GS.40(AAHH.2)C0.bix-part-0.gz
Decompressing to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_org.bin
Writing kernel to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_org.bin-kernel
Writing initramfs to: GS.40(AAHH.2)C0.bix-part-0-vmlinux_
```

Next I extracted the initramfs.gz on Linux with GNU cpio, as it required the `--no-absolute-filenames` flag:

```
$ gunzip GS.40\(AAHH.2\)C0.bix-part-0-vmlinux_
$ cpio -vid --no-absolute-filenames < GS.40\(AAHH.2\)C0.bix-part-0-vmlinux_org.bin-initramfs
```

This resulted in a few files which appear to be Busybox related, nothing that would indicate this being a switch firmware yet, except for an sqfs.img file:

```
$ binwalk sqfs.img
0x0 Squashfs filesystem, big endian, lzma signature, version 3.1, size: 4219154 bytes, 549 inodes, blocksize: 131072 bytes, created: 03:49:3
```

This contained the real binaries used by the device:

```
$ ls -lh bin
```
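As an added example (not code from the original post, nor from the gs1900fw or binwalk projects), the following Python script performs the identification step that binwalk did on sqfs.img: it scans a blob for the squashfs magic, derives the byte order from which of the two magic spellings it finds, and reads the inode count and version from the superblock. The field offsets (inode count at 4, major/minor version at 28 and 30) are those of the squashfs 2.x/3.x and 4.0 superblock layouts as I understand them; the sample blob is constructed inline and mirrors the big-endian 3.1, 549-inode values binwalk printed for this image.

```python
import struct

# The squashfs magic is the 32-bit value 0x73717368. Stored little-endian it
# reads "hsqs" on disk, stored big-endian it reads "sqsh" (as on this MIPS switch).
SQUASHFS_MAGIC_LE = b"hsqs"
SQUASHFS_MAGIC_BE = b"sqsh"

# Superblock field offsets shared by the 2.x/3.x and 4.0 layouts (assumed here).
OFF_INODES = 4
OFF_VERSION = 28
MIN_SUPERBLOCK = 32


def parse_superblock(data, offset=0):
    """Parse the leading fields of a squashfs superblock at `offset`.

    Returns a dict with offset, endianness, inode count and version, or None
    if there is no magic at that position or the header is truncated.
    """
    magic = data[offset:offset + 4]
    if magic == SQUASHFS_MAGIC_LE:
        endian = "<"
    elif magic == SQUASHFS_MAGIC_BE:
        endian = ">"
    else:
        return None
    if len(data) < offset + MIN_SUPERBLOCK:
        return None  # magic present but the header runs off the end of the blob
    inodes = struct.unpack_from(endian + "I", data, offset + OFF_INODES)[0]
    major, minor = struct.unpack_from(endian + "HH", data, offset + OFF_VERSION)
    return {
        "offset": offset,
        "endian": "big" if endian == ">" else "little",
        "inodes": inodes,
        "version": f"{major}.{minor}",
    }


def find_squashfs(data):
    """Scan a blob for embedded squashfs superblocks, like a binwalk signature pass."""
    hits = []
    for magic in (SQUASHFS_MAGIC_LE, SQUASHFS_MAGIC_BE):
        pos = data.find(magic)
        while pos != -1:
            sb = parse_superblock(data, pos)
            if sb is not None:
                hits.append(sb)
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_superblock(big_endian=True, inodes=549, major=3, minor=1):
    """Constructed test data: a minimal superblock carrying the page's values."""
    endian = ">" if big_endian else "<"
    magic = SQUASHFS_MAGIC_BE if big_endian else SQUASHFS_MAGIC_LE
    header = magic + struct.pack(endian + "I", inodes)
    header += b"\0" * 20  # bytes 8..27: table offset fields, not needed here
    header += struct.pack(endian + "HH", major, minor)
    return header + b"\0" * 32  # pad out the remainder of the header


if __name__ == "__main__":
    # Constructed blob: 64 bytes of filler, then the sample superblock.
    blob = b"\xff" * 64 + build_sample_superblock() + b"\0" * 16
    for hit in find_squashfs(blob):
        print(f"0x{hit['offset']:X} Squashfs filesystem, {hit['endian']} endian, "
              f"version {hit['version']}, {hit['inodes']} inodes")
```

To use it on a real image, call `find_squashfs(open(path, "rb").read())`. Spotting the filesystem is only the first step: images using vendor LZMA variants are frequently refused by the stock unsquashfs, which is what tools such as sasquatch exist for.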