Security researcher ReSolver announced the discovery of hardcoded credentials (CVE-2022-40602) in ZyXEL LTE3301-M209 LTE indoor routers.
In previous research, the expert discovered a Telnet backdoor in the D-Link DWR-921 that is also present in the ZyXEL LTE3301-M209.
The researcher analyzed the commander ELF, focusing on the amit* functions that contained the backdoor in the D-Link routers.
Unlike in the D-Link analysis, the researcher had no physical access to the device and instead attempted to retrieve the password from the configuration file.
“The firmware is basically a merge of 3 sections, the LZMA section is the kernel, at 0x148CD6 the root-fs and at 0x90BD36 the www content,” wrote the expert. “Inside the last Squashfs there is a [censored] file which contains at 0x10 the Zlib magic bytes.”
Once he had unpacked the file, ReSolver noticed the following sequence:
Although he did not find Telnet credentials, he discovered something that looks like a backdoor in the web UI.
“Same as before, unpack the config.dat: it is going to contain the telnet login password,” states the expert. “Let’s put things together: On ZyXEL LTE3301 we have two ways to own the device:
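The firmware layout the researcher describes (an LZMA kernel, SquashFS sections for the root-fs and the www content, and a file in the last SquashFS whose zlib stream starts at offset 0x10) is the kind of thing a defender auditing a device image wants to check mechanically: locate the sections, inflate the embedded file, and flag any configuration fields that look like stored passwords. The script below is an added example written for this article, not the researcher's tooling or ZyXEL code. It builds a constructed sample file with a hypothetical 16-byte header in front of a zlib stream, and a constructed firmware-like image with the section magics at made-up offsets; the section offsets the article quotes (0x148CD6, 0x90BD36) are specific to the real image and are not reproduced here.

```python
import re
import struct
import zlib

ZLIB_HEADER_OFFSET = 0x10  # the offset of the zlib magic named in the article

# Constructed sample configuration; nothing here comes from a real device.
SAMPLE_CONFIG = (
    b"<config>\n"
    b"  <admin_user>admin</admin_user>\n"
    b"  <telnet_password>PLACEHOLDER-NOT-REAL</telnet_password>\n"
    b"  <wifi_ssid>home</wifi_ssid>\n"
    b"</config>\n"
)


def build_sample_blob(plaintext: bytes = SAMPLE_CONFIG) -> bytes:
    """Constructed file: a hypothetical 16-byte header followed by a zlib stream at 0x10."""
    header = b"CFG\x00" + struct.pack("<III", 1, len(plaintext), 0)  # 4 + 12 = 16 bytes
    assert len(header) == ZLIB_HEADER_OFFSET
    return header + zlib.compress(plaintext)


def looks_like_zlib(two: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate) and CMF*256+FLG is a multiple of 31."""
    if len(two) < 2:
        return False
    cmf, flg = two[0], two[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate_at(blob: bytes, offset: int = ZLIB_HEADER_OFFSET) -> bytes:
    """Inflate the zlib stream starting at `offset`; bytes after the stream end are ignored."""
    if not looks_like_zlib(blob[offset:offset + 2]):
        raise ValueError(f"no zlib header at 0x{offset:X}")
    return zlib.decompressobj().decompress(blob[offset:])


# Magic bytes for the section types the article names. The LZMA entry is the
# common "properties 0x5d + 8 MiB dictionary" header, so it is a heuristic.
SECTION_MAGICS = {
    b"\x5d\x00\x00\x80\x00": "LZMA (props 0x5d, 8 MiB dictionary)",
    b"hsqs": "SquashFS little-endian",
    b"sqsh": "SquashFS big-endian",
}


def find_sections(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every known section magic, sorted by offset."""
    hits = []
    for magic, name in SECTION_MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


# Field names that suggest a stored secret; values are reported only by length.
CREDENTIAL_KEY = re.compile(rb"<([a-z_]*(?:pass(?:word|wd)?|pw|secret)[a-z_]*)>([^<]*)<", re.I)


def find_credential_fields(plaintext: bytes) -> list[tuple[str, str]]:
    """Flag config fields whose names look like passwords, redacting the value to its length."""
    return [(k.decode(), f"<{len(v)} bytes>") for k, v in CREDENTIAL_KEY.findall(plaintext)]


def build_sample_image() -> bytes:
    """Constructed firmware-like image: LZMA, then two SquashFS sections, at made-up offsets."""
    return (b"\x00" * 0x20 + b"\x5d\x00\x00\x80\x00" + b"KERNEL" * 4
            + b"\x00" * 0x10 + b"hsqs" + b"ROOTFS" * 4
            + b"\x00" * 0x10 + b"hsqs" + b"WWW" * 4)


if __name__ == "__main__":
    for off, name in find_sections(build_sample_image()):
        print(f"0x{off:X}: {name}")
    cfg = inflate_at(build_sample_blob())
    print(cfg.decode())
    print(find_credential_fields(cfg))
```

Run against a real image, the section scan will produce false positives (any stray `hsqs` in data), so each hit should be confirmed by parsing the SquashFS superblock before unpacking; the credential scan is deliberately conservative and only reports field names and value lengths, which is enough to know that a plaintext password is embedded without copying it into logs.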
Owners of impacted devices should upgrade to the latest firmware release as soon as possible.
Below is the timeline for this issue:
The expert and the Zyxel PSIRT decided not to disclose the credentials, to prevent mass exploitation in the wild.