Telnet backdoor

Backdoor
You can open a telnet backdoor by pressing the reset button for about 6 seconds (until you hear the second beep). This backdoor will close after about 2 minutes without activity.
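Because the telnet backdoor is supposed to close itself after about 2 minutes of inactivity, it is worth verifying that it actually did once you disconnect, so the box is not left with an unauthenticated-by-design service listening. The following is an added example (not ZyXEL's code and not from the original page): a small Python checker that probes the telnet port and waits for it to stop accepting connections. NAS_HOST is a placeholder for your own box's address, and it is assumed the backdoor listens on the standard telnet port 23.

```python
"""Check whether the NAS's telnet service is reachable, and wait for it to close.

Added example for this page; not ZyXEL code. Assumes the NAS is reachable at
NAS_HOST (placeholder) and that the backdoor listens on TCP port 23 (standard telnet).
"""
import socket
import time

NAS_HOST = "192.0.2.10"   # placeholder: address of your own NAS (TEST-NET-1, not a real device)
TELNET_PORT = 23


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted within `timeout` seconds.

    A refused or timed-out connection counts as closed. No data is sent,
    so this never logs in or touches the shell on the box.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_until_closed(host, port, max_wait=180, interval=10,
                      probe=port_open, clock=time.monotonic, sleep=time.sleep):
    """Poll host:port every `interval` seconds until it stops accepting connections.

    Returns the number of seconds elapsed when the port was first seen closed,
    or None if it was still open after `max_wait` seconds (meaning the backdoor
    did not time out as expected and you should close it yourself).
    The probe/clock/sleep parameters are injectable so the loop can be exercised offline.
    """
    start = clock()
    while clock() - start < max_wait:
        if not probe(host, port):
            return clock() - start
        sleep(interval)
    return None


if __name__ == "__main__":
    # Run this after you have disconnected from the telnet session.
    if not port_open(NAS_HOST, TELNET_PORT):
        print(f"telnet on {NAS_HOST} is already closed")
    else:
        elapsed = wait_until_closed(NAS_HOST, TELNET_PORT)
        if elapsed is None:
            print(f"WARNING: telnet on {NAS_HOST} still open after 180 s; close it manually")
        else:
            print(f"telnet on {NAS_HOST} closed after about {elapsed:.0f} s")
```

The poll interval is deliberately long: on some telnet daemons an incoming TCP connection may itself count as activity and reset the inactivity timer, so probing every few seconds could keep the backdoor open. If the checker reports the port still open after the expected window, reboot the box or close the session from the shell rather than assuming it will time out.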

On newer firmwares (>3.23?) this backdoor is closed, but there is now a web interface backdoor: log in on the user interface as admin, then enter the URL: http:///zyxel/cgi-bin/remote_help-cgi?type=backdoor This returns a blank page; there is no further confirmation.

There is one usable login account, username NsaRescueAngel, which has root rights. The password can be found by running /sbin/makekey, which outputs a hash derived from the box's MAC address.

This is a Catch-22. On older firmwares (< 3.0?) there is a second login, username admin, password root, which has limited rights but can be used to determine the NsaRescueAngel password. On newer firmwares the default shell for this user is none.

To find the password on a newer firmware, there are several options:

 * Make a file named "mykey.php" containing:

<?php echo shell_exec('/sbin/makekey'); exit; ?>

   Copy it to the NSA and open it through a web share (not File Explorer); your NsaRescueAngel password is returned.

 * Use an FFP stick, and run /sbin/makekey
 * Run makekey on another NSA-2xx, providing the right MAC address (all caps, separated by colons): /sbin/makekey AA:BB:CC:DD:EE:FF
 * Download makekey and run it on your favorite ARM Linux box, providing the right MAC address (and hope that it runs).

Update NSA310 Firmware 4.22
The backdoor is opened by calling the script /usr/local/btn/open_backdoor.sh. The troubles with finding the key or using the NsaRescueAngel account are over: you can now log in with telnet as root using the same password you use for admin. (It would have been better to allow login as "admin" only and then su to root.)

For the NSA-310 you can also use the web interface backdoor: http:///zyxel/cgi-bin/remote_help-cgi?type=sshd_tdc

Root Access: NSA310 Firmware V4.70(AFK.1)
 * Open up the telnet backdoor.

This is done by logging into the normal web administration GUI and then opening this URL: http:///r41773,/adv,/cgi-bin/remote_help-cgi?type=backdoor

The r41773 part is a number that changes with the firmware revision, but it is the same as the part of the URL you normally get when opening the administration GUI.

 * Telnet in to find the root password

telnet 

The user is admin and the password is the same as the one you use for the web administration GUI. This user does not have full root rights, but it can be used to generate the NsaRescueAngel (root) password. Run: /sbin/makekey

This will give you a short password, e.g.

FaEWaQO3

 * Disconnect telnet

 * Telnet again and log in as root

telnet 

This time use user NsaRescueAngel and the short password you got from step 2 above, e.g. FaEWaQO3

Now you should have full root and own the box.

Update NSA-320/NSA-325 Firmware 4.40
The SSH web interface backdoor does not seem to work (it returns result=0). The telnet web interface backdoor can be used with this URL: http:///zyxel/cgi-bin/remote_help-cgi?type=backdoor

You can log in as root using the admin password.

Note: If you changed the admin password, telnet login might not work. Follow these steps to fix this problem:
 * Change the admin password back to the default using the web interface.
 * Log in using telnet as root with the default admin password.
 * Change the password through telnet using "passwd root".
 * Afterwards, you can change the admin password in the web interface back to what you prefer.

Update NSA-300 series Firmware 4.60
The /zyxel/ part is replaced by /r38657,/adv,/, so the complete URL is http:///r38657,/adv,/cgi-bin/remote_help-cgi?type=backdoor The number is different for each box and each firmware version; I think it's a revision number from SVN, or something like that. To find out what it is for your box, have a look at the URLs generated when you enter the web interface.

Medion boxes
On Medion boxes the /zyxel/ part of the URL is obfuscated:
 * Firmware 1.00: http:///r32694,/adv,/cgi-bin/remote_help-cgi?type=backdoor
 * Firmware 1.01(UZD.0): http:///r34814,/adv,/cgi-bin/remote_help-cgi?type=backdoor
 * Firmware 1.01(UZD.2): http:///r36258,/adv,/cgi-bin/remote_help-cgi?type=backdoor

You can log in as root, using the admin web password.