Telnet backdoor

From NAS-Central Zyxel Wiki

Backdoor

You can open a telnet backdoor by holding the reset button for about 6 seconds (until you hear the second beep); this naturally requires physical access to the box. The backdoor closes again after about 2 minutes without activity.

On newer firmwares (>3.23?) this backdoor is closed, but there is a web interface backdoor instead: log in to the web interface as admin, then open this URL:

http://<ip-of-nas>/zyxel/cgi-bin/remote_help-cgi?type=backdoor

There is one usable login account, NsaRescueAngel, which has root rights. Its password is produced by running /sbin/makekey on the box, which outputs a hash derived from the box's MAC address.

This is a Catch-22: you need a shell on the box to run makekey, and you need the makekey output to get a shell. On older firmwares (< 3.0?) there is a second login, username admin with password root, which has limited rights but is enough to run makekey and so determine the NsaRescueAngel password. On newer firmwares the login shell of that user is set to none, so it cannot be used for this.

To find the password on a newer firmware, there are several options:

  • Make a file named "mykey.php" containing:
<?php
  // Runs makekey under the NAS web server and prints its output,
  // which is the NsaRescueAngel password
  echo shell_exec('/sbin/makekey');
  exit;
?>

Copy it to the NSA and open it through a web share, so that the NAS web server executes it (not through File Explorer, which would only show you the file): the NsaRescueAngel password is returned.

  • Use an FFP stick and run /sbin/makekey.
  • Run makekey on another NSA-2xx, passing the right MAC address (all caps, separated by colons): /sbin/makekey AA:BB:CC:DD:EE:FF
  • Download makekey and run it on your favorite ARM Linux box, providing the right MAC address (and hope that it runs).
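The MAC format in the options above (upper case, colon separated) is easy to get wrong when the address is copied from a label or from another tool, so here is a small POSIX shell helper. It is an added example, not code from the original page or from Zyxel: it normalizes a MAC written in any common notation into the form makekey expects and then invokes /sbin/makekey with it, or without an argument on the box itself. It assumes makekey takes the MAC as its single argument, as the list above describes; the MAKEKEY override and the eth0 interface name are assumptions of the example.

```sh
# Added example (not from the NAS-Central page or Zyxel): derive the
# NsaRescueAngel password for a box by feeding its MAC address to makekey.

# normalize_mac: accept AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
# or bare aabbccddeeff and print AA:BB:CC:DD:EE:FF, the form makekey wants.
# Returns 1 and prints nothing if the input is not a 48-bit MAC.
normalize_mac() {
    hex=$(printf '%s' "$1" | sed 's/[-:.]//g' | tr 'abcdef' 'ABCDEF')
    [ "${#hex}" -eq 12 ] || return 1
    case "$hex" in *[!0-9A-F]*) return 1 ;; esac
    printf '%s' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# rescue_key: run makekey for the given MAC (another box) or, with no
# argument, for this box. MAKEKEY (assumed name) can point at a downloaded
# makekey binary when running on some other ARM Linux machine.
rescue_key() {
    makekey=${MAKEKEY:-/sbin/makekey}
    if [ $# -eq 0 ]; then
        "$makekey"
        return
    fi
    mac=$(normalize_mac "$1") || { echo "bad MAC address: $1" >&2; return 1; }
    "$makekey" "$mac"
}

# Usage examples (the eth0 interface name is an assumption):
#   rescue_key "$(cat /sys/class/net/eth0/address)"   # MAC read from a box
#   rescue_key aa-bb-cc-dd-ee-ff                        # MAC copied from a label
```

The validation step matters because makekey will happily hash whatever string it is given; a lower-case or dash-separated MAC yields a key that looks plausible but does not match the box.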

Update NSA310 Firmware 4.22

The backdoor is opened by calling the script /usr/local/btn/open_backdoor.sh. The trouble of finding the key or using the NsaRescueAngel account is over: you can now log in via telnet as root with the same password you use for admin. (Better would have been to allow login as "admin" only and then su to root.)

For the NSA-310 you can also use the SSH variant of the web interface backdoor:

http://<ip-of-nas>/zyxel/cgi-bin/remote_help-cgi?type=sshd_tdc

Update NSA-320/NSA-325 Firmware 4.40

The SSH web interface backdoor (type=sshd_tdc) does not seem to work (it returns result=0). The telnet web interface backdoor can be used with this URL:

http://<ip-of-nas>/zyxel/cgi-bin/remote_help-cgi?type=backdoor

You can log in as root with the admin password.

Note: If you changed the admin password, the telnet login might not work.
Follow these steps to fix this:

  • Change the admin password back to the default using the web interface.
  • Log in via telnet as root with the default admin password.
  • Change the root password through telnet using "passwd root".
  • Afterwards, change the admin password on the web interface back to what you prefer.

Update NSA-300 series Firmware 4.60

The /zyxel/ part is replaced by /r38657,/adv,/, so the complete URL is

http://<ip-of-nas>/r38657,/adv,/cgi-bin/remote_help-cgi?type=backdoor

The number is different for each box and each firmware version. I think it's a revision number from SVN, or something like that. To find out what it is for your box, look at the URLs the web interface generates when you log in.
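The "look at the URLs" step can be automated. The POSIX shell helper below is an added example, not code from the original page or from Zyxel's firmware: it extracts the /rNNNNN,/adv,/ prefix from any web interface page (falling back to the plain /zyxel/ form used in the earlier sections), builds the remote_help-cgi URL for either backdoor type, and treats the result=0 answer mentioned above as a failed call. It assumes you already hold an authenticated admin session and pass its cookie to curl; the cookie name and the login flow are not covered by this page, so that part is an assumption of the example.

```sh
# Added example (not from the NAS-Central page or Zyxel): find the obfuscated
# UI prefix and call the remote_help-cgi backdoor with an existing admin session.

# find_ui_prefix: given the HTML of any web-interface page as a string, print
# the first "/rNNNNN,/adv,/" prefix it references, or "/zyxel/" when the
# firmware uses the un-obfuscated path.
find_ui_prefix() {
    p=$(printf '%s' "$1" | grep -o '/r[0-9][0-9]*,/adv,/' | head -n 1)
    printf '%s' "${p:-/zyxel/}"
}

# backdoor_url: $1 NAS IP, $2 prefix from find_ui_prefix, $3 "backdoor"
# (telnet) or "sshd_tdc" (ssh). Anything else is refused so a typo cannot
# end up calling some other CGI.
backdoor_url() {
    case "$3" in
        backdoor|sshd_tdc) ;;
        *) echo "unknown backdoor type: $3" >&2; return 1 ;;
    esac
    printf 'http://%s%scgi-bin/remote_help-cgi?type=%s' "$1" "$2" "$3"
}

# call_failed: the page reports that a non-working sshd_tdc call answers
# "result=0"; treat that as failure (whitespace-insensitive).
call_failed() {
    printf '%s' "$1" | tr -d ' ' | grep -q 'result=0'
}

# open_backdoor: $1 NAS IP, $2 cookie string of a logged-in admin session
# ("name=value", obtained from your browser; an assumption of this example),
# $3 backdoor type (default: telnet "backdoor").
open_backdoor() {
    ip=$1; cookie=$2; kind=${3:-backdoor}
    html=$(curl -s -b "$cookie" "http://$ip/") || return 1
    url=$(backdoor_url "$ip" "$(find_ui_prefix "$html")" "$kind") || return 1
    echo "calling $url" >&2
    body=$(curl -s -b "$cookie" "$url") || return 1
    if call_failed "$body"; then
        echo "NAS answered result=0; backdoor '$kind' was not opened" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# Usage: open_backdoor 192.168.1.10 'sessionid=...' backdoor && telnet 192.168.1.10
```

Because the prefix is read from the live interface rather than from a fixed table, the same helper works for the 4.60 boxes, the Medion variants listed below and the older /zyxel/ firmwares.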

Medion boxes

On Medion boxes the /zyxel/ part of the URL is obfuscated in the same way.
Firmware 1.00:

http://<ip-of-nas>/r32694,/adv,/cgi-bin/remote_help-cgi?type=backdoor

Firmware 1.01(UZD.0):

http://<ip-of-nas>/r34814,/adv,/cgi-bin/remote_help-cgi?type=backdoor

Firmware 1.01(UZD.2):

http://<ip-of-nas>/r36258,/adv,/cgi-bin/remote_help-cgi?type=backdoor

You can log in as root, using the admin web password.