Or, how I found multiple vulnerabilities on a lazy Sunday afternoon

Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2, I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch, which runs on a 32-bit MIPS CPU. Initially I wanted to write about poking around the firmware image and showing how one can use Ghidra to explore unknown binaries, but whilst looking around some libraries that are used by this switch I realised there is actually an interesting vulnerability to write about. All in all this has turned out to be an interesting exploration of both Ghidra and the GS.40(AAHH.2)C0.bix firmware image.

“Unprivileged” users have full administrative privileges through SSH, which also allows for obtaining encrypted credentials, which can then be trivially decrypted. Secondly, there are two undocumented and password protected interfaces. One is a password recovery menu only reachable via serial console and the other is a diagnostic menu which is available via SSH.