For Zyxel routers such as the VMG8924 and owners who want access to the unencrypted supervisor password without having to use cracking tools.
This modified executable of
/bin/zycfgfilter allows the unencrypted passwords of the supervisor, admin, and other users to be exported via the regular administration web interface (Maintenance > Configuration > Backup Configuration).
The entries in the
configuration-backupsettings.conf file will only be Base64 encoded and will look similar to this:
<AdminPassword>_ZEncrypted_MzBlZWM4Y2YA</AdminPassword> <UserName>admin</UserName> <Password>_ZEncrypted_MTIzNAA=</Password>
To decode them strip the leading "_ZEncrypted_":
# supervisor (a.k.a. root - UID = 0) for device serial # 31005832 echo MzBlZWM4Y2YA | base64 -d 30eec8cf # 'admin' default echo MTIzNAA= | base64 -d 1234
The only difference in the modified
zycfgfilter is that all the strings within the executable that refer to the XML nodes that store passwords had the Upper Case "P" of "Password" converted to a lower case "p". This means the filter fails to match the entries fed to it from
dumpmdm and so only does base64 encoding of the passwords.
The reason this works is
zycfgfilter is called by the httpd service to filter out sensitive entries that the
dumpmdm tool (available in the router's CLI) outputs.
The original file is at
That cannot be over-written because it is in a read-only file system. But the shell PATH variable has other directories listed before
/bin/ where the modified file can be put, meaning it'll be executed instead of the system file. In this case the directory (which doesn't exist by default) to use is "
The original trick I discovered back in 2014 to execute shell commands from the terminal CLI:
> cat& bash
has been closed off in recent firmware upgrades, so there's another way to execute commands. It's a bit more convoluted and less than ideal but it's enough to do emergency hacking. This new method is to create a sub-shell with $(...) to execute a single command. E.g:
> echo $(uname -a) Linux (none) 2.6.30 #3 SMP PREEMPT Thu May 25 18:09:29 CST 2017 mips GNU/Linux
To install on a Zyxel router (e.g. VMG8924) do, from a PC:
# set router IP RIP=10.254.1.254 # Either: ssh admin@$RIP # Or: telnet $RIP # login: admin > echo $(mkdir /home/bin) > echo $(wget http://iam.tj/projects/zyxel/zycfgfilter -O /home/bin/zycfgfilter) Connecting to iam.tj (18.104.22.168:80) zycfgfilter 0% | | 0 --:--:-- ETAEOMTime:1501717911.174968 2017-08-02T23:51:51.174968 zycfgfilter 100% |*************************************************| 66604 --:--:-- ETA 200 OK, File Get Success > echo $(ls -l /home/bin) -rwxr-xr-x 1 supervis root 66604 Aug 2 23:17 zycfgfilter
Now use the web interface to backup the configuration file to the PC and it will contain the passwords with the base64 encoding.
If you don't trust my modifications - although they are only conversions of "P" to "p" in several occurances of "Password" - then do it yourself by copying and modifying the file.
The SHA of the modified file is:
shasum zycfgfilter 9aa2a0b54c258b7d67a075db9ddc9f77f110c064 zycfgfilter
This is in the
SHASUMS file. I've signed that file using GNU Privacy Guard (gpg) and the detached signature is
SHASUMS.gpg. Both these files are in the same directory as
My public key ID is and the fingerprint is:
2C9A BEB5 03E2 285A 6A5B 8A91 EFEC 37A4 29CD 6080
To add my public key to your keyring using its fingerprint:
gpg --keyserver keyserver.ubuntu.com --recv 0x2C9ABEB503E2285A6A5B8A91EFEC37A429CD6080
Once you've imported my public key to your keyring verify the SHASUMS file hasn't been tampered with:
gpg2 --verify SHASUMS.gpg SHASUMS gpg: Signature made Thu 03 Aug 2017 01:11:19 BST using RSA key ID 9ACC1423 gpg: Good signature from "TJ <email@example.com>" [ultimate] ....
and then check the file(s) you've downloaded matches:
shasum -c SHASUMS zycfgfilter: OK README.html: OK README.md: OK
Any comments please direct to the forum thread at:
This document created using:
pandoc --toc -s -t html5 -o README.html README.md