Adventures with Zyxel Routers


Multiple Zyxel devices are prone to critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is an unauthenticated buffer overflow in the custom "zhttpd" webserver. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution (RCE). Besides that, multiple other vulnerabilities including unauthenticated file disclosure, authenticated command injection and processing of symbolic links on storage media were found in the firmware. This talk will detail the steps we took to analyze the embedded device and how we reverse engineered the webserver. Furthermore, we will showcase our Metasploit module that is able to gain a root shell on 50+ devices without authentication.


Steffen Robertz

Steffen Robertz is a Security Consultant at SEC Consult who specializes in embedded systems. In his job, he focuses on retrieving and reverse engineering firmware in order to find vulnerabilities. Due to his background as an electrical engineering student, he also takes an interest in RF systems and hardware development. He has already published multiple security advisories via the SEC Consult Vulnerability Lab.

Gerhard Hechenberger

Gerhard Hechenberger is a Security Consultant at SEC Consult who specializes in embedded systems and OT security and works in the SEC Consult Hardware Laboratory in Vienna. His main job is the assessment of embedded systems, IoT/OT devices and OT networks to uncover vulnerabilities. He is a holder of several IT security certificates and has already published multiple security advisories and blog posts, often in collaboration with Steffen Robertz.