Analysis of a preauth command injection
This article explains the process of identifying and exploiting a known flaw on Zyxel USG devices, taking into consideration the following CVE:
- CVE-2021-35029 – Authentication bypass & remote code execution, spotted in the wild in July 2021.
An authentication bypass vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device. – CVE Mitre.
Currently, there is no published exploit available for this vulnerability, so we decided to delay publishing this blog post.
Furthermore, this blog post aims to show how to find such a vulnerability in two different ways:
- With the standard approach, by diffing the patched and unpatched firmware versions.
- With Joern, a static program analysis tool that is valuable for vulnerability discovery and research.