Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: ZyXEL VMG 1312-B10A encrypted passwords in XML config file  (Read 214 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 5383
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
ZyXEL VMG 1312-B10A encrypted passwords in XML config file
« on: July 13, 2018, 01:07:04 AM »

In the XML config file my modem-router saves an admin password as a string that has the format _encrypted_04way6blah=. In the modem's web UI, I typed in an administrator password then saved an XML config file using the backup option. I then loaded that file into several modems. When I did a save config on one of the modems, probably not the same modem, then the  'encrypted' gubbins in various password elements in the XML is different from what was in the original file.

I wonder what is going on? Any clue about the format ?

It presumably is not important, because the modem did not fail to load up the config XML ‘because it was saved on the wrong device’. I have written a program to take one saved XML file and alter it, to make the correct modifications to allow it to be loaded up into modem n on one of my various lines.

This nuisance has come about because I have got the modems configured with different admin interface IP addresses. Even though it seems that they would all work at a basic level in as far as they would connect to the internet and act as modems, I want them to talk to my router correctly so I can administer them through the router and read stats off them, without having to unplug them and plug them directly into some other machine first. And the way I have things set up involves me configuring different IP addresses in each modem. My ISP has an alternative technique where each modem in a multi-line setup has the same IP address, a superior method that avoids the need for distinct configurations, you do not have any issue with getting modems mixed up and modem swapouts are quicker. For various reasons though I am not keen on that approach.

I am hoping that I have not missed something. My proposed technique for making config changes is doing so either on a modem using the modem web UI and saving the XML or editing an existing XML reference template one or the other. Anyway this single XML will be used as an input to my program from which multiple generated per-modem variants will be created and uploaded into the other modems. This avoids the need to make changes n times and keep the config files all saved separately.
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22839
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: ZyXEL VMG 1312-B10A encrypted passwords in XML config file
« Reply #1 on: July 13, 2018, 06:18:58 PM »

Login into the VMG1312-B10A device as "supervisor". Issue a "sh" command to the " > " prompt. (Note the changed prompt.) Look at the contents of the /etc/passwd file. The first & second fields on each line are the username & passwords, respectively. The password is encrypted with DES crypt (usage is strongly deprecated) where the first two characters (out of the total of thirteen) is the salt (taken from the base64 character set) and the remaining eleven characters is the encrypted password.

Exit from the Bourne shell back to the " > " prompt with a <Ctl>-D key press. Issue a "dumpcfg" command and capture the output. Search for, and examine, the <AdminPassword>_ZEncrypted_blah-blah</AdminPassword> line. That is the encrypted supervisor password. Search for, and examine, the two consecutive lines <UserName>admin</UserName> & <Password>_ZEncrypted_different-blah-blah</Password> lines. The latter is the encrypted admin password.

Now power-cycle that VMG1312-B10A device and look, once again, at the contents of the /etc/passwd file. Perform another "dumpcfg" command and capture the output. Find the three lines, as above.

The blah-blah and different-blah-blah sections of the two lines (i.e. that which follows the _ZEncrypted_ string) is the base64 representations of those two passwords.

The plain-text passwords are (clearly) unchanged. The salt is changed, hence the change in the second field of each line in the /etc/passwd file.

Finally -- and I do not have the time to find the relevant link -- TJ has posted about how ZyXEL manipulate such strings so that some are revealed and some are not, depending upon how they are viewed. Sorry, I know what I mean but I'm having a problem in expressing the information in words. Perhaps take a look through TJ's git repository for inspiration . . .
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22839
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: ZyXEL VMG 1312-B10A encrypted passwords in XML config file
« Reply #2 on: July 13, 2018, 06:25:02 PM »

Further hints --

echo 'blah-blah' | base64 -d -i | cat -vet

echo 'different-blah-blah' | base64 -d -i | cat -vet

Where blah-blah and different-blah-blah have been replaced with the relevant strings copied from the dumpcfg output.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 22839
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: ZyXEL VMG 1312-B10A encrypted passwords in XML config file
« Reply #3 on: July 14, 2018, 12:46:48 AM »

I've just found the link (for which I was searching in my "what not") and it is to another of TJ's projects. It should also be relevant for the ZyXEL VMG1312-B10A.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

johnson

  • Reg Member
  • ***
  • Posts: 337
Re: ZyXEL VMG 1312-B10A encrypted passwords in XML config file
« Reply #4 on: July 14, 2018, 01:26:45 AM »

Perhaps take a look through TJ's git repository for inspiration . . .

Sorry if this is a little OT, but thank you for that link burakkucat!

Have been scratching my head for a little while trying to find some programmatic way of changing settings on zyxel devices, on my 1312 & 8324 at least the current settings appear to be saved under the persistent /data directory in a file called "psi". This file appears compressed and has the header:

Code: [Select]
<compressed alg=lzw len=28241>..........<crc=0xa59abd0a>....

I'd got as far as finding the lzw_decode.c and cms_lzw.h files in the source package but was at a loss how to use them properly. TJ's repo has this gem:
https://iam.tj/gitweb/?p=firmware_extractor.git;a=summary

Which surely has what I need, even if I haven't quite managed to get it to work yet. Have tried replacing the stored config in a firmware file with a psi from a running router at the correct offset in the binary, but it seems the firmware stored one is at least slightly different:
Code: [Select]
<compressed alg=lzw len=17259>...............i.@v2..f.y.
omitting the crc part.

Will keep messing with it.
Logged
 

anything