OpenWrt Forum Archive

Topic: PK5001Z root back door

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Can I talk about it, post it?

AFAICT, why not.

The su password is, remove the spaces:
z y a d 5 0 0 1

Interested in working with someone on this. I can't print hello in C, but have 20 amazon books on the subject. Also found the source code plus toolchain and playing around with compiling it. Readme said to use Fedora 11. No source code for any of the be_modules files where I found it hiding in plain text. But I presume these are optional.

Btw, what is the timeout for writing a message, fourth time, smaller every time.

(Last edited by occupymyday on 20 Jan 2016, 16:54)

Ordinarily, I don't mind participating in this discussion. However, I don't have this hardware. So, I just can't do much with the discussion. Sorry about this.

The password doesn't seem to work for telnet or ssh, just su and ftp. Iptables has a BACKDOOR rule. Rolled new firmware with lots of mistakes, like not setting permissions on busybox correctly, still booted, couldn't su. Assuming I didn't know the admin password, would clobbering shadow via ftp work or I just can't make a salted shadow to replace it?

(Last edited by occupymyday on 24 Jan 2016, 17:02)

According to the system log, some curious stranger was able to login after 10 tries via telnet, maybe they broke the default salted passwords. Contrary to the web gui settings, telnet seems to run at boot.

If you come across one of these and the label with the password is missing, press and hold the reset button for 30 seconds and the web gui credentials will be reset to root root, and the configuration file is cleaner than with the short reset.

Good work on the su password. I was working on a different approach: after looking for web vulnerabilities in the ping utility, I was starting to dissect the firmware upgrade and looking for a way in.

Your way was much easier!

The reason that you can't use that account to ssh is that the ssh agent does a lookup by appending _404A03SSH to the user name when you try to login.  Ftp name mangles it as well and so does Tel.

You can verify this by creating a new user called test like this:

# adduser -h /root -s /bin/sh -H test_404A03SSH

and then try to login via ssh with ssh test@192.168.0.1

your password will work.
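As an added illustration (not code from the thread or from the device firmware), this models the per-service user-name lookup described above and turns it into a small audit helper: su resolves the typed name as-is, while ssh, ftp and telnet resolve the name with the suffix appended, so the same password works for su but not for a remote login unless a suffixed account exists. The passwd excerpt is constructed; the suffix and the services it applies to are taken from the post, everything else (uids, function names) is assumed.

```python
"""Model of the per-service user-name mangling, plus an audit of suffixed accounts."""

SUFFIX = "_404A03SSH"                 # suffix from the post
MANGLED_SERVICES = {"ssh", "ftp", "telnet"}   # services said to mangle the name

# Constructed /etc/passwd excerpt (illustration only): stock root plus the
# test account the post creates with adduser -h /root -s /bin/sh -H.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
test_404A03SSH:x:1000:1000::/root:/bin/sh
"""


def parse_passwd(text):
    """Return {name: (uid, shell)} for every well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _, uid, _, _, _, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts


def lookup_name(service, username):
    """Name the service actually looks up for the user name that was typed."""
    return username + SUFFIX if service in MANGLED_SERVICES else username


def resolve(service, username, accounts):
    """Account record the service would authenticate against, or None."""
    return accounts.get(lookup_name(service, username))


def remote_accounts(accounts):
    """Accounts reachable through the mangling services, keyed by the typed name.

    When auditing an extracted firmware root fs, every suffixed passwd entry is
    an account that can be reached over ssh/ftp/telnet with its plain password.
    """
    return {name[: -len(SUFFIX)]: rec
            for name, rec in accounts.items() if name.endswith(SUFFIX)}


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    for service, user in [("su", "root"), ("ssh", "root"), ("ssh", "test")]:
        print(service, user, "->", lookup_name(service, user), resolve(service, user, accts))
    print("remote-login accounts:", remote_accounts(accts))
```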

Hey there. Sorry to revive an old thread, do you guys have an explanation on how to sign in, like what username, etc? I've tried admin, root, admin_404A03SSH, root_404A03SSH, and the password OP said doesn't work. I'm using PuTTY, and I've tried both Telnet and SSH. Thanks.

Any movement on this? @occupymyday, you feel like posting that link to the buildtree? I'm thinking this might be worth a little bit of fun!

Sorry for waking up an ancient thread.

But. We just got a new PK5001Z (to replace an EQ-660R, ancient!), and I'd like to poke around with it a bit. I have decent knowledge of C, good knowledge of Linux workings, and some hardware hacking knowledge. Is there any particular reason that OpenWrt isn't available for the PK5001Z yet? AFAIK, that is the standard router given out by CenturyLink nowadays, and it'd be awesome to have OpenWrt for it.

Also, the root password is still z y a d 5 0 0 1, and the user and admin passwords are both CenturyL.

In response to recent IoT botnet attacks (https://www.trendmicro.com/vinfo/us/sec … e-wildfire), it appears that CenturyLink/ZyXEL has rolled a new firmware out remotely (compiled December 4th) without asking anyone or updating their website. It seems they changed all the passwords (root and to the super-secret support console at http://192.168.0.1/supportconsole_login.cgi), and now the file that sets all the passwords (/lib/be_modules/libberemotemgmt6.so) no longer has the passwords in plaintext. New libberemotemgmt6.so file is at https://my.mixtape.moe/oftykr.so if anyone wants to try reverse-engineering it to see how it sets the passwords; too lazy to get a MIPS toolchain running to disassemble it.

The old web interface hack to get root still works: log in and go to http://192.168.0.1/pingtrace.cgi?pingSi … %20root%60

Sorry, this post is a mess.

EDIT: An old post about this router/modem combo got deleted for some reason; it was at https://forum.openwrt.org/viewtopic.php?id=43210. I'm guessing this was unintentional (lost in transition to new forum software maybe), but could a moderator or administrator please look up this post? I would like to see what was in it again.

(Last edited by Hitechcomputergeek on 7 Jan 2018, 00:01)

The discussion might have continued from here.