How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )

Hello everyone. I want to discuss a vulnerability I found and exploited for good, so that script kiddies won’t attack your home or business network.

In Algeria the main ISP (Algerie Telecom) provides you with a router when you pay for an internet plan, so you can assume that most subscribers are using that router. The TP-Link TD-W8951ND is one of them; I did some IP scanning and found that every one of these routers is running ZyXEL’s ZynOS embedded firmware.

Analysis :

Let’s download a firmware update, take a look at it and try to find some vulnerabilities. ( )


The ras file is in LIF format!
Let’s run that file through Binwalk (check: for more information on how to install it).

This is what Binwalk told me about that file :

You can clearly see and confirm that the router is using ZynOS firmware. We can also see that there are two blocks of LZMA-compressed data, so let’s extract them and have a look.

The problem is that when I tried to decompress the two blocks I got an error: “Compressed data is corrupt”.

Hmm, first the “ras” file was in LIF format, and now the LZMA blocks are corrupt!
I googled this and tried to find a solution, and found nothing. How am I going to solve this?
One idea came to mind: the “strings” command. Here is what I got:


Aha! So the blocks aren’t usable LZMA streams at all. Binwalk’s LZMA signature matches are heuristic, so a decompression failure usually means a false positive or a non-standard header; either way, strings shows that the “ras” firmware file is one big chunk of data with its text readable in the clear.
OK, let’s try to find some useful strings...

After some time searching I didn’t find anything useful that would help us find vulnerabilities in the firmware.

I didn’t give up.
I just kept thinking and asking myself questions:

  • Me: What do you want from this firmware file?
  • Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
  • Me: Does the web interface let you save the current configuration?
  • Me: Yes!
  • Me: Is that page password protected?
  • Me: No! I tried to access that page from a different IP and it didn’t require a password!

OK, enough questions, haha.

Now, when I activated TamperData and clicked “ROMFILE SAVE”, I found out that the rom-0 file is served at http://IP/rom-0 and that neither the file nor the directory is password protected in any way.

So we are able to download the configuration file, which contains the “admin” password. I took a look at the rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s no shame to ask for help, so that’s what I did!
I contacted “Craig” from ; he is an expert when it comes to hacking embedded devices. He’s a great guy; he replied to my email and pointed me to , which is a free rom-0 file decompressor.


When you upload and submit the rom-0 file there, the PHP page replies with the configuration in clear text (including the password).

So what I need to do now is automate the process of:

  • Downloading the rom-0 file.
  • Uploading it to
  • Getting the reply back and extracting the admin password from it.
  • Looping this process over a range of IP addresses.

And that’s exactly what I did. I opened an old proof-of-concept Python script of mine that accessed routers via telnet using the default passwords, so all I needed to do was add some functionality to it.

Well, I thought about this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.
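The first and last steps of that process (fetch http://IP/rom-0 from each address in a range and record whether it came back without a login) are shown below as an added audit script. This is not the post’s own script and it does not decode rom-0 or upload anything anywhere; it only reports which hosts serve the configuration file unauthenticated, so a network owner can check their own range. The `fetch` parameter, the `SAMPLE_RESPONSES` table and the `10.0.0.0/29` range are assumptions made so the code runs offline against constructed responses.

```python
# Added example (not the original post's script): audit a network range for
# ZynOS routers that answer GET /rom-0 without authentication. It only checks
# reachability of the configuration file; it does not decode rom-0. The
# SAMPLE_RESPONSES below are constructed for an offline demo, and the
# 'fetch' parameter is an assumption that lets the same code run against
# canned responses or a real network.
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterator, Tuple

MAX_BYTES = 64 * 1024  # read cap: a decoy 1 GB "rom-0" cannot stall the audit
TIMEOUT = 5            # seconds per host

FetchResult = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)


def http_fetch(url: str) -> FetchResult:
    """Real fetch with urllib; reads at most MAX_BYTES of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": "rom0-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return resp.status, dict(resp.headers), resp.read(MAX_BYTES)
    except urllib.error.HTTPError as err:  # 401/403/404 still carry a status
        return err.code, dict(err.headers), b""


def classify(status: int, headers: Dict[str, str], body: bytes) -> str:
    """Verdict for one GET /rom-0 response.

    exposed   - 200 with a body: the config file is downloadable without login
    protected - 401/403 or a WWW-Authenticate challenge: login is enforced
    absent    - anything else (404, empty body): nothing served at /rom-0
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in lowered:
        return "protected"
    if status == 200 and body:
        return "exposed"
    return "absent"


def check_rom0(host: str, fetch: Callable[[str], FetchResult] = http_fetch) -> Dict[str, object]:
    """Probe one host and return a small result record."""
    url = f"http://{host}/rom-0"
    try:
        status, headers, body = fetch(url)
    except OSError as exc:  # URLError, timeouts and refused connections
        return {"host": host, "verdict": "unreachable", "error": str(exc)}
    return {"host": host, "verdict": classify(status, headers, body), "bytes": len(body)}


def scan(network: str, fetch: Callable[[str], FetchResult] = http_fetch) -> Iterator[Dict[str, object]]:
    """Probe every host address in a CIDR range, e.g. '192.168.1.0/24'."""
    for ip in ipaddress.ip_network(network, strict=False).hosts():
        yield check_rom0(str(ip), fetch)


# Constructed sample responses for an offline run (not captured from real routers).
SAMPLE_RESPONSES: Dict[str, FetchResult] = {
    "http://10.0.0.1/rom-0": (200, {"Content-Type": "application/octet-stream"}, b"\x00" * 16384),
    "http://10.0.0.2/rom-0": (401, {"WWW-Authenticate": 'Basic realm="router"'}, b""),
    "http://10.0.0.3/rom-0": (404, {"Content-Type": "text/html"}, b"<html>not found</html>"),
}


def sample_fetch(url: str) -> FetchResult:
    """Offline stand-in for http_fetch; unknown hosts behave like a timeout."""
    if url not in SAMPLE_RESPONSES:
        raise OSError("timed out")
    return SAMPLE_RESPONSES[url]


def demo() -> Dict[str, str]:
    """Scan the constructed 10.0.0.0/29 range and map host -> verdict."""
    return {str(r["host"]): str(r["verdict"]) for r in scan("10.0.0.0/29", sample_fetch)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan(target) if target else scan("10.0.0.0/29", sample_fetch)
    for rec in results:
        print(rec)
```

Run it with a CIDR argument to probe a range you own; without arguments it walks the constructed sample. The `MAX_BYTES` cap is the point a practitioner should notice: a scanner that stops reading after 64 KB is not slowed down by a huge decoy rom-0, which is why the decoy trick in the Prevention section only catches naive scripts.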

You can find the scripts here :

Demo :



Prevention :

Now, how do you prevent attackers from downloading your rom-0 configuration file and taking over your router? It’s pretty simple if you think about it.
You just have to forward port 80 on the router to an unused IP address on your network:

That’s all. Note that a NAT port-forward rule like this only applies to traffic arriving on the WAN side, so you can still reach the router’s web interface from the LAN. Or, if you want to play a little with attackers who are using scripts, forward port 80 to your local HTTP server and put a large file named rom-0 in its root directory, and let them download a 1 GB rom-0 file, haha. Keep in mind that a script which caps how many bytes it reads won’t be slowed down by the decoy, so treat it as a joke rather than a defence. I have also automated the port-forwarding process and I’m running the scripts daily to protect weak users from attackers.

In the next post I’ll demonstrate how a malicious hacker would exploit this to hack tons of networks and get a meterpreter/reverse shell on every PC on the target network.

Hope you enjoyed this analysis. If you have anything to add or any questions to ask, don’t hesitate to contact me! BE THEIR HERO, HAPPY HACKING ;)


The decoded.php script is now located at: . I have updated the script.


77 thoughts on “How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )

  1. geo target says:

    This is the perfect blog for anybody who would like to find out about this topic.
    You know so much it’s almost tough to argue with you (not that I actually will need to…HaHa).
    You definitely put a fresh spin on a subject which has been discussed for years.
    Great stuff, just excellent!

  2. […] could this happen? When I did some research, I found that there is a security vulnerability known as Zynos / ROM-0 that affects old-model TP-LINK modems in particular […]

  3. meani says:

    Hi! Your article is most enlightening. Had a doubt though: if I forward port 80 to an unused IP address in my network, would that also not stop me from accessing the web-based router admin page? i.e., along with essentially turning http://IP/rom-0 into a dummy, will it also not turn http://IP into the same? In that case how would I administer the router?
    I seem to be the unfortunate victim of Misfortune Cookie and so trying out different things to make my router safer, since there is no scope to upgrade the firmware.

  4. Ajvar says:

    Wow! Thanks! Maybe THAT’s the reason why my router is constantly being DNS-hacked!
    It’s a TP-Link TD-W8901G and I’m shocked that I had to create 20-symbol passwords which were so easy for anyone to read!

    Thanks for that!

  5. Mr.Bot says:

    OMG man I love you :D :D :D let’s play a game with my friend :D
