New dump available (1.00(AAJG.0)D24b)

[paulmenzel]

Zyxel uploaded a new archive for the vmg7947-b40a, which should be the code for version 1.00(AAJG.0)D24b – no idea how to verify that.

$ wget --content-disposition https://www.dropbox.com/s/jww3i4a1hozgob5/vmg7947-b40a-20210322T082021Z-001.zip?dl=1

It’d be great, if you could add that dump.

[matthiasbock]

Thanks for the info! I'll look into it...

[paulmenzel]

According to the timestamp, the archives were created half a year ago in September 2020.

$ ls -lh --full-time HomeBox6641_consumer*
-rw-rw---- 1 user group 460M 2020-09-23 13:02:29.000000000 +0200 HomeBox6641_consumer.tar.gz
-rw-rw---- 1 user group 507M 2020-09-23 19:03:52.000000000 +0200 HomeBox6641_consumer_release.tar.gz

But inside the archives, the files are from 2019.

[paulmenzel]

The dump seems to contain some newer versions though.

-userspace/stollmann/callmngr/v0_1_52_8/
+userspace/stollmann/callmngr/v0_1_52_24/

[paulmenzel]

The included userspace/gpl/apps/dnsmasq.tar.bz2 has not changed since the initial commit 51d6a4d (Unpacked Zyxel's official firmware source code package 2014-09-22_o2HomeBox6641_opensource_package_b14.rar).

$ md5sum userspace/gpl/apps/dnsmasq.tar.bz2
fdd31c40e921d8af0368c56e349c2119  userspace/gpl/apps/dnsmasq.tar.bz2

As I strongly assume, that the vulnerability DNSpooq was fixed in the D24 release, I have serious doubt that the provided source code dump is complete.

[paulmenzel]

Before I contact Zyxel again, it’d be great if you could confirm this.