Per Rapid7's disclosure policy at http://www.rapid7.com/disclosure.jsp, we are disclosing a discovered vulnerability regarding SOHO routers from hardware manufacturer ZTE. We have had no response from the vendor to our queries for a suitable security contact and PGP key.
One unusual aspect of this vulnerability is that it does not appear to be unique in its discovery, given the URLs cited below. As always, our goal with this disclosure is to strengthen the security of the Internet as a whole.
If you know a good security contact at ZTE, please let us know at firstname.lastname@example.org so that we may get confirmation from the vendor the next time we have something security-related to discuss with their products.
Many ZTE F460/F660 cable modems, preferred by ChinaTelecom and other China-based ISPs, ship with an unauthenticated backdoor. The existence of this backdoor is apparently already known in some circles. For example, see the tutorial, here:
...which discusses how to remove web_shell_cmd.gch since it allows "any computer on the LAN can use this file to get the superuser password."
Several thousand of these devices are exposed to the Internet, according to a cursory search of the SHODAN Computer Search Engine:
Many of these devices also expose the web_shell_cmd.gch script, making it available to unauthenticated users from the WAN side of the cable modem. These cases appear to be a configuration error on the part of either the users or the users' ISPs.
Users can log in to the device and remove the script completely. This may impact functionality expected by the user, however, including the ability of the upstream ISP to perform routine maintenance on the device.
Exercising the backdoor to open a listening telnet service, and change the root user's password, is trivial, as shown below:
sendcmd 1 DB p TelnetCfg
sendcmd 1 DB set TelnetCfg 0 TS_UName root
sendcmd 1 DB set TelnetCfg 0 TS_UPwd password1
sendcmd 1 DB set TelnetCfg 0 TS_Port "23"
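For operators who cannot remove web_shell_cmd.gch (for example because the ISP relies on it), the following is an added detection example, not part of the original advisory or any Rapid7 tooling: it scans HTTP access-log lines for requests to the backdoor script, escalates hits that carry a TelnetCfg change like the commands above, and separately flags requests arriving from non-RFC 1918 (WAN-side) addresses, which the advisory attributes to exposure misconfiguration. The Common Log Format, the sample lines and the "cmd" query parameter are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Common Log Format. The log format and
# the "cmd" query parameter are assumptions for this example; the advisory does
# not describe how the modem records requests.
SAMPLE_LOG = """\
192.168.1.10 - - [23/Dec/2013:10:01:02 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 512
192.168.1.10 - - [23/Dec/2013:10:01:09 +0000] "GET /web_shell_cmd.gch?cmd=sendcmd+1+DB+set+TelnetCfg+0+TS_UPwd+password1 HTTP/1.1" 200 64
203.0.113.7 - - [23/Dec/2013:10:05:44 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 512
192.168.1.10 - - [23/Dec/2013:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BACKDOOR_SCRIPT = "web_shell_cmd.gch"


def is_lan_address(ip: str) -> bool:
    """True if the client address is RFC 1918, i.e. on the LAN side of the modem."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyze_access_log(text: str) -> list:
    """Return one finding per request for the backdoor script. Requests that carry
    a sendcmd TelnetCfg change are labelled as telnet-enable attempts, and any hit
    from a WAN-side address is marked as a likely exposure misconfiguration."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable CLF line
        src, ts, method, target, status = m.groups()
        decoded = unquote_plus(target)  # reveal the sendcmd arguments in the query
        if BACKDOOR_SCRIPT not in decoded.lower():
            continue
        wan = not is_lan_address(src)
        if "sendcmd" in decoded and "TelnetCfg" in decoded:
            reason = "telnet enable/credential change via backdoor"
        else:
            reason = "backdoor script requested"
        if wan:
            reason += " from WAN side (likely exposure misconfiguration)"
        findings.append({"src": src, "time": ts, "method": method, "wan": wan,
                         "status": int(status), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG):
        print(finding)
```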
A Metasploit module exercising the backdoor's functionality will be published as soon as a suitable test device is located for in-house testing, or when a Metasploit module is contributed from the open source security community.
Rapid7 would like to thank Offensive Security for their assistance with this vulnerability disclosure.
2013-12-23 (Mon): Vulnerability reported by Unknown
2013-12-23 (Mon): Vulnerability confirmed by Rapid7
2013-12-23 (Mon): Disclosure contact sought at email@example.com
2013-01-07 (Tue): Disclosed to CERT/CC
2013-03-03 (Mon): Public Disclosure