Disclosure: R7-2013-18, ZTE F460 and ZTE F660 web_shell_cmd.gch Backdoor

Blog Post created by todb Employee on Mar 3, 2014

Per Rapid7's disclosure policy at, we are disclosing a discovered vulnerability regarding SOHO routers from hardware manufacturer ZTE. We have had no response from the vendor to our queries for a suitable security contact and PGP key.


One unusual aspect of this vulnerability is that it does not appear to be unique in its discovery, given the URLs cited below. As always, our goal with this disclosure is to strengthen the security of the Internet as a whole.


If you know a good security contact at ZTE, please let us know at so that we may get confirmation from the vendor the next time we have something security-related to discuss with their products.




Many ZTE F460/F660 cable modems, preferred by ChinaTelecom and other China-based ISPs, ship with an unauthenticated backdoor. The existence of this backdoor is apparently already known in some circles. For example, see the tutorial, here:

...which discusses how to remove web_shell_cmd.gch, since it allows "any computer on the LAN can use this file to get the superuser password."


Several thousand of these devices are exposed to the Internet, according to a cursory search of the SHODAN Computer Search Engine:

(screenshot of SHODAN search results, 01-12-2013)


Many of these devices also expose the web_shell_cmd.gch script, making it available to unauthenticated users from the WAN side of the cable modem. These cases appear to be a configuration error on the part of either the users or the users' ISPs.




Users can log in to the device and remove the script completely. This may impact functionality expected by the user, however, including the ability of the upstream ISP to perform routine maintenance on the device.




Exercising the backdoor to open a listening telnet service and change the root user's password is trivial, as shown below:


sendcmd 1 DB p TelnetCfg
sendcmd 1 DB set TelnetCfg 0 TS_UName root
sendcmd 1 DB set TelnetCfg 0 TS_UPwd password1
sendcmd 1 DB set TelnetCfg 0 TS_Port "23"


A Metasploit module exercising the backdoor's functionality will be published as soon as a suitable test device is located for in-house testing, or when a Metasploit module is contributed from the open source security community.




Rapid7 would like to thank Offensive Security for their assistance with this vulnerability disclosure.


Disclosure Timeline


2013-12-23 (Mon): Vulnerability reported by Unknown
2013-12-23 (Mon): Vulnerability confirmed by Rapid7
2013-12-23 (Mon): Disclosure contact sought at
2013-01-07 (Tue): Disclosed to CERT/CC
2013-03-03 (Mon): Public Disclosure