Backdoors in Zhone GPON 2520 and Alcatel Lucent I240Q

Posted on January 08, 2015 by Roberto Salgado

While examining the "dropbear" SSH server binary shipped on these routers, we found that both devices contain backdoor accounts that allow anyone who can reach the SSH service to log in with maximum privileges.

The research was conducted by obtaining a copy of the "dropbear" binary from these devices and analyzing it as follows:

1. Run the following PoC to disable the firewall, obtain the FTP credentials and access the device through SSH as root (http://websec.ca/advisories/view/Zhone-GPON-2520-remote-root-shell-backdoor).

2. Enable the router's FTP service.



3. Create the folder for the user "ont" under /tmp/home/ont. This folder will be used to store our binaries, so we can download them via FTP and then analyze them.



4. Next we copy the "dropbear" binary to the temporary folder we just created.



5. Now we access the router via FTP and download the "dropbear" binary we just copied.



6. After downloading the binary, we can find quite a bit of interesting information by simply analyzing the binary's strings. You can use a hex editor or any other tool capable of viewing the contents of the binary (in my case I used IDA Pro and opened its Strings window).



The first thing that caught my attention was the following line:

admin : huigu309


I immediately went ahead and tried that string as a username and password combination for SSH, which unfortunately did not grant me access as I expected. However, after a few more attempts I found that by using "root" as the username with "huigu309" as the password I was able to get in.

root : huigu309



I continued analyzing the strings in the binary and found more backdoor accounts:


ONTUSER : SUGAR2A041




CRAFTSPERSON : ALC#FGU
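The strings-analysis step above can be turned into a repeatable check for firmware images: extract printable runs the way the `strings` utility does and shortlist any that follow the "USER : PASSWORD" layout the backdoor accounts used. The following Python is an added example, not code from the original post or from Websec; the `SAMPLE_BINARY` bytes are constructed here to stand in for a real "dropbear" binary and contain the three strings quoted in the post.

```python
import re
from typing import List, Tuple

# Minimum length of a printable run to count as a string (same default as GNU strings).
MIN_LEN = 4

# One token, a colon with optional surrounding spaces, one token: the layout of the
# "admin : huigu309" style strings described in the post. Trailing spaces are tolerated
# because one of the quoted strings carried one.
CRED_RE = re.compile(r"^\s*([A-Za-z0-9_.#@-]{3,32})\s*:\s*([^\s]{4,64})\s*$")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_credential_strings(data: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) candidates whose layout matches USER : PASS.

    This is a heuristic shortlist for manual review, not a verdict: a message such as
    "Error: code" has the same shape and will also be reported.
    """
    hits = []
    for s in extract_strings(data):
        m = CRED_RE.match(s)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample standing in for a firmware binary: a few ELF-like header bytes,
# ordinary program strings (which must not be flagged) and the three credential-shaped
# strings quoted in the post.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(8)
    + b"Usage: dropbear [options]\x00"
    + b"admin : huigu309\x00"
    + b"\x01\x02\x03"
    + b"Dropbear server\x00"
    + b"ONTUSER : SUGAR2A041 \x00"
    + b"CRAFTSPERSON : ALC#FGU\x00"
    + b"Exited normally\x00"
)

if __name__ == "__main__":
    for user, password in find_credential_strings(SAMPLE_BINARY):
        print(f"candidate account: {user!r} / {password!r}")
```

Run it against a dumped binary by replacing `SAMPLE_BINARY` with `open(path, "rb").read()`; any hit should be tested against the device's real login behaviour, since (as the post shows) the username in the string may not be the one that actually works.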



To improve the security of these devices, I suggest creating iptables firewall rules that restrict access to the SSH port to the internal network and block it on the WAN interface. An alternative solution would be to replace the "dropbear" binary with one that does not contain these backdoor accounts.


This post was originally written by Luis Ramirez and translated by Roberto Salgado. The original post in Spanish can be found here.
