I've just read an interesting article entitled "who makes the IoT things under attack", explaining that devices connected to the Internet such as routers, IP cameras, IP phones, etc. may be used by botnets to launch DDoS attacks, and that they get in using the default username and password. So you may think that once you've updated the firmware when available, and changed the default admin/admin in the user interface, you'd be relatively safe. You'd be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH to try a bunch of default usernames and passwords.
That made me curious, so I scanned the ports on my TP-Link wireless router and on the ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, installed by my Internet provider, the biggest in the country I live in, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.
I've started by scanning the TP-Link router in the local network:
sudo nmap -sS 192.168.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT
Nmap scan report for 192.168.0.1 (192.168.0.1)
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 94:0C:6D:XX:XX:XX (Tp-link Technologies)
Nmap done: 1 IP address (1 host up) scanned in 14.15 seconds
UPnP and the web interface ports are open, plus an extra port likely opened by UPnP, which looked fine.
Now I did the same on the ZTE modem in the local network first:
sudo nmap -sS 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:10 ICT
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00086s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds
The telnet port is open, and that's not good… It would be much worse if it was also open on the public IP:
sudo nmap -sS MODEM-PUBLIC-IP
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-06 10:11 ICT
Nmap scan report for MODEM-PUBLIC-IP
Host is up (0.00088s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 22.71 seconds
Oh boy…. That's not good at all. Can I access it from the outside?
telnet MODEM-PUBLIC-IP
Trying MODEM-PUBLIC-IP...
Connected to MODEM-PUBLIC-IP.
Escape character is '^]'.
F600W
Login: admin
Password:
Password is incorrect
Password:
Password is incorrect
Password:
Password is incorrect
Reached the maximum number of login, Admin authority locked 3 mins.
Connection closed by foreign host.
No, because I don't know the password. That is, until I do a quick web search and find this video telling me to use root and Zte521 to log in to ZTE modems. Bingo!
telnet MODEM-PUBLIC-IP
Trying MODEM-PUBLIC-IP...
Connected to MODEM-PUBLIC-IP.
Escape character is '^]'.
F600W
Login: root
Password:
BusyBox v1.01 (2015.01.15-08:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
That's huge, as it means millions of modem routers around the world can (likely) be accessed with minimal knowledge; I would not even consider this a hack…. Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username / password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don't even need to check the model number, as the Server field indicates it's a ZTE device…
curl -I MODEM-PUBLIC-IP
HTTP/1.1 200 OK
Server: Mini web server 1.0 ZTE corp 2005.
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Cache-Control: no-cache,no-store
Content-Length: 5277
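As an added example (my own code, not from the post or from ZTE), a small Python checker that applies the two observations above to saved scan output: it lists the management ports that the public-IP scan shows open, and pulls the Server header that identifies the vendor without any login. The sample scan text and headers are constructed to mirror the post's results; nothing here connects to a device.

```python
"""Added example: flag gateway management services reachable from the WAN."""
import re

# Services a home gateway should only ever answer on the LAN side.
RISKY_PORTS = {
    23: "telnet: cleartext login, prime target for default-credential bots",
    22: "ssh: remote login, also targeted with default credentials",
    53: "dns: open resolver, abusable for amplification",
    80: "http: admin interface exposed",
    443: "https: admin interface exposed",
    1900: "upnp: device control exposed",
}

# Matches the "PORT STATE SERVICE" table lines of nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)

# Constructed sample of the public-IP scan, same four ports as in the post.
WAN_SCAN = """\
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
443/tcp open https
"""
# Constructed sample of the curl -I response headers from the post.
CURL_HEADERS = "HTTP/1.1 200 OK\nServer: Mini web server 1.0 ZTE corp 2005.\nConnection: close\n"


def open_ports(nmap_output: str) -> dict:
    """Return {port: service} for every 'open' line in nmap's normal output."""
    return {int(m.group(1)): m.group(3) for m in PORT_LINE.finditer(nmap_output)}


def wan_exposures(wan_output: str) -> list:
    """Return (port, service, reason) for each risky port open on the public IP."""
    wan = open_ports(wan_output)
    return [(p, wan[p], RISKY_PORTS[p]) for p in sorted(wan) if p in RISKY_PORTS]


def server_banner(headers: str) -> str:
    """Extract the Server header; here it names the vendor before any login."""
    m = re.search(r"^Server:\s*(.+?)\s*$", headers, re.MULTILINE)
    return m.group(1) if m else ""


if __name__ == "__main__":
    for port, service, reason in wan_exposures(WAN_SCAN):
        print(f"{port}/tcp {service} -> {reason}")
    print("Vendor banner:", server_banner(CURL_HEADERS))
```

Feed it the real `nmap -sS` output of your own public IP (from outside your LAN) and the `curl -I` headers to get the same report for your modem.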
I don't know if the Internet provider uses telnet for any purpose, but it would be a good idea to at least change the password or completely disable the service. However, the rootfs is mounted read-only:
# mount
ubi:rootfs_ubifs on / type ubifs (ro,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/mtdblock7 on /data type jffs2 (rw,relatime)
/dev/mtdblock4 on /tagparam type jffs2 (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=15360k)
/dev/mtdblock5 on /userconfig type jffs2 (rw,relatime)
none on /mnt type ramfs (rw,noatime,nodiratime)
Normally, this is no problem as you can remount the root partition in read/write mode:
# mount -o remount,rw /
Can't find / in /etc/fstab
But it's not working in this case… I'm sure there must be a way to remount the system to change the password, or to edit the configuration to disable telnet, but I have not found a solution yet. These are the commands at our disposal:
busybox
BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date, df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname, ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls, lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd, reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test, tftp, top, traceroute, umount, wget
A temporary solution is to kill telnet:
ps ax | grep telnet
826 root 692 S <0> telnetd
828 root 692 S <0> telnetd
829 root 692 S <0> telnetd
830 root 692 S <0> telnetd
831 root 692 S <0> telnetd
832 root 692 S <0> telnetd
833 root 692 S <0> telnetd
1068 root 472 R <0> grep telnet
kill 826
But obviously telnet will run again at the next boot…
Anyway, it would be good if the service providers could make sure to change the default password before installing the modems on the customer premises, and hopefully they'll be able to change the password, or disable the service remotely, in due time…
Source: Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password