Pwning Telstra’s ZTE MF91 Pre-paid 4G modem
Apparently, the average person in Australia carries 2.6 devices. For me, the 0.6 is my Telstra Pre-Paid 4G WiFi modem. All the main Aussie telcos have offerings in this space (Telstra/Optus/Vodafone/Virgin Mobile), and the devices provided usually are Huawei, ZTE or Sierra Wireless wifi modems.
Several months ago, I decided to give my MF91 a shakedown in the security space – and a bunch of bugs bubbled to the surface fairly quickly.
PoC
I wrote a basic script (zteeek) that exploits some of the vulnerabilities described below - it’s available here (I’m not a coder, you’ve been warned, and so on). And here’s a video:
MF91 vulnerabilities
The fact that you already need to be connected to the wireless network to exploit them makes these far less sexy; nevertheless, they're a good example of the kind of vulns that are common in embedded systems. Either a WPS attack or a plain old brute force wireless run against the MF91 would be your best way on to its wireless network – then you can have fun with zteeek. Here's a quick description of the vulnerability/exploit pairs:
Unauthenticated cookie value disclosure
The core cookie value for authenticated sessions, MF91_Telstra_luck_num, can be retrieved via an unauthenticated GET request, after which an attacker can create their own valid admin session cookie to bypass authentication.
http://<deviceip>/goform/pwd_cmd?cmd=lucky_num
Unauthenticated SSID modification
The wireless SSID can be changed by tampering with the ssid parameter without authentication.
http://<deviceip>/goform/wlan_set_basic_sap_profile?ssid=new_SSID
Unauthenticated disabling of AP isolation mode
Access point isolation mode can be disabled without authentication, exposing isolated clients.
http://<deviceip>/goform/wlan_set_basic_sap_profile?=DISABLE
Unauthenticated denial of service (force client disconnect)
A denial of service attack causing the forced disconnection of all clients is possible via a GET request to dhcp_list_cmd without authentication.
http://<deviceip>/goform/dhcp_list_cmd?cmd=set&&mac_addr=
Unauthenticated administrator password change
The administrator password for the ZTE MF91 can be changed via a GET request to upd_pwd without authentication.
http://<deviceip>/goform/upd_pwd?password=<new password>
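For anyone monitoring one of these devices rather than poking at it, the five endpoints above are the ones worth watching. The script below is an added example written for this write-up; it is not part of zteeek and not ZTE's or Telstra's code. It assumes a constructed access-log format (client IP, method, request path, Cookie header), because the MF91's real web server log format is not described here, and the cookie value in the sample lines is made up. It flags requests to the sensitive /goform/ handlers that carry no MF91_Telstra_luck_num session cookie, and, because that cookie value is itself retrievable without authentication, it also flags later "authenticated" admin requests from any client that was seen fetching lucky_num, since that session was most likely forged.

```python
import re
from dataclasses import dataclass

# Handlers the post describes as reachable without authentication (paths from the page).
SENSITIVE_ENDPOINTS = {
    "/goform/pwd_cmd": "session cookie value disclosure",
    "/goform/wlan_set_basic_sap_profile": "SSID / AP-isolation modification",
    "/goform/dhcp_list_cmd": "forced client disconnect",
    "/goform/upd_pwd": "administrator password change",
}

# Constructed log format for this example (not the MF91's real log format):
#   <client ip> <method> <path-with-query> "<Cookie header, or - if absent>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<cookie>[^"]*)"$')

# Session cookie name taken from the post; the value format is unknown, so any
# non-empty value counts as "present".
SESSION_COOKIE_RE = re.compile(r'MF91_Telstra_luck_num=[^;\s]+')


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_session_cookie(cookie_header):
    return SESSION_COOKIE_RE.search(cookie_header) is not None


def find_suspicious_requests(lines):
    """Flag unauthenticated admin requests and likely-forged sessions, in log order."""
    findings = []
    fetched_cookie_value = set()  # clients that retrieved the session value via lucky_num
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        if path not in SENSITIVE_ENDPOINTS:
            continue
        reason = SENSITIVE_ENDPOINTS[path]
        if path == "/goform/pwd_cmd" and "cmd=lucky_num" in query:
            # Disclosure of the value used to mint admin cookies: always report it,
            # and remember the client so later "authenticated" requests are suspect.
            fetched_cookie_value.add(rec["ip"])
            findings.append(Finding(rec["ip"], rec["path"], reason))
            continue
        if not has_session_cookie(rec["cookie"]):
            findings.append(Finding(rec["ip"], rec["path"], reason))
        elif rec["ip"] in fetched_cookie_value:
            findings.append(Finding(rec["ip"], rec["path"],
                                    reason + " (session likely forged: client fetched cookie value earlier)"))
    return findings


# Constructed sample log; IPs, the cookie value and the password placeholder are made up.
SAMPLE_LOG = """\
192.168.0.10 GET /index.html "-"
192.168.0.10 GET /goform/pwd_cmd?cmd=lucky_num "-"
192.168.0.12 GET /goform/upd_pwd?password=REDACTED "MF91_Telstra_luck_num=abc123"
192.168.0.10 GET /goform/upd_pwd?password=REDACTED "-"
192.168.0.11 GET /goform/dhcp_list_cmd?cmd=set&&mac_addr= "-"
192.168.0.13 GET /goform/wlan_set_basic_sap_profile?ssid=new_SSID "other=1"
192.168.0.10 GET /goform/wlan_set_basic_sap_profile?ssid=new_SSID "MF91_Telstra_luck_num=abc123"
"""

if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} -> {f.path}: {f.reason}")
```

Run against the sample, the script reports the lucky_num fetch, the three cookie-less admin requests, and the final SSID change from 192.168.0.10 even though it carried a session cookie, while the request from 192.168.0.12 passes. The cookie check alone is only triage: because the value can be fetched by anyone on the wireless network, a well-formed cookie proves nothing on its own, which is why the fetch-then-act chain is the more useful signal.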
Thank you CrikeyCon!
I was kindly invited to talk about the process around my dealings with the ZTE MF91 at CrikeyCon 2015 in Brisbane, which was a lot of fun. Many thanks to the CrikeyCon staff for entertaining a bunch of Aussie hackers on a very wet day in Brisbane, and thanks also to the fabulous and receptive people in attendance.