
Security Analysis of Nokia G-120W-F

Open anitsh opened this issue 5 years ago • 25 comments

Objectives

  • [ ] Remove users
  • [ ] Change the default password for CLI access
  • [ ] Find other vulnerabilities

Later TODO Upgrade Firmware

  • [ ] Find and install appropriate OS from https://openwrt.org

Device Information:

  • Device Name: G-120W-F
  • Vendor: Nokia
  • Serial Number: ALCLFA5733B8
  • Hardware Version: 3FE46921BAAA
  • Boot Version: U-Boot Dec-31-2016--12:00:00
  • Software Version: 3FE46606DFHB46
  • Chipset: MTK7526FD
  • OS: Zebra, vty shell

How did the issue come to be? Issue

Resources:

  • [ ] https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
  • [ ] https://medium.com/tenable-techblog/gpon-home-gateway-rce-threatens-tens-of-thousands-users-c4a17fd25b97
  • [ ] https://www.websec.ca/publication/Blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q
  • [ ] https://documentation.nokia.com/cgi-bin/dbaccessfilename.cgi/3HE11598AAAATQZZA01_V1_Advanced%20Configuration%20Guide%20for%207450%20ESS%207750%20SR%20and%207950%20XRS%20for%20Releases%20up%20to%2014.0.R5%20-%20Part%20I.pdf

Tools:

  • https://www.shodan.io Search engine for Internet-connected devices

anitsh avatar May 17 '20 05:05 anitsh

Could not access shell. The default and web passwords do not allow shell access. There is not much information from web search.

After login with AdminGPON, the user user does not have privileges to update users.

Findings:

  • https://linux.die.net/man/8/zebra
  • http://www.nongnu.org/quagga
  • http://www.nongnu.org/quagga/docs/quagga.html#Config-Commands
  • https://linoxide.com/ubuntu-how-to/configure-quagga-routing-suite-linux
  • https://usermanual.wiki/Nokia-Bell/G120WF/html
  • https://opensource.com/article/20/5/vty-shell
  • http://www.pacs.agh.edu.pl/wfitj/complab/doc/Quagga/VTY-shell.html
  • https://opensource.com/article/20/4/quagga-linux

Quagga daemons are each configurable via a network accessible CLI (called a 'vty'). The CLI follows a style similar to that of other routing software.

anitsh avatar May 23 '20 13:05 anitsh

image

anitsh avatar May 26 '20 07:05 anitsh

Hello, how are you? I have one of the same model. Did you manage to access the shell?

espetoet avatar Jun 08 '20 00:06 espetoet

@espetoet, If you are talking about 'user>shell', then I am still not able to access it.

I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.

anitsh avatar Jul 16 '20 04:07 anitsh

Yesterday's note:

  • https://medium.com/@huszty/reverse-engineering-my-fiber-to-the-home-gpon-device-83527ceeddde
  • https://securityaffairs.co/wordpress/71987/hacking/gpon-home-routers-hack.html

Some research on Shell

  • https://linux.die.net/man/8/zebra, http://skaya.enix.org/vpn/zebra.html, http://isp.vsi.ru/library/Other/Zebra/basic.html, https://frrouting.readthedocs.io/en/latest/zebra.html, https://frrouting.readthedocs.io/en/latest/zebra.html, https://www.nongnu.org/quagga/docs/quagga.html#zebra-Terminal-Mode-Commands, http://isp.vsi.ru/library/Other/Zebra/basic.html, http://docs.frrouting.org/en/latest/vtysh.html

  • https://github.com/f3d0x0/GPON,

  • https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide

There was an issue with Ethernet, resolved with https://askubuntu.com/questions/394217/my-eth0-has-gone-and-i-dont-have-internet-and-network-connection

  1. sudo service network-manager stop
  2. sudo ifconfig enp4s8 up to bring up the interface
  3. Then, force Ubuntu to ask for a new DHCP lease by sudo dhclient enp4s8
  4. Manually did sudo service network-manager start

This is when I got the connection to the network. There was an issue after disconnecting the cable with internet connection again, resolved it with sudo dhclient enp4s8

anitsh avatar Jul 16 '20 05:07 anitsh

Hello again. By chance, do you have the modem firmware? The factory firmware.

espetoet avatar Jul 17 '20 18:07 espetoet

Hello @codeanit, you can access the full shell with Telnet or SSH. Export the config file of the router, modify its content and set LimitAccount_ONTUSER to false. Upload the modified config file back to the router and use the credentials ONTUSER:SUGAR2A041 to log in to SSH or Telnet with full root permission. Follow this guide to decode the config file: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html

Don't forget to read the comments from here : https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Info about the credentials : https://www.tenable.com/security/research/tra-2019-09

833M0L3 avatar Aug 12 '20 18:08 833M0L3

> Hello @codeanit, you can access the full shell with Telnet or SSH. Export the config file of the router, modify its content and set LimitAccount_ONTUSER to false. Upload the modified config file back to the router and use the credentials ONTUSER:SUGAR2A041 to log in to SSH or Telnet with full root permission. Follow this guide to decode the config file: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
>
> Don't forget to read the comments from here : https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a
>
> Info about the credentials : https://www.tenable.com/security/research/tra-2019-09

After login with AdminGPON, the user user does not have privileges to update users.

QiiioW avatar Dec 04 '20 07:12 QiiioW

Where to buy ONU Nokia Model G 120w F online?

tarekkabalan avatar Feb 01 '21 11:02 tarekkabalan

> @espetoet, If you are talking about 'user>shell', then I am still not able to access it.
>
> I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.

The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell

Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

gr455 avatar Oct 20 '21 17:10 gr455
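Added example (not part of the thread and not the firmware's code): why an input that begins with a single quote can turn a password prompt into a command prompt, and an in-process check that avoids the shell entirely. It assumes the prompt builds a shell command line around the typed text; the helper name `pwcheck`, the function names and the sample password `s3cret` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: the prompt pastes the typed text between single quotes into a
 * line handed to sh. "pwcheck" is a hypothetical helper name. */
static int build_cmd_vulnerable(char *out, size_t n, const char *input) {
    return snprintf(out, n, "pwcheck '%s'", input);
}

/* Simplified single-quote tracker: 1 if sh would see a ';' outside quotes
 * (a second command), 0 otherwise. An unquoted '#' starts a comment. */
static int has_unquoted_separator(const char *cmd) {
    int in_quote = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') in_quote = !in_quote;
        else if (!in_quote && *p == '#') return 0;
        else if (!in_quote && *p == ';') return 1;
    }
    return 0;
}

/* Hardened: compare in-process, no shell involved; the loop runs over the
 * full expected length so timing does not reveal a matching prefix. */
static int verify_password_hardened(const char *input, const char *expected) {
    size_t li = strlen(input), le = strlen(expected);
    unsigned char diff = (unsigned char)(li != le);
    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)(expected[i] ^ (i < li ? input[i] : 0));
    return diff == 0;
}

int main(void) {
    /* First sample is constructed; second is the input quoted in the thread. */
    const char *samples[] = { "hunter2;x", "'; /bin/sh; #" };
    char cmd[128];
    for (int i = 0; i < 2; i++) {
        build_cmd_vulnerable(cmd, sizeof cmd, samples[i]);
        printf("%-16s -> %-26s second command: %d, hardened accepts: %d\n",
               samples[i], cmd, has_unquoted_separator(cmd),
               verify_password_hardened(samples[i], "s3cret" /* constructed */));
    }
    return 0;
}
```

A semicolon inside the quotes stays data; it is the leading quote character that closes the argument early, which is why filtering individual metacharacters is weaker than never invoking a shell.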

When connecting via telnet, log in with the credentials below: username: ONTUSER, password: SUGAR2A041

It gives root access directly without going to shell.

Source:

  1. above discussion https://github.com/codeanit/til/issues/99#issuecomment-673031084
  2. https://www.websec.ca/publication/Blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q

neelabhraman avatar Jan 14 '22 21:01 neelabhraman

Question:

What to do after gaining root access ?? I was hoping to flash a new firmware in the NOKIA router hardware so that it can be used as a repeater (given that it doesn't have internet LAN INPUT hence cannot be used with other ISP's as a router)

neelabhraman avatar Jan 14 '22 21:01 neelabhraman

> Question:
>
> What to do after gaining root access ?? I was hoping to flash a new firmware in the NOKIA router hardware so that it can be used as a repeater (given that it doesn't have internet LAN INPUT hence cannot be used with other ISP's as a router)

You can execute scfgtool set OperatorID MXXV to unlock many webUI elements including pppoe credentials. scfgtool is present in /usr/exe

Kalyan-M avatar Jan 26 '22 21:01 Kalyan-M

Just discovered this issue. The command injection isn't working after a new update (also, I didn't know this issue was public). Software Version: 3FE49362IJHK46 fixes the command injection. I'll try messing with the config.

Albonycal avatar May 03 '22 17:05 Albonycal

> > @espetoet, If you are talking about 'user>shell', then I am still not able to access it. I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.
>
> The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell
>
> Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

Hi bro, I have the same device with the same configuration, and the backup and restore option is not showing. Help me to solve my issue.

amitgorai avatar Oct 30 '23 07:10 amitgorai

@amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And those command injection and ONTUSER backdoor account has already been removed on the latest BOOT version.

833M0L3 avatar Oct 30 '23 07:10 833M0L3

> @amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And those command injection and ONTUSER backdoor account has already been removed on the latest BOOT version.

Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

amitgorai avatar Oct 30 '23 07:10 amitgorai

> @amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And those command injection and ONTUSER backdoor account has already been removed on the latest BOOT version.

Actually I have not been using this router for the last one year. I tried to use it on my existing wifi connection yesterday, then I got to know it's fully locked.

amitgorai avatar Oct 30 '23 07:10 amitgorai

> > @espetoet, If you are talking about 'user>shell', then I am still not able to access it.
> >
> > I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.
>
> The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell
>
> Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

Hi @833M0L3 where I can use this password2 ??

amitgorai avatar Oct 30 '23 08:10 amitgorai

@amitgorai what are you trying to achieve? If you want the admin access then try going into http://192.168.1.254/su.html and use

  • Username : wlinkuser
  • Password : 35wl#Login465

This should work if you haven't used your router for a long time since the change started happening recently. That is of course if you are a wlink user. I have no idea about others.

833M0L3 avatar Oct 30 '23 08:10 833M0L3

> @amitgorai what are you trying to achieve? If you want the admin access then try going into http://192.168.1.254/su.html and use
>
>   • Username : wlinkuser
>   • Password : 35wl#Login465
>
> This should work if you haven't used your router for a long time since the change started happening recently. That is of course if you are a wlink user. I have no idea about others.

Hi @833M0L3, yes, I want su access to my device (Device Name: Nokia G-2425G-A). And yes, I have not been using it for the last one year. Then yesterday I tried to use it with my ISP, and I got to know it's fully locked (backup and restore option also not visible). Then I Googled and came to this post. As I can see, @gr455 posted the device he had; I have the same. But as he mentioned that if I use his given password in the Password2 section I can get root access, I want to know where I can use this password.

amitgorai avatar Oct 30 '23 08:10 amitgorai

@amitgorai If you meant the telnet access, you can do that from Windows Terminal or using PuTTY. On the terminal enter telnet 192.168.1.254.

But since you have connected your router to the ISP, I am sure a lot of config has been changed and I am sure telnet/ssh are disabled by default. But give it a try. If you don't know how telnet and ssh work, try googling it.

833M0L3 avatar Oct 30 '23 08:10 833M0L3