anitsh / til

Today I Learn (til) - Github `Issues` used as daily learning management system for taking notes and storing resource links.
https://anitshrestha.com.np
MIT License

Security Analysis of Nokia G-120W-F #99

Open anitsh opened 4 years ago

anitsh commented 4 years ago

Objectives

  • [ ] Remove users
  • [ ] Change the default password for CLI access
  • [ ] Find other vulnerabilities

Later TODO Upgrade Firmware

Device Information:

  • Device Name: G-120W-F
  • Vendor: Nokia
  • Serial Number: ALCLFA5733B8
  • Hardware Version: 3FE46921BAAA
  • Boot Version: U-Boot Dec-31-2016--12:00:00
  • Software Version: 3FE46606DFHB46
  • Chipset: MTK7526FD
  • OS: Zebra, vty shell

How did the issue come to be? Issue

Resources:

Tools:

anitsh commented 4 years ago

Could not access shell. The default and web passwords do not allow shell access. There is not much information from web search.

After login with AdminGPON, the user user does not have privileges to update users.

Findings

  • https://linux.die.net/man/8/zebra
  • http://www.nongnu.org/quagga
  • http://www.nongnu.org/quagga/docs/quagga.html#Config-Commands
  • https://linoxide.com/ubuntu-how-to/configure-quagga-routing-suite-linux
  • https://usermanual.wiki/Nokia-Bell/G120WF/html
  • https://opensource.com/article/20/5/vty-shell
  • http://www.pacs.agh.edu.pl/wfitj/complab/doc/Quagga/VTY-shell.html
  • https://opensource.com/article/20/4/quagga-linux

Quagga daemons are each configurable via a network accessible CLI (called a 'vty'). The CLI follows a style similar to that of other routing software.

anitsh commented 4 years ago

image

espetoet commented 4 years ago

Hello, how are you? I have one of the same model. Did you manage to access the shell?

anitsh commented 4 years ago

@espetoet, If you are talking about 'user>shell', then I am still not able to access it.

I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.

anitsh commented 4 years ago

Yesterday's note:

Some research on Shell

There was an issue with Ethernet, resolved with https://askubuntu.com/questions/394217/my-eth0-has-gone-and-i-dont-have-internet-and-network-connection

  1. `sudo service network-manager stop`
  2. `sudo ifconfig enp4s8 up` to bring up the interface
  3. Then, force Ubuntu to ask for a new DHCP lease by `sudo dhclient enp4s8`
  4. Manually did `sudo service network-manager start`

This is when I got the connection to the network. There was an issue after disconnecting the cable with internet connection again; resolved it with `sudo dhclient enp4s8`

espetoet commented 4 years ago

Hello again. By chance, do you have the modem firmware? The factory firmware.

833M0L3 commented 4 years ago

Hello @codeanit, you can access the full shell with Telnet or SSH. Export the config file of the router and modify its content and set LimitAccount_ONTUSER to false. Upload the modified config file back to the router and use the credentials ONTUSER:SUGAR2A041 to login into SSH or Telnet with full root permission. Follow this guide to decode the config file https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html

Don't forget to read the comments from here : https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a

Info about the credentials : https://www.tenable.com/security/research/tra-2019-09

QiiioW commented 3 years ago

> Hello @codeanit, you can access the full shell with Telnet or SSH. Export the config file of the router and modify its content and set LimitAccount_ONTUSER to false. Upload the modified config file back to the router and use the credentials ONTUSER:SUGAR2A041 to login into SSH or Telnet with full root permission. Follow this guide to decode the config file https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
>
> Don't forget to read the comments from here : https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a
>
> Info about the credentials : https://www.tenable.com/security/research/tra-2019-09

> After login with AdminGPON, the user user does not have privileges to update users.

tarekkabalan commented 3 years ago

where to buy Onu Nokia Model G 120w F online

gr455 commented 2 years ago

> @espetoet, If you are talking about 'user>shell', then I am still not able to access it.
>
> I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.

The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell

Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528
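
As an added illustration (not from the thread, and not the router's actual code): the reported input `'; /bin/sh; #` has the shape of a string that closes a single-quoted shell argument, which suggests the prompt's value reached a shell command line. The C sketch below assumes such a pattern (the helper name `checkpw` and the stored secret are hypothetical) and contrasts it with a check that never involves a shell.

```c
#include <stdio.h>
#include <string.h>

/* ASSUMED vulnerable pattern: the typed password is pasted between single
 * quotes into a command line later handed to system()/popen().
 * "checkpw" is a made-up helper name, not taken from the firmware. */
int build_cmd_unsafe(char *out, size_t n, const char *pw) {
    return snprintf(out, n, "checkpw '%s'", pw);
}

/* Simplified scanner: counts command separators that end up OUTSIDE single
 * quotes. Anything above 0 means the input left its argument and added
 * commands of its own. An unquoted '#' is treated as the start of a comment. */
int commands_injected(const char *cmd) {
    int in_quote = 0, extra = 0;
    for (; *cmd; cmd++) {
        if (*cmd == '\'') in_quote = !in_quote;
        else if (!in_quote && *cmd == '#') break;
        else if (!in_quote && (*cmd == ';' || *cmd == '|' || *cmd == '&')) extra++;
    }
    return extra;
}

/* Hardened form: no shell involved. The input is only ever compared as data,
 * in constant time. (A real device should store a salted hash, not the secret.) */
int check_password_safe(const char *pw, const char *expected) {
    size_t lp = strlen(pw), le = strlen(expected);
    unsigned char diff = (unsigned char)(lp != le);
    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)(expected[i] ^ (i < lp ? pw[i] : 0));
    return diff == 0;
}

int main(void) {
    char cmd[128];
    /* Constructed sample inputs; the last one is the string quoted above. */
    const char *inputs[] = { "hunter2", "a;b", "'; /bin/sh; #" };
    for (int i = 0; i < 3; i++) {
        build_cmd_unsafe(cmd, sizeof cmd, inputs[i]);
        printf("%-14s -> %-26s extra commands: %d, safe check: %d\n",
               inputs[i], cmd, commands_injected(cmd),
               check_password_safe(inputs[i], "constructed-secret"));
    }
    return 0;
}
```

A `;` that stays inside the quotes is harmless, while the quoted input produces two extra commands; the comparison-based check simply rejects it as a wrong password.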

neelabhraman commented 2 years ago

When connecting via telnet, log in with the credentials below: username: ONTUSER, password: SUGAR2A041

It gives root access directly without going to shell.

image

Source:

  1. above discussion https://github.com/codeanit/til/issues/99#issuecomment-673031084
  2. https://www.websec.ca/publication/Blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q

neelabhraman commented 2 years ago

Question:

What to do after gaining root access ?? I was hoping to flash a new firmware in the NOKIA router hardware so that it can be used as a repeater (given that it doesn't have internet LAN INPUT hence cannot be used with other ISP's as a router)

Kalyan-M commented 2 years ago

> Question:
>
> What to do after gaining root access ?? I was hoping to flash a new firmware in the NOKIA router hardware so that it can be used as a repeater (given that it doesn't have internet LAN INPUT hence cannot be used with other ISP's as a router)

You can execute scfgtool set OperatorID MXXV to unlock many webUI elements including pppoe credentials. scfgtool is present in /usr/exe

Albonycal commented 2 years ago

Just discovered this issue. The command injection isn't working after a new update (also I didn't know this issue was public). Software Version: 3FE49362IJHK46 fixes the command injection. I'll try messing with the config.

amitgorai commented 10 months ago

> > @espetoet, If you are talking about 'user>shell', then I am still not able to access it. I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.
>
> The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell
>
> Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

Hi bro same device I have with same configuration , and backup and restore option not showing , Help me to solve my issue

833M0L3 commented 10 months ago

@amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And that command injection and the ONTUSER backdoor account have already been removed on the latest BOOT version.

amitgorai commented 10 months ago

> @amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And that command injection and the ONTUSER backdoor account have already been removed on the latest BOOT version.

Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

amitgorai commented 10 months ago

> @amitgorai What's your Hardware Version and Boot version? The current CPEs used by Wlink have been updated with a new system. Every CPE now has a uniquely generated username and pass. And that command injection and the ONTUSER backdoor account have already been removed on the latest BOOT version.

Actually I was not using this router from last one year ,, I tried to use it on my existing wifi connection yesterday then I got to know ... It's fully locked...

amitgorai commented 10 months ago

> > @espetoet, If you are talking about 'user>shell', then I am still not able to access it.
> >
> > I was working on it yesterday but could not find anything. Neither a way to upgrade the router's firmware. If you have found any resources. Kindly, please do share. Thank you.
>
> The Password2 prompt after user>shell is vulnerable to command injection. Inputting '; /bin/sh; # would pop a root shell
>
> Tested on: Device Name: G-2425G-A Vendor: Nokia Hardware Version: 3FE48299DDAA Boot Version: U-Boot Dec-31-2016--12:00:00 Software Version: 3FE49362IJHK29 Chipset: MTK7528

Hi @833M0L3 where I can use this password2 ??

833M0L3 commented 10 months ago

@amitgorai what are you trying to achieve? If you want the admin access then try going into http://192.168.1.254/su.html and use

This should work if you haven't used your router for a long time since the change started happening recently. That is of course if you are a wlink user. I have no idea about others.

amitgorai commented 10 months ago

> @amitgorai what are you trying to achieve? If you want the admin access then try going into http://192.168.1.254/su.html and use
>
>   • Username : wlinkuser
>   • Password : 35wl#Login465
>
> This should work if you haven't used your router for a long time since the change started happening recently. That is of course if you are a wlink user. I have no idea about others.

Hi @833M0L3 Yes I want su access of my Device Name: Nokia G-2425G-A And yes I was not using from last one year ... Then yesterday I tried to use with my isp ..then I got to know its fully locked ( backup and restore option also not visible ) , then I Googled and came to this post as I can see @gr455 post the device he had , I have the same, but as he mentioned that if I use his given password in Password2 section I can get root access , so I want to know where I can use this password...

833M0L3 commented 10 months ago

@amitgorai If you meant the telnet access, you can do that from Windows Terminal or using PuTTY. On the terminal, enter `telnet 192.168.1.254`.

But since you have connected your router to the ISP, I am sure a lot of config has been changed and I am sure telnet/ssh are disabled by default. But give it a try. If you don't know how telnet and ssh work, try googling it.

daley1323 commented 5 months ago

Did you progress

parthnagdev commented 1 month ago

> Just discovered this issue. The command injection isn't working after a new update (also I didn't know this issue was public). Software Version: 3FE49362IJHK46 fixes the command injection. I'll try messing with the config.

@Albonycal How did you update the firmware? Do you have the link to website where the update firmware is available?