I managed to enabled Telnet in Airtel AOT 4221SR! Breakthrough [ROOT ACCESS OF THE ROUTER].
This is a continuation of my previous post that was posted in this subreddit *THE PREVIOUS POST*
This post is also posted on https://www.reddit.com/r/fuckairtel/s/WhML1jDkjS
This is to tell everyone that I managed to get into the TR-069 + TR-064 via ACL and enabled Telnet on my router which I got as a replacement earlier because I wanted a router which enables me to access the USB storage.
A little recap, I had a router "Dasan H660GM-A ONT" now this router was heavily locked down as you'd expect and I made a script to unlock the frontend but I had no luck enabling the real USB storage, telnet and ssh daemon. Later after the previous post I managed to get a AOT 4221SR which is from Sercomm. Now this had a USB storage/ftp enabled but somehow it was saving the files are etc/var/ I remember if I am correct but not the actual pendrive storage I attached in the back of the router. Now things were locked down and were not working as I expected so I did some work...
So, I am disclosing what I had discovered till yesterday:
- Full UI restriction bypass
- Authenticated API control
- Credential recovery
- Firewall policy manipulation
- Live interception of the device's TR-069 management session
- A protocol-correct understanding of how the router currently behaves in production
Note: I reported this to Airtel Bug reports and they didn't reply so here I am.
Now you might ask, how? Let's save that for later.
Back to tonight as I am writing this post, I managed to write a python script that basically does this:
Full chain: TR-064 ACS repoint → rogue ACS → param dump + Download RPC.
Then I wrote a single line python script as a payload that gave me whole access of telnet.
Proof:
| Finding | Evidence |
|---|---|
| Root shell | UID 0, squashfs root on mtdblock6 |
| Kernel | Linux 3.18.21 (2015 Buildroot — ancient, full of CVEs) |
| PPPoE creds in process list | CAN'T LEAK THIS LMAOOO |
| MQTT cloud backdoor | mosquitto_sub connecting to broadband-mqtt.airtel.com:8883 |
| Writable partitions | /usr/config (jffs2), /usr/local/data (ubifs), /tmp (ramfs) |
| Hardcoded telnet creds | telecomadmin / 1234 — UID 0 root |
| TR-069 client | /userfs/bin/tr69 (PID 2297) |
This is a CVSS 9.8+ finding. Unauthenticated LAN-side remote code execution to root.
If this post gets enough attension then I might post the whole directory of my work for you guys to explore. I am not posting any scripts/payload commands for now.
I earlier used to think that this router's telnet/ssh and other things are stripped down from the actual repackaged firmware but I proved myself wrong and here we go.
If any airtel people is seeing this then you should know that every fucking system is vulnerable, I have dozens of more thing to say here. TR-069 rogue was easy and TR_064 was kinda messy but at the end a system is a system and every system has a backdoor, no matter how hard you make for us consumers to not use basic features, people like me will always fuck you up.
This is not a joke, this is a serious vulnerability. I reported to you guys, you didn't reply.
ONLY IF I WAS GIVEN THE ACCESS OF ONE SINGLE USB STORAGE THING THEN THIS DAY WOULDN'T HAVE COME.
What did the guy said me to on call "EVEN WE DON'T HAVE THE PERMISSION TO ENABLE USB STORAGE AND TELNET FROM OUR SIDE", yeah sure, I just saw.