u/Shitijhalder

▲ 1 r/Airtel

I managed to enabled Telnet in Airtel AOT 4221SR! Breakthrough [ROOT ACCESS OF THE ROUTER].

This is a continuation of my previous post that was posted in this subreddit *THE PREVIOUS POST*

This post is also posted on https://www.reddit.com/r/fuckairtel/s/WhML1jDkjS

This is to tell everyone that I managed to get into the TR-069 + TR-064 via ACL and enabled Telnet on my router which I got as a replacement earlier because I wanted a router which enables me to access the USB storage.

A little recap, I had a router "Dasan H660GM-A ONT" now this router was heavily locked down as you'd expect and I made a script to unlock the frontend but I had no luck enabling the real USB storage, telnet and ssh daemon. Later after the previous post I managed to get a AOT 4221SR which is from Sercomm. Now this had a USB storage/ftp enabled but somehow it was saving the files are etc/var/ I remember if I am correct but not the actual pendrive storage I attached in the back of the router. Now things were locked down and were not working as I expected so I did some work...

So, I am disclosing what I had discovered till yesterday:
  - Full UI restriction bypass
  - Authenticated API control
  - Credential recovery
  - Firewall policy manipulation
  - Live interception of the device's TR-069 management session
  - A protocol-correct understanding of how the router currently behaves in production

Note: I reported this to Airtel Bug reports and they didn't reply so here I am.

Now you might ask, how? Let's save that for later.

Back to tonight as I am writing this post, I managed to write a python script that basically does this:

Full chain: TR-064 ACS repoint → rogue ACS → param dump + Download RPC.

Then I wrote a single line python script as a payload that gave me whole access of telnet.

Proof:

https://preview.redd.it/tboqbsgbp2bh1.png?width=680&format=png&auto=webp&s=0fe732208e94858945d50b504f67933e88b82945

Finding Evidence
Root shell UID 0, squashfs root on mtdblock6
Kernel Linux 3.18.21 (2015 Buildroot — ancient, full of CVEs)
PPPoE creds in process list CAN'T LEAK THIS LMAOOO
MQTT cloud backdoor mosquitto_sub connecting to broadband-mqtt.airtel.com:8883
Writable partitions /usr/config (jffs2), /usr/local/data (ubifs), /tmp (ramfs)
Hardcoded telnet creds telecomadmin / 1234 — UID 0 root
TR-069 client /userfs/bin/tr69 (PID 2297)

This is a CVSS 9.8+ finding. Unauthenticated LAN-side remote code execution to root. 

If this post gets enough attension then I might post the whole directory of my work for you guys to explore. I am not posting any scripts/payload commands for now.

I earlier used to think that this router's telnet/ssh and other things are stripped down from the actual repackaged firmware but I proved myself wrong and here we go.

If any airtel people is seeing this then you should know that every fucking system is vulnerable, I have dozens of more thing to say here. TR-069 rogue was easy and TR_064 was kinda messy but at the end a system is a system and every system has a backdoor, no matter how hard you make for us consumers to not use basic features, people like me will always fuck you up.

This is not a joke, this is a serious vulnerability. I reported to you guys, you didn't reply.

ONLY IF I WAS GIVEN THE ACCESS OF ONE SINGLE USB STORAGE THING THEN THIS DAY WOULDN'T HAVE COME.

What did the guy said me to on call "EVEN WE DON'T HAVE THE PERMISSION TO ENABLE USB STORAGE AND TELNET FROM OUR SIDE", yeah sure, I just saw.

reddit.com
u/Shitijhalder — 2 days ago

I managed to enabled Telnet in Airtel AOT 4221SR! Breakthrough [ROOT ACCESS OF THE ROUTER].

This is a continuation of my previous post that was posted in this subreddit *THE PREVIOUS POST*

This is to tell everyone that I managed to get into the TR-069 + TR-064 via ACL and enabled Telnet on my router which I got as a replacement earlier because I wanted a router which enables me to access the USB storage.

A little recap, I had a router "Dasan H660GM-A ONT" now this router was heavily locked down as you'd expect and I made a script to unlock the frontend but I had no luck enabling the real USB storage, telnet and ssh daemon. Later after the previous post I managed to get a AOT 4221SR which is from Sercomm. Now this had a USB storage/ftp enabled but somehow it was saving the files are etc/var/ I remember if I am correct but not the actual pendrive storage I attached in the back of the router. Now things were locked down and were not working as I expected so I did some work...

So, I am disclosing what I had discovered till yesterday:
  - Full UI restriction bypass
  - Authenticated API control
  - Credential recovery
  - Firewall policy manipulation
  - Live interception of the device's TR-069 management session
  - A protocol-correct understanding of how the router currently behaves in production

Note: I reported this to Airtel Bug reports and they didn't reply so here I am.

Now you might ask, how? Let's save that for later.

Back to tonight as I am writing this post, I managed to write a python script that basically does this:

Full chain: TR-064 ACS repoint → rogue ACS → param dump + Download RPC.

Then I wrote a single line python script as a payload that gave me whole access of telnet.

Proof:

https://preview.redd.it/tboqbsgbp2bh1.png?width=680&format=png&auto=webp&s=0fe732208e94858945d50b504f67933e88b82945

Finding Evidence
Root shell UID 0, squashfs root on mtdblock6
Kernel Linux 3.18.21 (2015 Buildroot — ancient, full of CVEs)
PPPoE creds in process list CAN'T LEAK THIS LMAOOO
MQTT cloud backdoor mosquitto_sub connecting to broadband-mqtt.airtel.com:8883
Writable partitions /usr/config (jffs2), /usr/local/data (ubifs), /tmp (ramfs)
Hardcoded telnet creds telecomadmin / 1234 — UID 0 root
TR-069 client /userfs/bin/tr69 (PID 2297)

This is a CVSS 9.8+ finding. Unauthenticated LAN-side remote code execution to root. 

If this post gets enough attension then I might post the whole directory of my work for you guys to explore. I am not posting any scripts/payload commands for now.

I earlier used to think that this router's telnet/ssh and other things are stripped down from the actual repackaged firmware but I proved myself wrong and here we go.

If any airtel people is seeing this then you should know that every fucking system is vulnerable, I have dozens of more thing to say here. TR-069 rogue was easy and TR_064 was kinda messy but at the end a system is a system and every system has a backdoor, no matter how hard you make for us consumers to not use basic features, people like me will always fuck you up.

This is not a joke, this is a serious vulnerability. I reported to you guys, you didn't reply.

ONLY IF I WAS GIVEN THE ACCESS OF ONE SINGLE USB STORAGE THING THEN THIS DAY WOULDN'T HAVE COME.

What did the guy said me to on call "EVEN WE DON'T HAVE THE PERMISSION TO ENABLE USB STORAGE AND TELNET FROM OUR SIDE", you little bitch! Fuck you Airtel.

reddit.com
u/Shitijhalder — 2 days ago

Does anyone have the 3d model for Nothing Phone 3a? I need it with the exact dimensions for a project of mine... If not the 3d model but at least the exact dimensions of each area, relative to other area, example from the camera island to the bottom of the phone...

reddit.com
u/Shitijhalder — 10 days ago

Spent 3 days reverse engineering my Airtel fiber router, only for the solution to be "get a different router"

I have an Airtel fiber connection with a Dasan H660GM-A ONT. The UI looked pretty modern, but I kept noticing references to features that weren't actually accessible.

I wanted only one thing, FTP and USB Media access via the USB port on the back of the router.

One thing led to another and I ended up digging through the Vue frontend, dumping the route table, extracting the permission matrix, and mapping hidden pages.

Turns out the firmware had a ton of hidden stuff:

  • ACL
  • Backup & Restore
  • Firmware Upgrade
  • TFTP
  • Auto Provision
  • WiFi Mesh
  • Change Customer ID
  • Various diagnostics pages

The funny part is that the frontend permissions were controlled by a giant object using:

H = Hidden
R = Read
RW = Read/Write

So I wrote a script that recursively changed every H and R to RW and continuously reapplied it. That basically unlocked the entire frontend UI and exposed all the hidden pages.

Here's the script though, lemme know if you can break in further: https://pastebin.com/LK8x3DqG

How to use this script? Login into 192.168.1.1 while being connected to your wifi and then open dev tools and open console and paste the whole script and reload the page, voila.

For a moment I thought I'd won.

Then the backend started returning 401s. 😅

That's when I realized Airtel's engineers had actually done a decent job. The frontend permissions were easy to manipulate, but the backend had its own authorization layer.

Eventually I contacted Airtel. After a bunch of calls and discussions I realised that the engineers don't even know that USB can be used for Media Storage with FTP or Telnet. They don't know anything at all, later called the highest officer on the field engineer's phone and that guy told me that due to security reasons USB permissions can't be given, like what bro? You think I am trying to break into Airtel's root? I argued that I being an advanced user blah blah, no luck. Later I told the field engineer about different vendor routers and ended up offering a router replacement instead.

The replacement? A Sercomm router with a UI that looks straight out of 2010... but it has USB Storage, FTP Server, DLNA, DDNS, VoIP settings, and a bunch of advanced options exposed by default. I told him that Servercomm and Nokia are all unlocked straight out of the box so here we go, problem solved. New box and yes everything is free, but one thing to note, it depends on the stock of the warehouse, if the warehouse doesn't have Servercomm or Nokia then no luck. Also the specifc model number ffor the servercomm model if you want all the options to be unlocked is "AOT-4221SR", specifically tell this to them if you're trying to change. Also, this specific model is very advanced due to it's build, it's for 1GB plan users so it's powerful than any other vendor present in India, note: Airtel has ~8 vendors that they ship their airtel router box from and Servercomm and Nokia are peak devices. While my current Dasan is completely locked down (That Bhaiya told me this peak thing).

So after three days of reverse engineering, the final solution was basically:

"Bhaiya knows a guy and got me a different router."

Still worth it though. Learned a lot about Vue apps, permission systems, router firmware, and the peak hypocrisy of Airtel.

Unlocked Frontend

More options

reddit.com
u/Shitijhalder — 1 month ago