Researchers found allegedly intentional backdoors in FTTH devices from Chinese vendor C-Data

Pierluigi Paganini July 10, 2020

Two security researchers have found undocumented Telnet admin accounts in 29 FTTH devices from Chinese vendor C-Data.

Two security researchers have discovered undocumented Telnet admin accounts in 29 Fiber-To-The-Home (FTTH) devices from Chinese vendor C-Data.

The CDATA OLTs are sold under different brands, including Cdata, OptiLink, V-SOL CN, and BLIY. Some of the devices support multiple 10-gigabit uplinks and provide Internet connectivity to up to 1024 ONTs (clients).

CDATA FTTH FD1104B

Below is the list of vulnerable C-Data FTTH OLT devices:

  • 72408A
  • 9008A
  • 9016A
  • 92408A
  • 92416A
  • 9288
  • 97016
  • 97024P
  • 97028P
  • 97042P
  • 97084P
  • 97168P
  • FD1002S
  • FD1104
  • FD1104B
  • FD1104S
  • FD1104SN
  • FD1108S
  • FD1108SN
  • FD1204S-R2
  • FD1204SN
  • FD1204SN-R2
  • FD1208S-R2
  • FD1216S-R1
  • FD1608GS
  • FD1608SN
  • FD1616GS
  • FD1616SN
  • FD8000

The backdoor accounts are present in the firmware of 29 FTTH Optical Line Termination (OLT) devices from popular vendor C-Data. They could give users access to a secret Telnet admin account running on the devices’ external WAN interface, granting them full administrator CLI access.

According to the experts, the backdoor accounts were intentionally introduced.

FTTH Optical Line Termination (OLT) devices serve as the service provider endpoint of a passive optical network; they are located all over an ISP’s network.

The security duo, composed of Pierre Kim and Alexandre Torres, disclosed seven vulnerabilities in the firmware of FTTH OLT devices manufactured by C-Data.

The experts confirmed the presence of the security issues in the latest firmware running on two devices they have analyzed (FD1104B and FD1108SN OLTs), but they speculate the vulnerabilities could impact 27 other FTTH OLT models.

The most severe issue is the presence of Telnet backdoor accounts hardcoded in the firmware.

“A telnet server is running in the appliance and is reachable from the WAN interface and from the FTTH LAN interface (from the ONTs).” reads the analysis published by the experts.

“Depending on the firmware, the backdoor credentials may change. You can find below a complete list of backdoor (undocumented) credentials, giving an attacker a complete administrator CLI access.”

The two researchers discovered the following backdoor accounts in the devices they have analyzed:

suma123/panger123
debug/debug124
root/root126
guest/[empty]

The researchers pointed out that the initial backdoor CLI access could be used by attackers to trigger other vulnerabilities, for example, to extract administrator credentials by running a command in the CLI.

Another vulnerability discovered by the experts could allow attackers to execute shell commands with root privileges from any CLI account.

Experts also discovered a DoS issue affecting the Telnet server that could be exploited to reboot any OLT device using this command:

$ for i in $(seq 1 10); do cat /dev/urandom | nc 192.168.1.100 23 | hexdump -C;done

The fifth issue could be exploited to obtain credentials in clear-text.

“A web server is running in the appliance and is reachable from the WAN interface and from the FTTH LAN interface (from the ONTs).” continue the experts.

“Without authentication, an attacker can extract web, telnet credentials and SNMP communities (read and write) by fetching these files”

The remaining two vulnerabilities are related to the use of a weak encryption algorithm and the use of insecure management interfaces.
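For operators triaging their own networks, the following is an added example, not code from the researchers or from this article: it matches an asset inventory against the model list above and ranks devices by which management services face the WAN. The inventory records, host names, severity labels and the web port (80) are assumptions made for illustration.

```python
import re

# Affected model numbers, copied from the list in the article.
AFFECTED = {
    "72408A", "9008A", "9016A", "92408A", "92416A", "9288", "97016", "97024P",
    "97028P", "97042P", "97084P", "97168P", "FD1002S", "FD1104", "FD1104B",
    "FD1104S", "FD1104SN", "FD1108S", "FD1108SN", "FD1204S-R2", "FD1204SN",
    "FD1204SN-R2", "FD1208S-R2", "FD1216S-R1", "FD1608GS", "FD1608SN",
    "FD1616GS", "FD1616SN", "FD8000",
}
# Telnet (23) and a web server are reported reachable from the WAN; port 80 is an assumption.
MGMT_PORTS = {23: "telnet", 80: "http"}
ORDER = {"critical": 0, "high": 1, "review": 2}  # hypothetical severity scheme

# Constructed sample inventory; wan_open_ports would come from the operator's own scan data.
INVENTORY = [
    {"host": "olt-core-01", "description": "C-Data FD1104B OLT", "wan_open_ports": [23, 80, 161]},
    {"host": "olt-edge-07", "description": "OptiLink fd1608gs", "wan_open_ports": [80]},
    {"host": "olt-edge-09", "description": "V-SOL CN 9016A", "wan_open_ports": []},
    {"host": "olt-lab-02", "description": "FD1104C (unlisted variant)", "wan_open_ports": [23]},
    {"host": "sw-agg-03", "description": "Generic L2 switch", "wan_open_ports": [22]},
]

def affected_model(description):
    """Return the affected model named in a free-text description, or None."""
    # Whole-token match: "FD1104C" must not match the listed "FD1104".
    tokens = re.split(r"[\s,;/_()]+", description.upper())
    hits = [t for t in tokens if t in AFFECTED]
    return max(hits, key=len) if hits else None

def triage(inventory):
    """Return (host, model, severity, exposed services) tuples, most urgent first."""
    findings = []
    for dev in inventory:
        model = affected_model(dev["description"])
        if model is None:
            continue
        exposed = sorted(MGMT_PORTS[p] for p in dev["wan_open_ports"] if p in MGMT_PORTS)
        # No WAN exposure still needs review: the services also face the FTTH LAN (ONT) side.
        severity = "critical" if "telnet" in exposed else "high" if exposed else "review"
        findings.append((dev["host"], model, severity, exposed))
    return sorted(findings, key=lambda f: (ORDER[f[2]], f[0]))

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(finding)
```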

The duo did not report the issue to the vendor and published their findings because they believe some of the backdoors were intentionally implemented in the firmware of the devices.

C-Data was not immediately available for comment.


Pierluigi Paganini

(SecurityAffairs – hacking, FTTH devices)
