Unifi Fiberhome SR1041F backdoor root SSH access, don't open port 80 on the WAN side

TSwhirleyes
post Oct 29 2023, 10:54 PM

New Member
Newbie
4 posts

Joined: Sep 2005
Fiberhome Router SR1041F RP0105 SSH root backdoor

It is possible to log in over SSH as the root user by exploiting a remote code execution vulnerability
https://gist.github.com/whirleyes/c664c33ff...2c1446f2a97abb9 and a backdoor factory access mode in dropbear.

Pre-authentication remote code execution allows anyone, without logging in, to send commands to the operating system as the root user.

Thus, opening WAN port 80 could be unsafe for your network.


This scenario involves a sequence of commands:
1. Enable factory mode
2. Remove root password
3. Restart dropbear (allow no password and use /var/passwd instead of /var/dropbear_passwd)
4. Open firewall

SSH root backdoor execution
https://gist.github.com/whirleyes/7916c5cd0...5aaceb2f50f837c

Done submitting the CVE.

This post has been edited by whirleyes: Oct 29 2023, 11:31 PM
SUSnonamer
post Oct 30 2023, 02:09 PM

Getting Started
Junior Member
224 posts

Joined: Apr 2019
Since you got root access, did you manage to change the radio country code from MY to US?
Jjuggler
post Oct 30 2023, 02:16 PM

Narcissistic Genius
Senior Member
1,334 posts

Joined: Dec 2016
QUOTE(whirleyes @ Oct 29 2023, 10:54 PM)
Fiberhome Router SR1041F RP0105 SSH root backdoor

It is possible to log in over SSH as the root user by exploiting a remote code execution vulnerability
https://gist.github.com/whirleyes/c664c33ff...2c1446f2a97abb9 and a backdoor factory access mode in dropbear.

Pre-authentication remote code execution allows anyone, without logging in, to send commands to the operating system as the root user.

Thus, opening WAN port 80 could be unsafe for your network.


This scenario involves a sequence of commands:
1. Enable factory mode
2. Remove root password
3. Restart dropbear (allow no password and use /var/passwd instead of /var/dropbear_passwd)
4. Open firewall

SSH root backdoor execution
https://gist.github.com/whirleyes/7916c5cd0...5aaceb2f50f837c

Done submitting the CVE.
*
Mate, I just scanned through your GitHub repo and the details presented. Great job there mate. Keep up the good work.
TSwhirleyes
post Oct 30 2023, 05:54 PM

New Member
Newbie
4 posts

Joined: Sep 2005
QUOTE(nonamer @ Oct 30 2023, 02:09 PM)
Since you got root access, did you manage to change the radio country code from MY to US?
*
Haven't explored much,
but I think you can try checking the /fhconf/fh_wifi/ directory.
TSwhirleyes
post Oct 30 2023, 06:04 PM

New Member
Newbie
4 posts

Joined: Sep 2005
QUOTE(Jjuggler @ Oct 30 2023, 02:16 PM)
Mate, I just scanned through your GitHub repo and the details presented. Great job there mate. Keep up the good work.
*
Learned so much from this https://techdator.net/fiberhome-devices-has...p-a-new-botnet/

I don't think they will release a firmware update anytime soon.
Best is to spread awareness, else it could be another Gwmndy botnet victim.

My intention is just to get root access so I can proceed with building OpenWrt image for this device.
or at least can make some tweak to the original firmware.
Jjuggler
post Oct 30 2023, 06:09 PM

Narcissistic Genius
Senior Member
1,334 posts

Joined: Dec 2016
QUOTE(whirleyes @ Oct 30 2023, 06:04 PM)
Learned so much from this https://techdator.net/fiberhome-devices-has...p-a-new-botnet/

I don't think they will release a firmware update anytime soon.
Best is to spread awareness, else it could be another Gwmndy botnet victim.

My intention is just to get root access so I can proceed with building OpenWrt image for this device.
or at least can make some tweak to the original firmware.
*
Great share mate. I will read through the article at night.
failed.hashcheck
post Oct 30 2023, 07:15 PM

Neighborhood plant pathologist
Senior Member
2,090 posts

Joined: Aug 2009
From: Shithole Klang
Does this apply to the SR1041Y or not?

Ironically, this is gonna be an amazing find if it means I could get free rein to SSH in and remove that retarded @unifi SSID suffix.
Doraku
post Nov 5 2023, 01:42 AM

Old threads digger
Senior Member
1,155 posts

Joined: Apr 2016


Dumb question, but is the Fiberhome ACL an allowlist or a blocklist? Because my Fiberhome SR1041Y ACL settings look like this.
user posted image
PRSXFENG
post Nov 5 2023, 11:31 PM

Look at all my stars!!
Senior Member
2,607 posts

Joined: Nov 2020


QUOTE(Doraku @ Nov 5 2023, 01:42 AM)
Dumb question, but is the Fiberhome ACL an allowlist or a blocklist? Because my Fiberhome SR1041Y ACL settings look like this.
user posted image
*
Looks like it's an allowlist.

Seems pretty normal, since they are LAN, which means devices on your network.
Like HTTP would be allowing local devices to access the web configuration UI.
No idea what deleting it would do.

The only thing opened up to the wider internet is ICMP ping.

This post has been edited by PRSXFENG: Nov 5 2023, 11:31 PM
dineshmike
post Dec 9 2023, 12:19 PM

Casual
Junior Member
344 posts

Joined: Oct 2006
From: Kulaijaya, Johor


Once logged in via SSH, you can retrieve encrypted configs using the tool cfg_cmd.
I found some of the strings below under:
/fhrom/preconfimg/FH_AP_MY_TM_Trunk/pre_usrconfig_conf

CODE
cat /fhrom/preconfimg/FH_AP_MY_TM_Trunk/pre_usrconfig_conf

config interface 'InternetGatewayDevice__DeviceInfo__X_FH_Account__X_FH_WebUserInfo__'
       option WebPassword '<Removed>'
       option WebSuperPassword 'B633193F7FDB2CF758572A34501FAD01'
       option WebSuperUsername '3F8B9BC17DED934E91559F809DCF334F'
       option WebUsername '26EE0AB437C406A66F849A961449A037'


You can get the current username and password of the web logins using the command below:
CODE
cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebUsername
cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebPassword


You can also set the current username and password of the web logins using the command below:
CODE
cfg_cmd set InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebUsername myuser
cfg_cmd set InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebPassword password123


I also tried extracting the superuser credentials this way but they didn't work. Not sure whether there is a separate config to enable the superuser account.

CODE
cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperUsername
cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperPassword

# cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperUsername
argc = 3
argv[0] = cfg_cmd
argv[1] = get
argv[2] = InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperUsername
get success!value=superadmin
# cfg_cmd get InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperPassword
argc = 3
argv[0] = cfg_cmd
argv[1] = get
argv[2] = InternetGatewayDevice.DeviceInfo.X_FH_Account.X_FH_WebUserInfo.WebSuperPassword
get success!value=f1ber@dm!n
#

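The post above shows two views of the same data: the UCI-style pre_usrconfig_conf file, where the section name carries the TR-069 object path with `__` in place of `.`, and the cfg_cmd tool, which takes the dotted path. As an added example (not code from the post or from Fiberhome), the script below parses a config snippet in that UCI-style format, maps each section back to the dotted path cfg_cmd expects, emits the matching `cfg_cmd get` lines, and flags which stored values are 32-hex-character encoded strings rather than plaintext. The sample input is the snippet quoted in the post (with the poster's own `<Removed>` redaction). The `__`-to-`.` mapping and the treatment of the trailing `__` as a terminator are assumptions inferred from the section name and the cfg_cmd paths in the post, not documented behaviour of the firmware.

```python
"""Map a Fiberhome UCI-style preconfig snippet back to cfg_cmd dotted paths.

Added example; assumes (from the post's section name vs. its cfg_cmd paths)
that '__' in a section name stands for '.' and a trailing '__' is a terminator.
"""
import re
from typing import Dict, List, Tuple

# Sample input: the snippet quoted in the post above. WebPassword was
# redacted by the poster; the other values are as posted.
SAMPLE_CONF = """\
config interface 'InternetGatewayDevice__DeviceInfo__X_FH_Account__X_FH_WebUserInfo__'
       option WebPassword '<Removed>'
       option WebSuperPassword 'B633193F7FDB2CF758572A34501FAD01'
       option WebSuperUsername '3F8B9BC17DED934E91559F809DCF334F'
       option WebUsername '26EE0AB437C406A66F849A961449A037'
"""

_SECTION_RE = re.compile(r"^config\s+(\S+)\s+'([^']*)'\s*$")
_OPTION_RE = re.compile(r"^option\s+(\S+)\s+'([^']*)'\s*$")
_HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_uci(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {option: value}} for a UCI-style config text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(2)          # the quoted section name
            sections[current] = {}
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def section_to_path(section: str) -> str:
    """'A__B__C__' -> 'A.B.C' (assumed encoding, see module docstring)."""
    return ".".join(part for part in section.split("__") if part)


def cfg_cmd_get_lines(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """One 'cfg_cmd get <dotted path>' line per option, options sorted."""
    cmds = []
    for sec, opts in sections.items():
        base = section_to_path(sec)
        for opt in sorted(opts):
            cmds.append(f"cfg_cmd get {base}.{opt}")
    return cmds


def classify_value(value: str) -> str:
    """'redacted' for the poster's placeholder, 'hex32' for a 32-hex-char
    encoded value, 'plain' for anything else."""
    if value == "<Removed>":
        return "redacted"
    if _HEX32_RE.match(value):
        return "hex32"
    return "plain"


def audit(text: str) -> List[Tuple[str, str]]:
    """(dotted path, classification) for every option in the config."""
    out = []
    for sec, opts in parse_uci(text).items():
        base = section_to_path(sec)
        for opt, val in sorted(opts.items()):
            out.append((f"{base}.{opt}", classify_value(val)))
    return out


if __name__ == "__main__":
    for cmd in cfg_cmd_get_lines(parse_uci(SAMPLE_CONF)):
        print(cmd)
    for path, kind in audit(SAMPLE_CONF):
        print(f"{kind:8s} {path}")
```

Run it as-is to get the four `cfg_cmd get` lines for the WebUserInfo section; point `parse_uci` at the full file contents from the device to enumerate every object the preconfig stores, and use the `hex32` flag to see which fields are kept in encoded form rather than as plaintext.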
syahpian
post Dec 10 2023, 10:49 AM

Enthusiast
Junior Member
811 posts

Joined: Jul 2008
From: Kota Kinabalu <-> Kuala Lumpur


QUOTE(whirleyes @ Oct 30 2023, 06:04 PM)
Learned so much from this https://techdator.net/fiberhome-devices-has...p-a-new-botnet/

I don't think they will release a firmware update anytime soon.
Best is to spread awareness, else it could be another Gwmndy botnet victim.

My intention is just to get root access so I can proceed with building OpenWrt image for this device.
or at least can make some tweak to the original firmware.
*
Oh, nice, OpenWrt, will wait for it.

PS: my 666th post

This post has been edited by syahpian: Dec 10 2023, 10:49 AM
MyProLife
post Dec 10 2023, 03:40 PM

I bully wumao & MPKL
Senior Member
2,056 posts

Joined: Sep 2021
From: nowhere

QUOTE(syahpian @ Dec 10 2023, 10:49 AM)
Oh, nice, OpenWrt, will wait for it.

PS: my 666th post
*
Difficult to do a port for now because Fiberhome uses Econet (a MediaTek subsidiary) rather than MediaTek itself, which has slight differences in overall architecture. The main problem is that the Ethernet blob from Econet (or its precursors, including TrendChip/Ralink) is different from MediaTek's own SoCs.
prescott
post Jan 22 2024, 09:00 AM

Casual
Junior Member
324 posts

Joined: Jan 2003
From: KL

QUOTE(failed.hashcheck @ Oct 30 2023, 07:15 PM)
Does this apply to the SR1041Y or not?

Ironically, this is gonna be an amazing find if it means I could get free rein to SSH in and remove that retarded @unifi SSID suffix.
*
You can use a JS override in Chrome developer mode to remove the @unifi SSID suffix.
arturo_bandini
post Jan 22 2024, 09:50 AM

Getting Started
Junior Member
136 posts

Joined: Aug 2005


QUOTE(whirleyes @ Oct 29 2023, 10:54 PM)
Fiberhome Router SR1041F RP0105 SSH root backdoor

It is possible to log in over SSH as the root user by exploiting a remote code execution vulnerability
https://gist.github.com/whirleyes/c664c33ff...2c1446f2a97abb9 and a backdoor factory access mode in dropbear.

Pre-authentication remote code execution allows anyone, without logging in, to send commands to the operating system as the root user.

Thus, opening WAN port 80 could be unsafe for your network.


This scenario involves a sequence of commands:
1. Enable factory mode
2. Remove root password
3. Restart dropbear (allow no password and use /var/passwd instead of /var/dropbear_passwd)
4. Open firewall

SSH root backdoor execution
https://gist.github.com/whirleyes/7916c5cd0...5aaceb2f50f837c

Done submitting the CVE.
*
Nice findings. Hopefully someday you could share your thought process in finding this vulnerability.

Noobie question: I can't even get port forwarding to work on this router. [other thread which asks about this] Mind giving a few pointers?

sss2sssss
post Apr 8 2024, 09:47 PM

I'm Abra
Senior Member
1,329 posts

Joined: May 2008
QUOTE(whirleyes @ Oct 29 2023, 10:54 PM)
Fiberhome Router SR1041F RP0105 SSH root backdoor

It is possible to log in over SSH as the root user by exploiting a remote code execution vulnerability
https://gist.github.com/whirleyes/c664c33ff...2c1446f2a97abb9 and a backdoor factory access mode in dropbear.

Pre-authentication remote code execution allows anyone, without logging in, to send commands to the operating system as the root user.

Thus, opening WAN port 80 could be unsafe for your network.


This scenario involves a sequence of commands:
1. Enable factory mode
2. Remove root password
3. Restart dropbear (allow no password and use /var/passwd instead of /var/dropbear_passwd)
4. Open firewall

SSH root backdoor execution
https://gist.github.com/whirleyes/7916c5cd0...5aaceb2f50f837c

Done submitting the CVE.
*
Pardon me for asking, do you have the CVE submission details? I tried to find it on the CVE list but couldn't find it.
AsuKi
post Sep 6 2025, 07:41 PM

♥C.S.I♥
Senior Member
1,144 posts

Joined: Jan 2003
From: Republik Of Kelantanese

No luck for OpenWrt yet?
ericmaxman
post Sep 15 2025, 09:42 PM

-
Senior Member
7,951 posts

Joined: Sep 2005
QUOTE(AsuKi @ Sep 6 2025, 07:41 PM)
No luck for OpenWrt yet?
*
I think Econet is one step closer to getting OpenWrt.

The PR just got merged a couple of days ago: https://github.com/openwrt/openwrt/pull/19021
AsuKi
post Nov 15 2025, 09:13 PM

♥C.S.I♥
Senior Member
1,144 posts

Joined: Jan 2003
From: Republik Of Kelantanese

Looking for firmware version RP0105. I've googled plenty, but it turns out nobody wants to host it.
