Airtel Xstream Nokia G2425 - Root access

ddpanda | Messages: 7 | Location: GURGAON | ISP: AIRTEL Xstream
Has anyone been able to gain root access to this ONT?

TLDR: need to create a new WAN interface

I recently got my hands on a Nokia G2425 device (spare). I was tinkering with it and found it has an Airtel custom firmware, and I can't do much from enable mode either. I wanted to try shell commands to see if we can upload generic zebra firmware (Airtel firmware is based on the same) or try to convert this router to just a managed switch, but can't since I don't have the password for shell.

Anyone able to break it or have the password, kindly share. I am guessing Airtel uses the same password on all models.
 
Z3R0C1PH3R | Messages: 1 | Location: Mumbai | ISP: Airtel
The shell password is vulnerable to command injection; if you enter '; /bin/sh; # exactly, with the single quote, it would drop you in a user shell. I don't know how to get root access yet.
Source: Security Analysis of Nokia G-120W-F · Issue #99 · codeanit/til
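
Why a quote followed by `;` changes what a shell runs, and what the fix looks like, as an added example that is not part of the original posts or the device firmware. It assumes the prompt pastes the typed password between single quotes in a shell command line; `verify_pw` is a hypothetical helper name, and nothing is executed, the line is only tokenized.

```python
import hmac
import shlex

PAYLOAD = "'; /bin/sh; #"  # the string quoted in the post above

def naive_command(password: str) -> str:
    # Assumed injectable pattern: input pasted between single quotes.
    # verify_pw is a hypothetical helper name, not taken from the firmware.
    return f"verify_pw '{password}'"

def quoted_command(password: str) -> str:
    # Same command line with the input escaped as one shell word.
    return "verify_pw " + shlex.quote(password)

def shell_commands(cmdline: str) -> list:
    """Approximate how a POSIX shell splits a line into commands (nothing is run)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for token in lex:
        # Unquoted runs of ; & | come back as their own tokens. A quoted token
        # made only of these characters would be misread; fine for this demo.
        if token and set(token) <= set(";&|"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def check_password(candidate: str, stored: str) -> bool:
    # Hardened form: compare in-process, in constant time, with no shell involved.
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    for build in (naive_command, quoted_command):
        print(build.__name__, shell_commands(build(PAYLOAD)))
```

With the naive builder the input closes the quote, ends the command and comments out the trailing quote, so the line parses as two commands; with quoting it stays a single argument, and the in-process comparison removes the shell from the check altogether.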
 
SomeGuy | Messages: 5 | Location: Delhi NCR | ISP: Airtel
I've been able to get root shell access using the above thread as a guide:
Steps:
1. Go to the backup/restore page on the web config to get your config.cfg
2. Use the Python script here to decrypt the cfg
3. Add username and password in the decrypted cfg (now XML) to the telnetssh according to the blog post here: Unlocking IAM's Nokia G-240W-A router (Part 1) · 0x41.cf
Should look something like this (remember to enable the account; username and password are both 'admin' for this sample):
HTML:
<TelnetSshAccount. n="TelnetSshAccount" t="staticObject">
<Enable rw="RW" t="boolean" v="True"></Enable>
<UserName ml="64" rw="RW" t="string" v="admin"></UserName>
<Password ml="64" rw="RW" t="string" v="OYdLWUVDdKQTPaCIeTqniA==" ealgo="ab"></Password>
</TelnetSshAccount.>
You also need to falsify the telnetdisabled and sshdisabled options
HTML:
<X_ALU-COM_LanAccessCfg. n="LanAccessCfg" t="staticObject">
<HttpDisabled dv="false" rw="RW" t="boolean" v="False"></HttpDisabled>
<TelnetDisabled dv="false" rw="RW" t="boolean" v="False"></TelnetDisabled>
<IcmpEchoReqDisabled dv="false" rw="RW" t="boolean" v="False"></IcmpEchoReqDisabled>
<SshDisabled dv="true" rw="RW" t="boolean" v="False"></SshDisabled>
<HttpsDisabled dv="false" rw="RW" t="boolean" v="False"></HttpsDisabled>
<Tr69Disabled dv="true" rw="RW" t="boolean" v="True"></Tr69Disabled>
<SftpDisabled dv="true" rw="R" t="boolean" v="true"></SftpDisabled>
</X_ALU-COM_LanAccessCfg.>

4. Encrypt the xml back to cfg using -ple options and 0x13377331 magic
5. Restore the config using the web ui.

After reboot, you should be able to telnet into your router.
After that, you enter the following commands:
enable
shell

then after you get a prompt for entering password2, use
'; /bin/sh; #
to get shell root access
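
A check for the settings this post changes, for anyone reviewing a decrypted backup of one of these devices; this is an added example, not code from the post or the linked tools. The `<Root>` wrapper is constructed, and reading `dv` as the option's default value is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragments from the post (Password element omitted),
# wrapped in a made-up <Root> element so they parse as one document.
SAMPLE = """<Root>
<TelnetSshAccount. n="TelnetSshAccount" t="staticObject">
<Enable rw="RW" t="boolean" v="True"></Enable>
<UserName ml="64" rw="RW" t="string" v="admin"></UserName>
</TelnetSshAccount.>
<X_ALU-COM_LanAccessCfg. n="LanAccessCfg" t="staticObject">
<TelnetDisabled dv="false" rw="RW" t="boolean" v="False"></TelnetDisabled>
<SshDisabled dv="true" rw="RW" t="boolean" v="False"></SshDisabled>
<Tr69Disabled dv="true" rw="RW" t="boolean" v="True"></Tr69Disabled>
</X_ALU-COM_LanAccessCfg.>
</Root>"""

REMOTE_SHELLS = ("Telnet", "Ssh")

def is_true(value):
    # The config mixes "True"/"true", so compare case-insensitively.
    return (value or "").strip().lower() == "true"

def audit(xml_text):
    """Return findings about remote shell exposure in a decrypted config."""
    root = ET.fromstring(xml_text)
    findings = []
    account = root.find(".//*[@n='TelnetSshAccount']")
    if account is not None:
        enable, user = account.find("Enable"), account.find("UserName")
        if enable is not None and is_true(enable.get("v")):
            name = user.get("v") if user is not None else "?"
            findings.append(f"TelnetSshAccount enabled for user '{name}'")
    lan = root.find(".//*[@n='LanAccessCfg']")
    for option in (lan if lan is not None else []):
        if not option.tag.endswith("Disabled"):
            continue
        service = option.tag[: -len("Disabled")]
        disabled = is_true(option.get("v"))
        if service in REMOTE_SHELLS and not disabled:
            findings.append(f"{service} enabled on the LAN side")
        # Assumption: dv holds the default value of the option.
        if option.get("dv") is not None and disabled != is_true(option.get("dv")):
            findings.append(f"{option.tag} differs from its default")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```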
 
qwertypop | Messages: 17 | Location: Jharkhand | ISP: Airtel
Found a way to enable (almost) all options in the web UI. First get shell access with the steps mentioned in the above comments.
cd to /usr/exe and change the operator ID from the default BRTI for Airtel to MXXV.
Code:
cd /usr/exe
./scfgtool set OperatorID MXXV
Changes would be visible right away. No need to reboot.
 
Superstar | Messages: 27 | Location: Mumbai | ISP: Local, Airtel
I enabled all options in the web UI by changing the operator ID to MXXV!
But please check, I am not able to delete WAN connection profiles or add any new profile! Please help!

I want to use this with my local ISP.
 


Superstar | Messages: 27 | Location: Mumbai | ISP: Local, Airtel
qwertypop said:
> Found a way to enable (almost) all options in the web UI. First get shell access with the steps mentioned in the above comments.
> cd to /usr/exe and change the operator ID from the default BRTI for Airtel to MXXV.
> Code:
> cd /usr/exe
> ./scfgtool set OperatorID MXXV
> Changes would be visible right away. No need to reboot.
Also, I was wondering, can we run a lightweight script? Like “wakeonlan with a port forwarding”, so wherever I am I can click my computer’s power-on switch! 🌝
 
qwertypop | Messages: 17 | Location: Jharkhand | ISP: Airtel
That's weird. It is enabled for me. But I had played with many toggles in the XML before I figured this out, so maybe some setting that I changed is also contributing to unlocking the WAN page. Maybe try searching for InterfaceConfig in the XML and setting enable to true everywhere and uploading the config back.
If that doesn't work, you can always manually add the PPPoE username and password under the <WANPPPConnection.1. tag
 
Superstar | Messages: 27 | Location: Mumbai | ISP: Local, Airtel
Can you please share your config using GitHub or something? Also, please try creating a new WAN connection list entry!
 
Superstar | Messages: 27 | Location: Mumbai | ISP: Local, Airtel
qwertypop said:
> That's weird. It is enabled for me. But I had played with many toggles in the XML before I figured this out, so maybe some setting that I changed is also contributing to unlocking the WAN page. Maybe try searching for InterfaceConfig in the XML and setting enable to true everywhere and uploading the config back.
> If that doesn't work, you can always manually add the PPPoE username and password under the <WANPPPConnection.1. tag
I tried it, but I think it'll be best if you pass on your working config.cfg 😅