Unlock MTS MBlaze Ultra Wi-Fi ZTE AC3633 Modem

Recently I bought an MTS MBlaze 3G Plus Wi-Fi USB Modem.  I picked it because it got pretty good tariff plans & speed compared to other providers in my area. The interesting thing is that it allowed up to 5 devices to connect to it via Wi-Fi. So it appears to me as a fast, cheap, and portable broadband alternative.  This device is manufactured by ZTE, a Chinese multinational telecommunications equipment, and systems company.

MBlaze has two way of operation:-

• Connect to Computer and use it like any other USB Net setter.
• Connect to a 5V charger and it will start a Wi-Fi network with connectivity up to 5 devices.

• As I am a Security Guy, I checked the Router web interface of the device and was surprised to see a hell lot of vulnerabilities in a new Device.

• One thing I noticed is that Wi-Fi WPA/WPA2/WEP Key is shown as plain text in the text box.

MTS MBlaze Wi-Fi Password

• After some digging outs, it was found that the passwords are hard coded in the source code. 
• The router web interface password is hard coded in the password reset page.

MTS MBlaze Router Credentials

• The worst thing was that the session maintaining cookie used by the router web interface is static. This Cookie (iusername=logined) is all you need to get an authenticated session. 
• As this session cookie is constant all the time, simply setting the cookie will give access to protected pages in the web interface.
• Another issue  I found was, that you can reset the router web interface password without knowing the old password. You don’t even need the session cookie for password resetting.
• The following request is a PoC to reset the password without knowing the old password and with an unauthenticated session. 
• This will be considered under OWASP Top 10- A4, Insecure Direct Object Reference.

POST /goform/formSyWebCfg HTTP/1.1 Host: 192.168.1.1 Content-Type: application/x-www-form-urlencoded Referer: https://192.168.1.1/en/password.asp Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,es;q=0.6,ms;q=0.4 Content-Length: 52 action=Apply&sys_cfg=changed&sys_password=newpass

• Most of the forms in the Router web interface lacks CSRF tokens which essentially make them vulnerable to Cross-Site Request Forgery.
• Putting it all together, I made a quick dirty python POC exploit for MTS MBlaze Ultra Wi-Fi / ZTE AC3633 that can do the following things.

• Bypass Login
• Extract IP Address, Subnet, Gateway Information
• Steal Router Credentials
• Steal Wi-Fi WPA/WPA2/WEP Key
• Reset Password without old password and valid session
• List out the CSRF affected pages

Download Exploit

GitHub

Attack Scenario:-

• Initially, attacker will exploit CSRF and make the victim to visit a page containing the following IFRAME

<iframe src="https://192.168.1.1/goform/formSyWebCfg?wl_encryption_ protocol=3&wl_ wpa_psk_mode=0&wl_wpa_psk_key=xboz&wl_auth_mode=0&oem_cfg=changed& action=Apply" width="0" height="0">

• Now the Wi-Fi Key is changed to xboz. From this point, the attacker can connect to the Wi-Fi network and execute the exploit to gain access to the MTS device.

You May Like More:-

1. Bsnl Evdo ZTE AC8700 Unlocking Solution Here
2. Universal Master Code Calculator to Generate All Zte Modems Unlocking Codes
3. Unlock ZTE N799D By Miracle CDMA Boss 1.3
4. Unlock ZTE MF29 Usb Modem (Guide) Free
5. Unlock Telstra ZTE MF668A 3G USB Modem Totally Free
6. Unlock Telstra ZTE MF821 3G USB Modem Totally Free
7. Unlock ZTE MF626 MTS RU Modem Totally Free via Firmware Upgrade Process
8. Unlock to ZTE AC2746 old ver / AC2766 / AC8720 Modems Free
9. How to Find and Get Huawei and Zte 3G Usb Modems Imei Number
10. Apn Settings for Mobile Internet USB Modem Dashboard