How to 🦆 with Turkcell's Huawei ONT

July 4, 2021 // echel0n

What a time to be alive, huh? I just wanted to change my modem's DNS server settings. With reason enough to research, I found a 0day vulnerability on the device, which is mine, and then I was able to change them.

First of all, this research was done with no intent to harm. I am not threatening anyone; I just wanted to be able to change my DNS servers. For months, I was very upset about not being able to change my DNS servers from my modem. This option is disabled for customers by default. I also did what my default is: I broke into the firmware. I was forced to define my DNS servers on the client side over and over again, until this week. By default, Turkcell gives customers a low-privilege web user to configure the ONT, but they do not provide full control of the product. When I dumped the firmware of the device, I found a hidden account named "sUser"; this user's password was not given to me. Anyway, the frustration is over, and my pi-hole is very happy to sinkhole the advertisements normally again.

Be ready for drama; I just want to say something. The brands are trying to lock customers into a small area of the product. They want control; they do not want you to become the "real" owner of the product. They want customers to use it exactly as it is provided. For what? What kind of reason on earth made you think "Hhmmhmmmmmmmmm WE MUST DISABLE CHANGING DNS OPTIONS, HMMMMMMMMMMMMMMMMMMmmMpf YESSSsss"?

This reminds me of my childhood. My parents were always telling me "don't" and blocking the activities that they were afraid of. They only allowed me to be in front of the computer on Fridays and Saturdays; other than that, it was forbidden for years. For example, they shut down the modem on weekdays. I bought a new modem, hid it in our house and set the SSID to be invisible. They banned certain things because they thought "it was for my own good". (Hello mom!!) This behaviour is relatable when you look at it from the perspective of "being afraid of". They do not know what they are selling. They do not know how to separate permissions and segment the product's functionality. These reasons push them to restrict the rights of their customers. Basically, they are protecting themselves from their customers. These reasons push them into "being afraid" of uncertain things.

It also means they do not want to deal with it when a customer configures some bad options and then loses their internet connection. Maybe in the future you guys could allow customers to configure the product the way they want, but put up a sign: "Before changing these options, you should consider the risk of not using your internet properly."?

Guess what, Turkcell? The options are not limited. The hackers will always find a way; they have always found a way, for decades. This is our nature.

Please, we just want you to be the "internet provider", not the real "OWNER" of our property. No, I am not taking the "We can do what you want, just call customer service" answer. These are our default rights.

I am willing to get my proper CVE and give the technical details of the zero day to Huawei PSIRT, but first I would like to know the "sUser" password and the solid reason why Turkcell is not informing us about it. It is up to Turkcell. We want our freedom.