
Firmware Inspection

Mario Bartolomé edited this page Dec 20, 2019 · 3 revisions

This is the second of three mini-posts where I will write about some fun discoveries.

0x02/0x03 : Firmware inspection and binary reversing to achieve RCE

Seeking some interesting info

While the router was still intact, I ran an Nmap scan against it. It found an open telnet service running on port 2301 (naughty naughty), which presents a login prompt when you open a session to it.

Telnet logon at port 2301

But telnet has no login support by default... so it may be a modified version of telnet, or the telnet daemon is started with the -l flag, which sets the binary that will take care of the login.

During the firmware inspection, by having a look at the rcS file in etc_ro, the login management software behind the scenes can be found:

Login management sw behind the telnet service

So let's reverse it!

Reversing the login management binary


  • CVE-2019-14919. Affected product/version: Billion Smart Energy Router SG600R2. Firmware v3.02.rc6

This is kinda embarrassing... Just by checking the strings in the binary, the "Login incorrect" message appears right next to the correct username and password. Straight away, in clear text, embedded into the binary. Some awesome programming practices here.

Let's go step by step. Start by instructing radare2 to analyze the binary by issuing aaaa, which performs an in-depth analysis.

Then, by having a look at the strings in the data sections (use iz in radare2 to list the strings in data sections), the "Login incorrect" string turns out to be stored in the .rodata section at address 0x00400d44.

Strings found at binary

By checking the cross-references to the string (use axt 0x00400d44 to list xrefs to that address), it's easy to see that it is referenced only from the login process:

XRefs to string

So by navigating to that address (s 0x400ad8 seeks to a specific address) and switching to the graph view (VV), the whole login process becomes clear:

HardCoded credentials
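The search above (an authentication message in .rodata and the literals stored right beside it) can be turned into a reusable audit check for a dumped firmware section. This is an added example, not the author's code or the router's binary; SAMPLE_RODATA is a constructed stand-in for a .rodata dump, and AUTH_MARKERS, extract_strings, neighbours and audit_auth_neighbours are names of my own choosing.

```python
import re

# Constructed stand-in for a stripped .rodata dump (not the router's real binary):
# the failure message sits right beside two other NUL-terminated literals.
SAMPLE_RODATA = (
    b"\x00\x00/bin/sh\x00Login incorrect\x00example-user\x00s3cret-pass\x00"
    b"Password: \x00login: \x00%s\x00"
)

# Strings that mark a region of .rodata as belonging to an authentication routine.
AUTH_MARKERS = ("Login incorrect", "Password: ", "login: ")


def extract_strings(blob, min_len=4):
    """Return (offset, text) pairs for printable ASCII runs, like `strings` or r2's `iz`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def neighbours(strs, index, window):
    """The string literals within `window` positions of strs[index], excluding itself."""
    lo, hi = max(0, index - window), min(len(strs), index + window + 1)
    return [s for j, (_, s) in enumerate(strs[lo:hi], start=lo) if j != index]


def audit_auth_neighbours(blob, window=2, min_len=4):
    """Map each literal that sits next to an auth marker to the markers it neighbours.

    Everything returned is only a candidate: the cross-references (axt in radare2)
    decide whether it is a credential, a prompt or an unrelated constant.
    """
    strs = extract_strings(blob, min_len)
    findings = {}
    for i, (_, s) in enumerate(strs):
        if s not in AUTH_MARKERS:
            continue
        for cand in neighbours(strs, i, window):
            # Prompts, format strings and paths are expected near a login routine.
            if cand in AUTH_MARKERS or cand.startswith("%") or cand.startswith("/"):
                continue
            findings.setdefault(cand, set()).add(s)
    return findings


if __name__ == "__main__":
    for literal, markers in audit_auth_neighbours(SAMPLE_RODATA).items():
        print(f"{literal!r} sits next to {sorted(markers)}")
```

Feed it the raw bytes of the .rodata section (for example dumped from radare2) rather than the whole ELF, so the offsets line up with the section's load address.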

And yup, the login works.

Root shell

"Hidden" Root WebShell


  • CVE-2019-14920. Affected product/version: Billion Smart Energy Router SG600R2. Firmware v3.02.rc6

When it rains, it pours!

While checking the file system, a really eye-catching name came up:

...the fuck is that?

The other files are listed as part of the router's administration pages, but not this one... there's no sign of it in the panels:

No system command here

Feels like Christmas... Let's open it!

A hidden root webshell. All for me...

A root WebShell all for you!

And last but not least

Oh, yeah, the admin password... I found a file where the username and the password are stored:

Super hard password

A couple of wild stored XSS also appeared... one of them with a really interesting exploitation path.

Check the next part of this mini-writeup to find out more!


If you read the whole annoying post, you may want to know the user/pass:

user: hsinchu-binos2 \\ pass: 33659498