Firmware Inspection
This is the second of three mini-posts where I will write about some fun discoveries:
- 1/3: Dissecting a piñata router
- 2/3: Inspecting a router's firmware and reversing binaries to achieve RCE
- 3/3: Stored XSS via DHCP injection
While the router was still intact, I ran an Nmap scan against it. It found an open telnet service running behind port 2301 (naughty naughty), which presents a login prompt when opening a session to it.
But telnet has no login support by default... so it may be a modified version of telnet, or the system is using the `-l` flag on the telnet command to set a binary that will take care of the login.
During the firmware inspection, and by having a look at the file `rcS` contained in `etc_ro`, the login management software behind the scenes can be found:
So let's reverse it!
- CVE-2019-14919. Affected product/version: Billion Smart Energy Router SG600R2. Firmware v3.02.rc6
This is kinda embarrassing... Just by checking the strings in the binary, the "Login incorrect" message appears to be right next to the correct username and password. Straight away in clear text. Embedded into the source. Some awesome programming practices here.
Let's go step by step. Start by instructing radare2 to analyze the binary by issuing `aaaa` to perform an in-depth analysis.
Then, by having a look at the strings in the data sections (use `iz` in radare2 to get information about the strings in data sections), the "Login incorrect" string seems to be stored in the `.rodata` section at address `0x00400d44`.
By checking the cross-references the string has (use `axt 0x00400d44` to analyze xrefs to an address), it's kinda easy to find that it is used only in the login process:
So by navigating to that address (`s 0x400ad8` to seek to a specific address) and checking the graph view (`VV` to change to graph view), the whole login process becomes clear:
And yup, the login works.
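As an added example (not the author's code, and not anything taken from the router firmware), here is a small Python audit check that mirrors what the strings inspection above found: it extracts printable strings from a binary blob and flags credential-looking literals sitting next to login prompts or the "Login incorrect" message, so a firmware image can be screened for this defect before it ships. The sample bytes, marker list and "looks like a secret" heuristic are constructed assumptions, not values from the SG600R2 binary.

```python
import re
import string
from typing import Dict, List

# Strings that usually sit beside the authentication check in a login
# binary; the writeup found the real credentials stored right next to
# "Login incorrect" in the .rodata section. Assumed list, extend as needed.
LOGIN_MARKERS = ("login incorrect", "login:", "password:")
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Mimic `strings`: return runs of printable bytes of at least min_len."""
    found, run = [], bytearray()
    for b in blob + b"\x00":          # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def looks_like_secret(s: str) -> bool:
    """Heuristic for a credential-like literal: one token, no printf
    format specifier, 6..32 chars, with at least one digit or symbol."""
    s = s.strip()
    return (6 <= len(s) <= 32 and " " not in s and "%" not in s
            and re.search(r"[0-9_\-!@#$]", s) is not None)


def find_credential_candidates(blob: bytes, window: int = 3) -> Dict[str, List[str]]:
    """For every login marker found in the blob, list the neighbouring
    strings (within `window` entries) that look like hardcoded credentials."""
    strs = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for i, s in enumerate(strs):
        if not any(m in s.lower() for m in LOGIN_MARKERS):
            continue
        lo, hi = max(0, i - window), min(len(strs), i + window + 1)
        cands = [strs[j] for j in range(lo, hi) if j != i and looks_like_secret(strs[j])]
        if cands:
            hits[s] = cands
    return hits


# Constructed .rodata-like sample (NUL-separated), not bytes from real firmware.
SAMPLE_RODATA = b"\x00".join([
    b"usage: %s [-h]", b"login: ", b"Password: ", b"example-user1",
    b"Pa55-w0rd!", b"Login incorrect", b"/bin/sh", b"%s: permission denied",
])

if __name__ == "__main__":
    for marker, cands in find_credential_candidates(SAMPLE_RODATA).items():
        print(f"{marker!r}: {cands}")
```

Run it over a section dumped from the login binary (for instance the `.rodata` bytes) rather than the whole image to keep false positives low; any hit still needs a manual look at the cross-references, as done with `axt` above.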
- CVE-2019-14920. Affected product/version: Billion Smart Energy Router SG600R2. Firmware v3.02.rc6
When it rains, it pours!
While checking the file system, a really eye-catching name came up:
The other files are listed as part of the administration of the router, but not this one... there's no sign of it in the panels:
Feels like Christmas... Let's open it!
A hidden root webshell. All for me...
Oh, yeah, the admin password... I found a file where the username and the password are stored:
Also a couple of wild stored XSS appeared... One of them with a really interesting exploitation path.
Check out the next part of this mini-writeup to find out more!
If you read the whole annoying post you may want to know the user/pass:
user: hsinchu-binos2
pass: 33659498