Friday, August 19, 2011

BSNL router hacking and possibility of running custom code over it

Hi all,


I am sorry I have been inactive due to my job, i actually got free this weekend and there we go, i was at home. ta home I am having BSNL connection, and for those who dont know what BSNL is, its the AT&T of India, bad service , too much blank spots and connections which flap/drop/disconnect like there is no tomorrow. Worst, I was on my android, trying to get the latest of cyanogen nightlies . I was frustrated by the services of BSNL. Hence I decided to mess with the router itself.


BSNL router on closer inspection is manufactured by SEMIndia and distributed by ITI. It follows the tracks of using firmware of different routers (Broadcom to be specific, BCM96338 stands for Broadcom router firmware version 96338, deployed in US robotics ones and some other popular routers). mine is DNA-A211-1 , one of most popular ones in India.






and then its just configured accordingly wrt ISP. This time, I left the network part, as i do it all the time in my office with Cisco, focused more on the router and firmware itself.




Warning :
I am not responsible for getting your router trashed, getting wings and trying to kill you. try on your own risk, I am not responsible for your stupidity.




I didn't had a PC (trashed due to burnt ram), so I have to do everything on my android, so pardon for small screen area, understand my plight. T-netted into Router
(PS : screencaps of android may be a bit distorted as shootme app was not working properly over nightly #120)








the first step was to know what was into it, so typed the usual help.






lots of commands :) ran swversion to get the version and see what was this upto.
With some hunting , i came to know that "sh" command runs over my router , ran it and voila, familiar interface of busybox snaps in.






great..now thats worth something. My android has it too :)) seeing the version made me tick , it was running an older version of busybox. For those who don't know hat busybox is, its a multicall binary. Tried ls, but it didnt worked, hence tried echo *, listed everything :)






bingo..tried cat /etc/passwd and there we go again.








after that, i thought why not to check what other directories have. got into CVS and got information regarding CVS and pserver, noteworthy one is the credentials of pserver






pserver:sunila@192.168.128.19:/home/cvsroot


not much of an interest as they are of a private LAN, googled to find it was configured by Sunil A, employee at SIEMIndia. Again,opened Repository






SemIndia/Engineering/Products/ADSL2Plus/Integ_Source/targets/fs.src


maybe a private repo at SIEM. neverthless..


moved on to /etc






lots of directories here..as a rule of thumb I opened default.cfg






Generic stuff, but what caught my eye was this


<ppp_conId1 userName="multiplay" password="bXVsdGlwbGF5"


This might come in handy (use your creativity :)) ) . But then I thought that why not to access the router from web interface. I did it.
Went to management and downloaded the backupsettings.conf file,








opened it and there we go,






I was not able to find the above credentials in it, hence I came to a conclusion that they must be somewhat of higher privilege level.
Moving on..I thought why not to try to create an arbitrary file . Tried
echo ‘rishrockz’ >> rdx


on every directory (I was not able to determine the file permissions as the version of busybox doesn’t has ls/stat ) Finally came to know that /var is writable. Tried creating a file there
echo ‘rishrockz’ >> rdx
file was created : )))))
and then
cat /var/rdx


: ))))
Congrats, you have run/done it :) )
Now I thought why not to upgrade busybox/upgrade firmware/upload scripts over the router, tried tftp


didn’t worked. Then I checked if the tftp daemon was running as a service, it was. yet somehow I was not able to run it. :(


Strange. I thought forget it (small screen keyboard and android research limitation -> frustration) . Well.. next time I will be thinking of going to compile programs (http://people.debian.org/~debacle/cross/) and copying over them using echo (once I get a PC) , I have got some nice ideas and will be deploying them .
In the mean time, for those who are wondering what this machine has, here is the bootup log.


  1. Observation 1 # - code can be run over the router , but files must be copied using echo (-ne with append option) or tftp. Since busybox is there, we can easily insert a kernel module to be run.
  2. Observation 2# - the webs directory has a lot of html files, maybe manipulated for xss attacks (i didnt covered it as its not my domain, some better guys can do it)
  3. Observation 3# - private CVS credentials of Siemindia pserver. insider attack ? :D kidding. pserver is already much insecure, but since i have seen a lot of organisations using stock/easily guessable passwords for their outer router/firewalls/vpn servers, its not a tough nut to crack.
  4. Observation 4# (most important) - BSNL SUCKS !




Till then .. Stay Gold


-
Rishabh Dangwal

No comments:

Post a Comment