[wplug] Hacking the Actiontec Dual PC Modem Router

William R. Lorenz wrl at express.org
Thu Aug 28 09:49:56 EDT 2003


While I didn't see much response on the OhioLinux post, I'm still excited
at the prospect of InterLUG sharing, and thought I'd pass along this nifty
post about hacking the Actiontec embedded Linux modem.  I'm wondering how
long it will take for the stores to clear out after people find out these
$50 modems run Linux, use embedded SOC stuff & TFTP/BOOTP loaders, and
include two analog modems and two standard Ethernet ports, as well! ;)

--          _ 
__ __ ___ _| | William R. Lorenz <wrl at express.org> 
\ V  V / '_| | http://www.clevelandlug.net/ ; "Every revolution was 
 \./\./|_| |_| first a thought in one man's mind." - Ralph Waldo Emerson 


---------- Forwarded message ----------
Date: Wed, 27 Aug 2003 00:57:48 -0400 (EDT)
From: Greg Boehnlein <damin at nacs.net>
Reply-To: talk at clevelandlug.net
To: linux at lists.nooss.org, talk at clevelandlug.net
Subject: [lugc-talk] Hacking the Actiontec Dual PC Modem Router

Hello,
	Last weekend, I went shopping at Microcenter to pick up a bunch of
really cheap stuff to help network my parents' 3 computers. Aside from the
$19 SMC 802.11b wireless cards and the $19 Belkin Wireless Access Point /
Router there are a TON of great deals available at the Mayfield
Microcenter. The Belkin 802.11b AP Router kicks ass! It's got a really
strong transmitter, supports PPPoE, has a great IDS / Firewall setup and
is a great piece of gear. If you have an ADSL modem and service through
N2Net (or another provider) this makes a GREAT router to network your home
systems together.
	In any case, my parents have no need for Broadband and couldn't
get it even if they wanted it, so I was hoping to find an Analog Modem
Router at Microcenter. In the old days, we used to use a device called a
Webramp from Ramp Technologies, but they went out of business so I needed
an alternative.
	As I was browsing around the analog modem aisle, I came across an
Actiontec Dual PC Modem. According to the box, this unit has 2 100 megabit
ethernet ports, a built in V.92 modem and provides DHCP and NAT
translation services to the LAN. For $50, it seemed like a good deal so I
picked it up. Check out the following info link: http://myturl.com/0009j
	When I got it home and plugged it in, the configuration was a
complete breeze. It took about 60 seconds to get it configured and
working, and another 60 seconds to realize that I hadn't checked the Dial
On Demand box in the Web based setup program. After that it worked like a
charm.
	Out of curiosity, I ran a port scan of the box from my Laptop and
came up with an active Telnet port. Figuring that this router probably has
an undocumented command line mode, allowing you to mess with it, I
connected to it. Here is what I saw:

Connected to 192.168.0.1
Escape character is '^]'.
uClinux login: 

Uhh.. this thing runs embedded Linux. That just kicks ass. That means that
if I can get access to it, I can bend it to my will and make it do
whatever I want. Unfortunately, the Web interface AND the telnet interface
are also available on the WAN side, and the Web interface doesn't require
any authentication, which means that anyone can access and CHANGE my
router's configuration. Evil, bad!

So I called Actiontec technical support to ask them if they had any way of
disabling the Web interface, and in the absence of that, if they could
provide me with a password to get into the router via Telnet. They weren't
much help, but they did escalate my call to their engineers, who weren't
much better, but DID say that they would be releasing an updated firmware
this evening and I might want to try that out.

Well, that was a start, but it did not solve my immediate problem and they
weren't able to get me the password. So I figured I'd try to hack it.
After several attempts, and no success I checked their website and found
their new firmware. I downloaded it, extracted it and noticed that the
firmware "update" process was nothing more than a TFTP upload of a kernel,
a boot loader and a rom based filesystem. The files were:

-rw-r--r--    1 root     root        58704 Aug 22 15:19 boot-ldr.bin
-rw-r--r--    1 root     root        73728 Aug 22 15:19 dpcm_upgrade.exe
-rw-r--r--    1 root     root       513655 Aug 22 15:19 linuz
-rw-r--r--    1 root     root      1362944 Aug 22 15:19 romdisk.img
-rw-r--r--    1 root     root           83 Aug 22 15:19 tftpupd1.ini
-rw-r--r--    1 root     root          114 Aug 22 15:19 tftpupd2.ini
-rw-r--r--    1 root     root            0 Aug 22 15:19 tiburon.rbt
-rw-r--r--    1 root     root           13 Aug 22 15:19 upgrade.ini
-rw-r--r--    1 root     root           18 Aug 22 15:19 ver.dat

Dissecting the tftpupd*.ini files yielded:

janine:~/ActionTec# cat *.ini
binary
put linuz linuz
put romdisk.img romdisk.img
put tiburon.rbt tiburon.rbt
binary
put boot-ldr.bin boot-ldr.bin
put linuz linuz
put romdisk.img romdisk.img
put tiburon.rbt tiburon.rbt
pid=tiburon

More on that later.. In the meantime, I ran a Nessus vulnerability
assessment against the box, and came up with the following warning for the
Webserver (It runs boa http://www.boa.org):

The following requests seem to allow the reading of sensitive files or
XSS. You should manually try them to see if anything bad happens :  
/cgi-bin/testcgi?AcTiOnNeXt=/etc/passwd

OK.. so not only can people on the net access the Web configuration
interface, the CGI's are written so sloppily that people can read any file
on the filesystem. This is really bad.

So I tried to hack around and see if I could get the cgi to execute
commands on the router without luck. I was able to see virtually
everything that I needed to see, specifically to verify that a /bin/sh
existed and that a root account was on the box.
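To make concrete what the Nessus finding above describes, here is an added example (Python, mine; not code from this post, from boa, or from Actiontec's CGI) that puts the unchecked pattern next to a hardened resolver for a "next page" parameter like AcTiOnNeXt. The document root and the files in it are constructed in a temporary directory, and the function names are my own.

```python
import os
import tempfile


def make_demo_docroot() -> str:
    """Constructed layout: <base>/htdocs is what the web server may serve;
    <base>/secret.txt and a symlink to it inside htdocs stand in for files that must stay hidden."""
    base = tempfile.mkdtemp(prefix="boa-demo-")
    htdocs = os.path.join(base, "htdocs")
    os.mkdir(htdocs)
    with open(os.path.join(htdocs, "index.html"), "w") as f:
        f.write("<h1>router setup</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("must not be served")
    # A symlink inside the docroot that points outside it: prefix checks on the
    # raw string miss this, which is why the resolver below uses realpath().
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(htdocs, "link"))
    return htdocs


def unsafe_serve(requested: str) -> bytes:
    """The pattern the Nessus finding implies: the parameter is used as a path as-is,
    so it can name any file the server process is allowed to read."""
    with open(requested, "rb") as f:
        return f.read()


def safe_resolve(docroot: str, requested: str) -> str:
    """Map the user-supplied value onto docroot and refuse anything that, after
    symlink resolution, lands outside it."""
    root = os.path.realpath(docroot)
    # Leading slashes are stripped: "/etc/passwd" means <docroot>/etc/passwd, never the real file.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} resolves outside the document root")
    return candidate


def serve(docroot: str, requested: str):
    """Return ('ok', data), ('denied', None) or ('missing', None)."""
    try:
        path = safe_resolve(docroot, requested)
    except (PermissionError, ValueError):   # ValueError: embedded NUL in the parameter
        return "denied", None
    try:
        with open(path, "rb") as f:
            return "ok", f.read()
    except (FileNotFoundError, IsADirectoryError, NotADirectoryError):
        return "missing", None


if __name__ == "__main__":
    doc = make_demo_docroot()
    for req in ("index.html", "/index.html", "../secret.txt", "link", "/etc/passwd"):
        status, data = serve(doc, req)
        print(f"{req:16s} -> {status} {data!r}")
```

The check runs on the decoded parameter, so it belongs after the CGI layer has undone URL encoding; doing it on the raw query string would let an encoded separator slip past. Mapping the value under the docroot (rather than rejecting absolute paths outright) keeps existing links working while making the real /etc/passwd unreachable.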

At this point, it was my mission to get root on this thing. ;) It had
moved past a simple security related issue to an obsession about getting
in and making it do my bidding. I've done a lot of work with embedded
Linux over the years, but this $50 piece of equipment with a built in
modem and two 100 meg ethernet ports held a LOT of possibilities!

I determined that the easiest way to get root on the box, in the absence
of having ActionTec provide me the password, was to get ahold of the
passwd and shadow files and run a brute force attack on it. I wasn't able
to access the shadow file via the CGI, so I started looking for
alternative ways to get the information. After all, I did have the kernel,
boot loader and the romdisk filesystem image, so I should be able to mount
it.

On a hunch, I tried mounting the filesystem using the romfs filesystem
driver in the Linux kernel. This was accomplished via:

mount -r -o loop -t romfs ./romdisk.img /mnt/romfs

Success!

janine:~/ActionTec# mount
/dev/hda3 on / type ext2 (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/root/ActionTec/romdisk.img on /mnt/romfs type romfs (ro,loop=/dev/loop0)

So now I had complete access to the filesystem, and I could look around at
how the thing booted, what commands were available.. But no shadow file
anywhere on the filesystem. OK, maybe they don't want anyone to log in at
all. The passwd file is extremely minimal:

root:x:0:0:root:/root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash

I spent some time looking around the filesystem and getting a handle on
how this thing works, and what it used. Basically, it boots the Linux
kernel, creates a RamDisk, copies some files to it, starts some services
(diald, dhcpd and the boa Webserver) and then just sits there. Here is the
startup script:

#!/bin/sh
# set up the hostname
/bin/hostname uClinux

# attach the interfaces
# adding the local loopback
/sbin/ifattach

# expand the ramdisk
echo Expanding the ramdisk     ...
/sbin/expand /etc/ramfs256.img /dev/ram0

# mount ramdisk, proc and nfs

echo Mounting ext2 file system ...
/bin/mount -text2 /dev/ram0 /var

echo Mounting proc file system ...
/bin/mount -tproc proc /proc

echo Building the read write directories
/bin/mkdir /var/tmp
/bin/mkdir /var/usr
/bin/mkdir /var/config
# create directories
echo "/bin/mkdir /var/ppp"
/bin/mkdir /var/ppp
echo "/bin/mkdir /var/config"
/bin/mkdir /var/config
/bin/mkdir /var/tftpboot

# copy files 
echo "/bin/cp  /etc/ppp.org/* /var/ppp"
/bin/cp  /etc/ppp.org/* /var/ppp
echo "/bin/cp  /etc/config.org/* /var/config"
/bin/cp  /etc/config.org/* /var/config
echo "/bin/cp  /etc/dhcpd.conf.org /var/dhcpd.conf"
/bin/cp  /etc/dhcpd.conf.org /var/dhcpd.conf
echo "/bin/cp  /etc/dhcpd.iplist.org /var/dhcpd.iplist"
/bin/cp  /etc/dhcpd.iplist.org /var/dhcpd.iplist
echo "/bin/cp  /etc/boa.conf.org /var/boa.conf"
/bin/cp  /etc/boa.conf.org /var/boa.conf
echo "/bin/cp  /etc/resolv.conf.org /var/resolv.conf"
/bin/cp  /etc/resolv.conf.org /var/resolv.conf

# read the config from flash
/htdocs/readconfig

# start services
/sbin/inetd &
/sbin/boa &
/htdocs/ledwatch &
/sbin/sled /dev/ttyS2 &
/sbin/telnetd &
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
exit 0

Note how simple and elegant this solution is! :) It rocks! But think about
the possibilities! You could add your own iptables rulesets, add
additional services... virtually anything you wanted!

So.. I started thinking.. how can I modify this filesystem to meet my
needs (increasing security)? Romfs filesystems are mounted read-only and
are generated using a utility called "genromfs" (apt-get install genromfs)  
so you need to copy them out, change them and re-generate the filesystem
image. No big deal at all.. Here is a snapshot of my history file:

517 mkdir newromfs <- Make a directory to put the new filesystem in
518 cd /mnt/romfs/ <- Change to the filesystem
519 find . | cpio -pudmv ~/newromfs/ <- Copy it out
520 vi /root/newromfs/etc/rc <- Edit the startup script
521 genromfs -d /root/newromfs/ -f /tmp/romdisk.img <- Make new romfs image
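An added example (Python, mine; not from this post and not genromfs) that covers both the mount step earlier and the rebuild steps just listed: it writes a small romfs image from a constructed directory tree and parses one back, checking the superblock checksum that the kernel's romfs driver enforces. This lets you list and pull files such as etc/passwd out of a romdisk.img, or sanity-check a regenerated image, without loop-mounting it as root. genromfs also emits "." and ".." entries and per-file checksums; the writer here omits them and the reader skips them, since the kernel only verifies the superblock.

```python
import struct

ROMFS_MAGIC = b"-rom1fs-"
TYPE_HARDLINK, TYPE_DIR, TYPE_FILE = 0, 1, 2

# Constructed tree for the demo: bytes = regular file, dict = subdirectory.
DEMO_TREE = {
    "etc": {
        "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "rc": b"#!/bin/sh\nexit 0\n",
    },
    "var": {},
}


def _pad16(field: bytes) -> bytes:
    """NUL-pad to a 16-byte boundary; every romfs name and data field is aligned this way."""
    return field + b"\0" * (-len(field) % 16)


def romfs_checksum(image: bytes) -> int:
    """Big-endian 32-bit word sum over the first 512 bytes, mod 2**32.
    The kernel's romfs driver refuses to mount unless this comes out to 0."""
    chunk = image[:512]
    chunk += b"\0" * (-len(chunk) % 4)
    return sum(struct.unpack(f">{len(chunk) // 4}I", chunk)) & 0xFFFFFFFF


def _emit(entries: dict, base: int) -> bytes:
    """Serialize one directory's entries starting at absolute image offset `base`
    ('next' and 'spec' are absolute offsets, so the writer must know where it is)."""
    out = b""
    items = list(entries.items())
    for i, (name, value) in enumerate(items):
        offset = base + len(out)
        name_field = _pad16(name.encode() + b"\0")
        if isinstance(value, dict):
            first_child = offset + 16 + len(name_field)
            body = _emit(value, first_child) if value else b""
            spec, size, ftype = (first_child if value else 0), 0, TYPE_DIR
        else:
            body = _pad16(value)
            spec, size, ftype = 0, len(value), TYPE_FILE
        next_off = 0 if i == len(items) - 1 else offset + 16 + len(name_field) + len(body)
        # Per-file checksum stays 0: genromfs fills it in, but the kernel never checks it.
        out += struct.pack(">IIII", next_off | ftype, spec, size, 0) + name_field + body
    return out


def build_romfs(volume: str, tree: dict) -> bytes:
    """Build a romfs image: magic, total size, checksum, padded volume name, then entries."""
    name_field = _pad16(volume.encode() + b"\0")
    body = _emit(tree, 16 + len(name_field))
    total = 16 + len(name_field) + len(body)
    draft = ROMFS_MAGIC + struct.pack(">II", total, 0) + name_field + body
    fixup = (-romfs_checksum(draft)) & 0xFFFFFFFF   # pick the checksum word so the sum is 0
    return ROMFS_MAGIC + struct.pack(">II", total, fixup) + name_field + body


def _walk(image: bytes, offset: int, prefix: str, out: dict, seen: set) -> None:
    while offset:
        if offset in seen or offset + 16 > len(image):   # crafted images must not loop us
            raise ValueError("corrupt entry chain at offset %d" % offset)
        seen.add(offset)
        nxt, spec, size, _csum = struct.unpack(">IIII", image[offset:offset + 16])
        ftype = nxt & 7                        # bits 0-2: type, bit 3: executable flag
        name_end = image.index(b"\0", offset + 16)
        name = image[offset + 16:name_end].decode()
        data_off = offset + 16 + len(_pad16(image[offset + 16:name_end] + b"\0"))
        if ftype == TYPE_DIR and name not in (".", ".."):   # genromfs emits those two
            _walk(image, spec, prefix + name + "/", out, seen)
        elif ftype == TYPE_FILE:
            out[prefix + name] = image[data_off:data_off + size]
        offset = nxt & ~0xF                    # 0 marks the last entry of this directory


def parse_romfs(image: bytes):
    """Validate magic, size and superblock checksum, then return (volume, {path: data})."""
    if image[:8] != ROMFS_MAGIC:
        raise ValueError("not a romfs image")
    (total,) = struct.unpack(">I", image[8:12])
    if total > len(image) or total < 16:
        raise ValueError("image is truncated")
    if romfs_checksum(image[:total]) != 0:
        raise ValueError("superblock checksum mismatch")
    name_end = image.index(b"\0", 16)
    volume = image[16:name_end].decode()
    files: dict = {}
    _walk(image, 16 + len(_pad16(image[16:name_end] + b"\0")), "", files, set())
    return volume, files


if __name__ == "__main__":
    vol, files = parse_romfs(build_romfs("demo", DEMO_TREE))
    print("volume:", vol)
    for path, data in files.items():
        print(f"{len(data):6d}  {path}")
```

Feeding a real romdisk.img to parse_romfs() gives you the same view of etc/passwd and etc/rc that the loop mount does; after editing and regenerating with genromfs, the same call is a cheap check that the new image still validates before it goes over TFTP to the router.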

For posterity, I added the following iptables rules to deny remote access:

/sbin/iptables -A INPUT -j REJECT -i ppp0 --protocol tcp --destination-port 80
/sbin/iptables -A INPUT -j REJECT -i ppp0 --protocol tcp --destination-port 23

Strangely enough, these are the same lines that were added to a later 
release of the firmware that night by Actiontec after I called their 
engineering team to tell them what I had done. ;)

Alright, so I have a modified romdisk.img file. Now I just need to do the 
upgrade. I renamed the original romdisk.img file and copied my modified 
version into the directory. Ran the upgrade program and waited for the box 
to reboot. It came back online without a problem, and as a bonus the Web 
and Telnet interfaces are no longer available to the public.

Meanwhile, back on #linux on irc.nooss.org, I was posting my progress, and 
Panix suggested that I should try the password "uClinux". So I did. And it 
worked. I got a shell on the router. Which is, of course, great and also 
sucks really bad. The telnet banner is the root password. Actually, I 
later found out that you can use ANY username with that password and get 
access. Bad bad bad.

Oh well.. now that I have complete control over the box, I can do whatever 
the hell I want with it, and if Actiontec won't fix problems or goes out 
of business (Cough* Cough* Webramp Cough* Cough*) I'll still be able to 
upgrade, change, modify and generally use this wonderful embedded Linux 
device. For $50, it is a HECK of a deal for anyone that wants to 
experiment with Embedded linux. It uses a 2.4 kernel running the uClinux 
(http://www.uclinux.org) distribution, so you have plenty of options!

Now I need to add port-forwarding and more intelligent iptables rules!

Comments?

-- 
    Vice President of N2Net, a New Age Consulting Service, Inc. Company
         http://www.n2net.net Where everything clicks into place!
                             KP-216-121-ST



