Hi Folks,
I owned a D-Link DWR-921 HW:C3 running OpenWrt, but once it was no longer in use I decided to put the stock firmware back, and as a consequence I needed root console access. 😁
This device has probably been made by AMIT (Enabling Wireless M2M-IoT, amit.com.tw).
[!] Due to the impact it may have, credentials are hidden.
The FW image itself is basically standard, except for the squashfs header, which is in a non-standard format, so unpacking fails no matter which tool you use.
A hand-made analysis and a pretty easy swap of a header portion restored the structure. *Ask me in the comments below or on Twitter if you want to know more about that topic.*
My main goal was to get a console: telnet, ssh, or whatever.
Keep in mind: the /etc/passwd file has the login credentials for root with this hashed password:
root:$1$$N76hdwGfg11g0KdKbtyh21:0:0:root:/root:/bin/ash
A quick online search gives the corresponding plaintext password: amittima (the manufacturer's name palindromized: Amit Company).
Good to know, but not very useful at the moment, since there is no remote console available.
I started out with the belief that I had to find a controllable variable for a quick code injection; I would not have expected such a blatant backdoor nowadays.
A brief check of rcS to get an idea of how the boot process is structured, and a quick shot with Ghidra at the httpd and commander ELFs.
Among all the strings in httpd, "telnetd -b 0.0.0.0" was the most interesting one.
A picture speaks more than a thousand words.
[image: httpd]
Yes, a GET request to the URL http://ipmodem/atsq.txt triggers the system call which starts the telnetd process on all interfaces. Yeah, all interfaces, WAN included. {facepalm}
The telnet service is up and running, but the root/amittima pair won't let us log in.
In a few forums other users wrote that they were unable to log in as well.
The serial console is enabled by default on the router's serial header, so I took advantage of a USB-TTL interface to check the passwd file:
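From the defender's side, the only observable trace of this telnet-enabling request is an HTTP GET for /atsq.txt against the router's web interface. The following is an added example, not code from the original post: it scans web-proxy or IDS access-log lines in Common Log Format (the router's own httpd is not assumed to write such a log; the lines below are constructed) and flags every request for that path, rating hits from outside the LAN as high severity because the post notes telnetd is bound to all interfaces, WAN included. The LAN prefix and the log format are assumptions.

```python
"""Flag HTTP requests for /atsq.txt in Common Log Format access logs.

Added example for this post; the log lines are constructed, not captured
from a real device, and the LAN range is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Path that, per the post, makes the D-Link/AMIT httpd spawn "telnetd -b 0.0.0.0".
TELNET_ENABLE_PATH = "/atsq.txt"

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample lines: one harmless request, one LAN hit, two WAN hits
# (one with a query string, one with different case).
SAMPLE_LOG = """\
192.168.0.10 - - [12/Sep/2022:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1024
192.168.0.10 - - [12/Sep/2022:10:01:05 +0200] "GET /atsq.txt HTTP/1.1" 200 0
203.0.113.7 - - [12/Sep/2022:10:02:11 +0200] "GET /atsq.txt?x=1 HTTP/1.1" 200 0
203.0.113.7 - - [12/Sep/2022:10:02:12 +0200] "GET /ATSQ.TXT HTTP/1.0" 200 0
"""


def find_telnet_enable_requests(log_text, lan_network="192.168.0.0/24"):
    """Return one finding per request whose path is /atsq.txt.

    Matching ignores case and any query string, since neither changes which
    handler a lax embedded httpd is likely to hit. Requests from outside
    `lan_network` (assumed LAN range) are rated "high", LAN ones "medium".
    """
    lan = ipaddress.ip_network(lan_network)
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m is None:
            continue  # not CLF, skip rather than guess
        path = urlsplit(m.group("path")).path.lower()
        if path != TELNET_ENABLE_PATH:
            continue
        try:
            from_wan = ipaddress.ip_address(m.group("ip")) not in lan
        except ValueError:
            from_wan = True  # unparsable source: treat as untrusted
        findings.append({
            "src": m.group("ip"),
            "time": m.group("ts"),
            "path": m.group("path"),
            "severity": "high" if from_wan else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_telnet_enable_requests(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['src']} requested {f['path']}")
```

A hit from the LAN still matters: the post shows the request enables telnetd on every interface, so a single request from inside exposes the service on the WAN side until the next reboot.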
# cat /ram/etc/passwd
root:$1$$taSOMETHINGYOUHAVENOTTOKNOWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
The password must be overwritten by some process during boot.
The /sbin/commander ELF is the only one that contains "/etc/passwd" in its strings and has write access to that file.
[image: commander]
Router settings in the flash are managed by csman; the root password is read by csman and then hashed by a standard crypt(...) call.
The empty salt "$1$" was already confirmed in the passwd file.
rdcsman is the console application included in the firmware to read variables from the config mtd partition, which is structured in a way I want to ignore.
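The passwd dump above shows two weaknesses worth checking for on any embedded image: md5-crypt hashes with an empty salt ("$1$$"), and the same hash reused by several accounts (nobody and ftp), which with an empty salt means the same password. The script below is an added example, not part of the post or the vendor firmware; it parses /etc/passwd-style lines (the sample is built from the entries quoted above, including the author's placeholder root hash) and reports those conditions.

```python
"""Audit /etc/passwd-style entries for weak crypt(3) usage.

Added example for this post. SAMPLE_PASSWD is constructed from the entries
quoted in the post; the root hash is the author's placeholder, not a real one.
"""
import re
from collections import defaultdict

# crypt(3) modular format: $id$salt$hash (id 1 = md5-crypt, 5 = sha256, 6 = sha512)
MODULAR_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<salt>[^$]*)\$(?P<hash>[^$]*)$")

SAMPLE_PASSWD = """\
root:$1$$taSOMETHINGYOUHAVENOTTOKNOWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
"""


def parse_passwd(text):
    """Split passwd lines into the seven classic fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return (account, issue) pairs for each weakness found."""
    findings = []
    by_hash = defaultdict(list)
    for e in parse_passwd(text):
        pw = e["pw"]
        if pw in ("*", "!", "x"):   # locked or shadowed: nothing to audit here
            continue
        if pw == "":
            findings.append((e["name"], "empty password field"))
            continue
        m = MODULAR_RE.match(pw)
        if m is None:
            findings.append((e["name"], "non-modular or unrecognised hash format"))
        else:
            if m.group("id") == "1":
                findings.append((e["name"], "md5-crypt ($1$) is obsolete"))
            if m.group("salt") == "":
                findings.append((e["name"], "empty salt"))
        by_hash[pw].append(e["name"])
    # Identical hash strings (same salt, same digest) imply identical passwords.
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(names), "identical hash shared across accounts"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {issue}")
```

An empty salt defeats the purpose of salting: every device that ships the same vendor password carries the same hash string, so one lookup, as the author notes for "amittima", resolves it everywhere.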
# rdcsman 0x1 str
DLinkPassword
Put things together:
1) turn on the telnet: a GET request to routerip/atsq.txt (a browser is fine)
2) root credentials are: root/
And that's it, we're in!
[image: telnet]
But wait a sec... what if I search for RT305XL on Shodan? I hopefully expected zero results, but there are several of them.
Bonus:
D-Link DWR-925 telnet access --> root / DLinkPassword2
D-Link DWR-118 telnet access --> root / DLinkPassword
History:
12 Sep 2022: Vulnerability reported to D-Link
19 Sep 2022: No response, 2nd warning through email sent.
27 Sep 2022: D-Link has released a security bulletin. But they're not going to fix the backdoor.
Cheers!
RE-Solver