In the previous article, we introduced various tools for unpacking router firmware in detail. After unpacking, you are left with the files contained in the firmware; the next step is to analyze those files to find vulnerabilities. The target of this analysis is a TRENDnet router, and the vulnerability analyzed grants remote access to the router's administrative credentials.
Preliminary analysis
From the router's login page we learn that the model is the TRENDnet TEW-654TR, which helps greatly in gathering information about the target. The official product description tells us some of its features: it supports three modes (router, wireless access point, and wireless access point client), supports NAT and a stateful packet inspection firewall to defend against attacks, and has a simple web interface with remote management support. The latest firmware version on the official website is v1.10b26; the version analyzed in this article is v1.10b12, which can be downloaded here. For convenience we skip gathering information with file and similar tools and run binwalk directly on the .bin file; it shows a fairly standard Linux-based file system.
Unpacking automatically with the Firmware Mod Kit succeeded on the first try:
After a successful unpack, the first thing to do is look at the configuration files and startup scripts in the etc directory.
No valuable configuration files were found, but there is a startup script named rcS in the rc.d directory.
rcS usually initializes services and the environment at boot, so it is worth a careful look.
The script is fairly simple: it first creates some directories, then starts the system manager and a TFTP server, and finally loads a kernel module. Let's take a look at the TFTP server.
Judging from the function names and some strings, it looks like a TFTP server that can be connected to directly. Let's try connecting.
Looking for sensitive information
The TFTP service is indeed running and accepts connections directly. The next step is to find out where sensitive information is stored. From the comments in the rcS file we know that the system manager program can load its configuration file from flash. If the system manager writes that configuration file to a temporary directory or a RAM disk, we can download the configuration file directly. So we look for the file paths used by the system manager:
Several files with a .db suffix caught my attention, and each of them also has a corresponding default backup file. Almost all routers can restore their default configuration, so they must store the default configuration somewhere; if these .db files are the router's configuration files, that makes sense. But which file stores the sensitive data such as passwords? You could of course download all three. Recall from the product information that this router supports three modes: router, access point, and access point client. The three .db files here appear to correspond to the configuration of those three modes. Since our test target has remote web management enabled, it should be in router mode, so download rt.db first.
It is a SQLite database. Let's take a look at the data.
The login password can be queried directly. Logging in with the password from the database succeeds.
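As an added example (not from the original article or from devttys0), the following Python script audits an unpacked firmware root for the two findings above: an rc.d startup script that launches a TFTP daemon, and .db files that are SQLite databases holding non-empty credential-like columns, which is the check you would run before shipping a firmware build. The rootfs layout, the etc/db location of rt.db, the column-name patterns and the sample rcS/rt.db contents are constructed assumptions.

```python
import os, re, sqlite3, tempfile

# Patterns for a TFTP daemon launch and for credential-like column names (assumptions).
TFTP_RE = re.compile(r'\b(in\.)?tftpd?\b')
CRED_RE = re.compile(r'pass|pwd|secret', re.IGNORECASE)

def startup_tftp_lines(rootfs):
    """(script, line) pairs under etc/rc.d that start a TFTP daemon (comments skipped)."""
    hits = []
    rcd = os.path.join(rootfs, 'etc', 'rc.d')
    if not os.path.isdir(rcd):
        return hits
    for name in sorted(os.listdir(rcd)):
        path = os.path.join(rcd, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors='replace') as f:
            for line in f:
                s = line.strip()
                if s and not s.startswith('#') and TFTP_RE.search(s):
                    hits.append((name, s))
    return hits

def plaintext_credentials(db_path):
    """(table, column, value) for every non-empty credential-like column in a SQLite file."""
    found, con = [], sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            for col in [c[1] for c in con.execute(f'PRAGMA table_info("{t}")')]:
                if CRED_RE.search(col):
                    for (v,) in con.execute(f'SELECT "{col}" FROM "{t}"'):
                        if v not in (None, ''):
                            found.append((t, col, str(v)))
    except sqlite3.DatabaseError:  # a .db that is not SQLite at all (e.g. Berkeley DB)
        return []
    finally:
        con.close()
    return found

def audit(rootfs):
    """Walk the unpacked root: flag TFTP startup lines and clear-text credentials in *.db files."""
    dbs = [os.path.join(d, f) for d, _, fs in os.walk(rootfs) for f in fs if f.endswith('.db')]
    return {'tftp': startup_tftp_lines(rootfs),
            'creds': {p: plaintext_credentials(p) for p in sorted(dbs)}}

def build_sample_rootfs():
    """Constructed fixture shaped like the article's findings; not the real TEW-654TR rootfs."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'etc', 'rc.d'))
    os.makedirs(os.path.join(root, 'etc', 'db'))  # hypothetical location of rt.db
    with open(os.path.join(root, 'etc', 'rc.d', 'rcS'), 'w') as f:
        f.write('#!/bin/sh\nmkdir -p /var/tmp\n# tftpd is started below\ntftpd -l /var/tmp &\n')
    con = sqlite3.connect(os.path.join(root, 'etc', 'db', 'rt.db'))
    con.execute('CREATE TABLE admin(name TEXT, password TEXT)')
    con.execute("INSERT INTO admin VALUES ('admin', 'sample-pass')")
    con.commit(); con.close()
    return root

if __name__ == '__main__':
    print(audit(build_sample_rootfs()))
```

Run it against a real unpacked root by calling audit() with the directory the Firmware Mod Kit produced; an empty 'tftp' list and empty 'creds' lists are the expected result for a fixed build.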
Through some simple analysis we have found a remotely exploitable vulnerability. Welcome to the world of embedded security ~ Admittedly, this vulnerability is somewhat underwhelming; more interesting vulnerabilities will follow in the next article.
In the latest firmware version, the manufacturer fixed this problem by simply disabling the TFTP server at boot.
*Reference source: devttys0; translation and arrangement: XD XD. When reprinting, please indicate that it is from FreeBuf hackers and geeks (freebuf.com)