Security Basics
Bypassing Netgear's router telnet lockout Jul 01 2013 11:12AM
Marcin R (kaktus9news gmail com)
Hello List,

I'm working on a project that involves customization of Netgear's
WNDR4500 router firmware, especially its busybox. This one specific
router was chosen because of extended flash and RAM capacity as
compared to some other routers.
The extended functionality that I have embedded into the busybox
requires telnet daemon access in order to parse protocol control.
Yes, I know that opening a telnet daemon is dangerous, but the telnet
link will be used in-house only.
What I wanted to do is to enable the "login" module in the busybox
configuration, and when I telnet locally to the router, let's say via "$ telnet",
to be presented with a telnet login/password prompt and then be
allowed busybox root access after successful auth.
Unfortunately, Netgear has implemented some sort of telnet lockout
protocol. Telnet is unresponsive until a specific packet is
transmitted; then telnet opens straight to root without any auth(!)
That course of action is unacceptable. If I just enable "login" via
the busybox config, the telnet lockout is still in place and sending the
control packet is still in place, and I'm locked out of the telnet.
What I want to do is to get rid of Netgear's "telnet lockout protocol"
altogether, enable "login" in the busybox config, and upon telneting be
presented with a login prompt [with credentials configurable beforehand
in a file to be embedded into the busybox config],
so I could do something like this:
>login: root
>password: ************
>Welcome to Busybox.....


I was fighting this problem for a while to no success; however, I
suspect that telnetd must be involved directly.
During my search for differences between the "stock" GPL Busybox 1.7.3
available on the net and "Netgear's busybox", I've encountered a custom
precompiled MIPS binary named "telnetenable" not present within the
original busybox.
As, thus far, I'm unable to foster a solution on my own, I'd greatly
appreciate some help.
In this email I've linked the following as attachments:
telnetenabled - the suspected MIPS binary
telnetenabled.idb - IDA Pro's [32 bit] DB on the above file
- a python script that sends the unlocking payload to
unmodified telnet [I used as ip Gearguy as user and
Geardog as pass while invoking]
busybox_telnetd.c - a telnetd source file taken from unmodified
busybox 1.7.3 downloaded from the busybox home page
netgear_telnetd.c - file taken from Netgear's busybox [located under
the files are accessible here

Thank You

Marcin Kowalczyk
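Added example, not part of the post above: an operator-side check for the end state the poster wants. It connects to a router's telnet port, reads whatever the service sends, and reports whether the port is silent (the lockout state described), presents a "login:" prompt (telnetd running /bin/login), or drops straight into a shell with no authentication. It assumes a BusyBox-style prompt, that `nc` is available and exits on the idle timeout, and that host, port and timeout are supplied by the caller; the sample banners in the comments are constructed.

```shell
#!/bin/sh
# classify_banner BANNER
#   locked  - nothing came back within the timeout (telnet "unresponsive")
#   login   - a "login:" prompt, i.e. telnetd hands the session to /bin/login
#   shell   - a shell prompt ("# " or "$ ") with no authentication at all
#   unknown - anything else (some other banner or protocol)
classify_banner() {
    banner=$1
    if [ -z "$banner" ]; then
        echo locked
    elif printf '%s' "$banner" | grep -qi 'login:'; then
        echo login
    elif printf '%s' "$banner" | grep -q '^.*[#$] *$'; then
        # a line that ends in a shell prompt, e.g. a constructed
        # "BusyBox v1.7.3 built-in shell (ash)" line followed by "# "
        echo shell
    else
        echo unknown
    fi
}

# probe_telnet HOST [PORT] [TIMEOUT]
# Sends a bare newline (so a shell waiting for input prints its prompt),
# collects output for TIMEOUT seconds and classifies it. Assumes nc with -w
# (idle timeout) semantics; the sleep keeps stdin open until the timeout.
probe_telnet() {
    host=$1; port=${2:-23}; timeout=${3:-3}
    banner=$( { printf '\r\n'; sleep "$timeout"; } \
              | nc -w "$timeout" "$host" "$port" 2>/dev/null | tr -d '\r')
    classify_banner "$banner"
}

# Expected use on the device under test (not run here): a hardened firmware
# should report "login"; "shell" means the port is open to anyone on the LAN.
# probe_telnet 192.0.2.1
```

Anything other than "login" on the rebuilt firmware means telnetd is not yet invoking the login module, or the original unlock path is still active.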





Copyright 2010, SecurityFocus