Security Basics
Bypassing Netgear's router telnet lockout Jul 01 2013 11:12AM
Marcin R (kaktus9news gmail com)
Hello List,

I'm working on a project that involves customization of Netgear's
WNDR4500 router firmware, especially its busybox. This one specific
router was chosen because of its extended flash and RAM capacity as
compared to some other routers.
The extended functionality that I have embedded into the busybox
requires telnet daemon access in order to parse protocol control
commands.
Yes, I know that opening a telnet daemon is dangerous, but the telnet
link will be used in-house only.
What I wanted to do is to enable the "login" module in the busybox
configuration, and when I telnet locally to the router, let's say to
192.168.1.1 via "$ telnet 192.168.1.1",
to be presented with a telnet login/password prompt and then be
allowed busybox root access after successful auth.
Unfortunately, Netgear has implemented some sort of telnet lockout
protocol. Telnet is unresponsive until a specific packet is
transmitted; then telnet opens straight to root without any auth(!)
That course of action is unacceptable. If I just enable "login" via
the busybox config, the telnet lockout and the control-packet
requirement are still in place, and I'm locked out of the telnet
completely.
What I want to do is to get rid of Netgear's "telnet lockout protocol"
altogether, enable "login" in the busybox config, and upon telnetting be
presented with a login prompt [with credentials configurable beforehand
in a file to be embedded into the busybox config],
so I could do something like this:
$telnet 192.168.1.1
>login: root
>password: ************
>Welcome to Busybox.....

#

I was fighting this problem for a while with no success; however, I
suspect that telnetd must be involved directly.
During my search for differences between the "stock" GPL Busybox 1.7.3
available on the net and "Netgear's busybox", I've encountered a custom
precompiled MIPS binary named "telnetenable" not present within the
original busybox.
As, thus far, I'm unable to foster a solution on my own, I'd greatly
appreciate some help.
In this email I've linked the following as attachments:
telnetenabled - the suspected MIPS binary
telnetenabled.idb - IDA Pro's [32 bit] DB on the above file
telnetenable.py - a python script that sends the unlocking payload to
the unmodified telnet [I used 192.168.1.1 as IP, Gearguy as user and
Geardog as pass while invoking it]
busybox_telnetd.c - a telnetd source file taken from unmodified
busybox 1.7.3 downloaded from the busybox home page
netgear_telnetd.c - file taken from Netgear's busybox [located under
SOURCE_ROOT/src/router/busybox-1.x.x/networking]
The files are accessible here:
https://drive.google.com/folderview?id=0B1pRWCpcUXvASFN6eldpdlpTS0E&usp=sharing

Thank You

Marcin Kowalczyk
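
The plain BusyBox side of what the post asks for (login enabled in the
config, telnetd handing every session to /bin/login, root credentials
set beforehand in a file) staged into a rootfs directory before the
image is rebuilt. This is an added example and not code from the post,
from BusyBox or from the Netgear firmware; it does nothing about the
Netgear-specific unlock gate, which would still have to be removed from
the vendor source separately. The rootfs paths, the S50telnetd script
name, the config symbol list and the use of `openssl passwd -1` on the
build host are assumptions about a generic BusyBox target.

```shell
#!/bin/sh
# Added example: stage config symbols, root credentials and a telnetd
# start script for an authenticated BusyBox telnet login.  Paths, the
# init-script name and the openssl dependency are assumptions, not
# anything taken from the Netgear firmware.

# BusyBox .config lines to merge into .config before `make oldconfig`.
# SECURETTY is left unset because login would otherwise refuse root on
# a pts device that is not listed in /etc/securetty.
write_busybox_config_fragment() {   # $1 = output file
    cat > "$1" <<'EOF'
CONFIG_TELNETD=y
CONFIG_FEATURE_TELNETD_STANDALONE=y
CONFIG_LOGIN=y
CONFIG_FEATURE_SHADOWPASSWDS=y
# CONFIG_FEATURE_SECURETTY is not set
EOF
}

# MD5-crypt hash ($1$...) for the root password; BusyBox login checks it
# through crypt(3).  Assumes openssl is present on the build host.
make_root_hash() {   # $1 = clear-text password
    openssl passwd -1 "$1"
}

# /etc/passwd and /etc/shadow with a single root account; the hash lives
# in the shadow file, which is readable only by root on the device.
install_root_credentials() {   # $1 = rootfs dir, $2 = crypt hash
    mkdir -p "$1/etc" "$1/root"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
    printf 'root:%s:0:0:99999:7:::\n' "$2" > "$1/etc/shadow"
    chmod 600 "$1/etc/shadow"
}

# Start script: -l makes telnetd run /bin/login for each connection
# instead of spawning a shell directly, so a password prompt comes first.
write_telnetd_start_script() {   # $1 = rootfs dir
    mkdir -p "$1/etc/init.d"
    cat > "$1/etc/init.d/S50telnetd" <<'EOF'
#!/bin/sh
/usr/sbin/telnetd -l /bin/login -p 23
EOF
    chmod 755 "$1/etc/init.d/S50telnetd"
}

# Check before packing the image: reject a rootfs whose root shadow field
# is empty, locked or clear text, since an empty field would hand out an
# unauthenticated root shell just like the stock unlock behaviour.
verify_staging() {   # $1 = rootfs dir; returns 0 when the staging is sane
    [ -x "$1/etc/init.d/S50telnetd" ] || return 1
    grep -q '^root:x:0:0:' "$1/etc/passwd" || return 1
    _field=$(sed -n 's/^root:\([^:]*\):.*/\1/p' "$1/etc/shadow")
    case "$_field" in
        '$'*) return 0 ;;   # $1$, $5$, $6$ ... a real crypt hash
        *)    return 1 ;;   # empty, '*', '!' or clear text
    esac
}

# Whole procedure in one call.
stage_authenticated_telnet() {   # $1 = rootfs dir, $2 = root password, $3 = config fragment
    write_busybox_config_fragment "$3"
    install_root_credentials "$1" "$(make_root_hash "$2")"
    write_telnetd_start_script "$1"
    verify_staging "$1"
}
```

Typical use is `stage_authenticated_telnet ./rootfs 'some-password'
./telnet.config`, then merging the fragment into the BusyBox .config and
copying the staged etc/ tree into the firmware rootfs. The fragment adds
nothing that removes the vendor gate: if the Netgear telnetd still waits
for the unlock packet, the login prompt will never be reached, so that
modification has to be backed out of netgear_telnetd.c and the
telnetenable binary dropped from the startup scripts.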
