Security Basics mailing list archives
Bypassing Netgear's router telnet lockout
From: Marcin R <kaktus9news () gmail com>
Date: Mon, 1 Jul 2013 13:12:33 +0200
Hello List,

I'm working on a project that involves customization of Netgear's WNDR4500 router firmware, especially its BusyBox. This specific router was chosen because of its extended flash and RAM capacity as compared to some other routers. The extended functionality that I have embedded into the BusyBox requires telnet daemon access in order to parse protocol control commands. Yes, I know that opening a telnet daemon is dangerous, but the telnet link will be used in-house only.

What I wanted to do is to enable the "login" module in the BusyBox configuration, and when I telnet locally to the router, let's say to 192.168.1.1 via "$ telnet 192.168.1.1", to be presented with a telnet login/password prompt and then be allowed BusyBox root access after successful auth.

Unfortunately, Netgear has implemented some sort of telnet lockout protocol. Telnet is unresponsive until a specific packet is transmitted; then telnet opens straight to root without any auth(!). That course of action is unacceptable. If I just enable "login" via the BusyBox config, the telnet lockout is still in place and sending the control packet is still in place, and I'm locked out of telnet completely.

What I want to do is to get rid of Netgear's "telnet lockout protocol" altogether, enable "login" in the BusyBox config, and upon telneting be presented with a login prompt [with credentials configurable beforehand in a file to be embedded into the BusyBox config], so I could do something like this:

$ telnet 192.168.1.1
login: root
password: ************
Welcome to Busybox.....
#

I was fighting this problem for a while to no success; however, I suspect that telnetd must be involved directly. During my search for differences between the "stock" GPL BusyBox 1.7.3 available on the net and "Netgear's BusyBox", I've encountered a custom precompiled MIPS binary named "telnetenable" not present within the original BusyBox. As, thus far, I'm unable to foster a solution on my own, I'd greatly appreciate some help.

In this email I've linked the following as attachments:

- telnetenabled - the suspected MIPS binary
- telnetenabled.idb - IDA Pro's [32 bit] DB on the above file
- telnetenable.py - a Python script that sends the unlocking payload to the unmodified telnet [I used 192.168.1.1 as IP, Gearguy as user and Geardog as pass while invoking]
- busybox_telnetd.c - a telnetd source file taken from unmodified BusyBox 1.7.3 downloaded from the BusyBox home page
- netgear_telnetd.c - file taken from Netgear's BusyBox [located under SOURCE_ROOT/src/router/busybox-1.x.x/networking]

The files are accessible here: https://drive.google.com/folderview?id=0B1pRWCpcUXvASFN6eldpdlpTS0E&usp=sharing

Thank You
Marcin Kowalczyk
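The setup the post is after, a BusyBox telnetd that fronts every session with /bin/login instead of dropping straight into a root shell, as an added example that is not part of the original message or of Netgear's firmware. It assumes BusyBox's CONFIG_LOGIN / CONFIG_TELNETD / CONFIG_FEATURE_TELNETD_STANDALONE symbols and telnetd's -l, -p and -f options; the sample .config fragment, port and issue file are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): check that a BusyBox .config
# builds the applets needed for authenticated telnet access, and build the
# telnetd command line that runs /bin/login for each connection.
# Assumed: BusyBox CONFIG_* symbol names and telnetd's -l / -p / -f options.

# Print the CONFIG_* symbols that are missing or disabled in the given .config.
# Returns 0 when every required symbol is "=y", 1 otherwise.
check_busybox_config() {
    cfg="$1"
    missing=""
    for sym in CONFIG_LOGIN CONFIG_TELNETD CONFIG_FEATURE_TELNETD_STANDALONE; do
        grep -q "^${sym}=y$" "$cfg" || missing="$missing $sym"
    done
    [ -z "$missing" ] && return 0
    echo "disabled:$missing"
    return 1
}

# Build the telnetd invocation: -l makes telnetd exec /bin/login for each
# connection, so a shell is reached only after /etc/passwd authentication.
telnetd_cmd() {
    port="${1:-23}"
    echo "telnetd -p $port -l /bin/login -f /etc/issue.net"
}

# Constructed sample .config fragment (placeholder) for a quick self-check:
# telnetd is built, but the login applet is disabled.
tmp="${TMPDIR:-/tmp}/bb_config.$$"
cat > "$tmp" <<'EOF'
CONFIG_TELNETD=y
CONFIG_FEATURE_TELNETD_STANDALONE=y
# CONFIG_LOGIN is not set
EOF
check_busybox_config "$tmp" || echo "fix the config before building: telnetd must not reach root without login"
rm -f "$tmp"
```

With CONFIG_LOGIN disabled, telnetd -l /bin/login cannot work, so the config check is worth running before the firmware build rather than after flashing.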