Digisol DG-HR3400 Backdoor

Opening the Digisol DG-HR3400 Backdoor


Welcome folks!!! All those who came in expecting a working backdoor, you have a reason to cheer.


It started when I spotted a new access point in the neighborhood that had WPS on by default, as almost all modern home routers do nowadays. After managing to authenticate with the default WPS PIN, I fired up Nmap to get a better idea of the host.

Nmap scan report

PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

MAC Address: 00:17:__:__:__:__ (Smartlink Network Systems Limited)


Nmap gave all that was needed about the host. The vendor information pointed to Smartlink Network Systems Limited, a leading networking company. The router belonged to the family of networking devices popularly known as Digisol, a subsidiary of Smartlink Network Systems Limited.

A Sneak-Peek At The DG-HR3400 Web Interface


The web interface on port 80 provided a login screen with the default username admin. A bit of googling for the default admin password, and a bit of luck, let me in as admin. The web interface gave a fairly elaborate idea of the target: the DG-HR3400, a popular and widely used router model branded as Digisol.
[Image: DG-HR3400 web interface]

[Image: web banner]

Knock-Knock!!! Anyone Backdoor? Telnet Here


Just when the novelty of admin-privileged web interaction had worn off, I tried to dig deeper by knocking on the previously discovered open telnet port with PuTTY.

[Image: admin telnet commands]


In search of a BusyBox-powered shell, I scrolled through the list of management commands. One that caught my attention was the cfgmib command. On issuing it with the all option, the PuTTY console was flooded with a considerable amount of configuration output formatted as XML-like name/value pairs.

[Image: cfgmib command options]


The get option of the cfgmib command could display selected config items. On issuing the 'cfgmib get USERNAME_PASSWORD' command, it displayed the usernames and passwords currently configured on the host.

[Image: cfgmib USERNAME_PASSWORD values]


Voila! The command returned the configured usernames, their respective passwords, a priority, and a third value called BACKDOOR. Interesting, huh?!!!

The admin account had a priority value of 0x02 and a backdoor value of 0x0.
The user account had a priority value of 0x0 and a backdoor value of 0x0 as well.

Now comes the interesting value.
Admin? Again?

The second occurrence of Admin had a priority value of 0x01 and a backdoor value of 0x01.

So did that mean the second admin account was valid as well? The only way to know was to give it a try.

[Image: admin backdoor telnet commands]


Success!!! We are authenticated. The second one works too. Then what's the difference? If we closely compare the list of commands available to the first admin account (priority 0x02) with the one with priority 0x01, the latter admin account has more commands at its disposal. Now the priority field makes sense, doesn't it? What about the user account? Well, it's just a minimal account with fewer privileges.

[Image: user telnet commands]


So what can we conclude? The admin account with priority 0x01 is not only valid, but also has more privileges than the normal admin account. And last but not least, it's a BACKDOOR :D. Well, the firmware authors themselves say so :P.
So far so good! But what about the backdoor account password? Is it hard-coded? To check this, I tried my luck with the same password on another device. But it failed!!! So the password is not hard-coded. What then could it be? Let us look at the values more closely.

[Image: backdoor password string]


Let us analyze the string. At first look it is just a sequence of alphanumeric characters. But if we look keenly, the first four characters are alphanumeric and the rest is plain text. Let's split the string into two parts: the first four alphanumeric characters as the first segment and the plain text as the second. Let's focus on the first segment for now. The first thing that comes to mind with alphanumeric characters is HEXADECIMAL NUMBERS. OK, so what? It could be any random hexadecimal number. Could it be a randomly generated string based on the hardware ID? To make sure I was on the right track, I fired up PuTTY once again to get some hardware information. The show command provided me with a list of options, of which the version option suited what I was looking for.

[Image: password derived from MAC address]


Do you all see what I see? No complex algorithms. No encryption. The first four characters of the password were the last four characters of the MAC address itself. Come on!!! It can't be that simple. Or can it be? But what about the plain text? Couldn't it just be static plain text? I decided to rely on my intuition and consider the second segment to be static. Trying was the only way to know for sure. I grabbed the MAC address of another router of the same model and gave it a try.

Voila!!! I was in the router with system privileges.

All You Need to Know About Digisol DG-HR3400 Backdoor


BACKDOOR PASSWORD = Last four characters of MAC ADDRESS + the static string (airocon)
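
For administrators who want to check their own device, the following is an added audit script (not code from the post or from Digisol) that ties together the two findings above: it parses a 'cfgmib get USERNAME_PASSWORD' dump, flags any account whose BACKDOOR field is non-zero, and flags any account whose password matches the derivation stated in the post (last four hex digits of the MAC address followed by the static string airocon). The tag names and line layout of the sample dump, the sample MAC address (only the 00:17 prefix comes from the post) and the sample passwords are constructed assumptions for this example; the real device prints XML-like name/value pairs whose exact format is not shown here, so the parser is written to pick up any <NAME>value</NAME> pairs on a line.

```python
import re

# Constructed sample of a 'cfgmib get USERNAME_PASSWORD' dump. The router prints
# XML-like name/value pairs; the tag names and one-entry-per-line layout used
# here are an assumption for this example, not the device's literal output.
SAMPLE_DUMP = """\
USERNAME_PASSWORD
<USERNAME>admin</USERNAME><PASSWORD>admin</PASSWORD><PRIORITY>0x02</PRIORITY><BACKDOOR>0x0</BACKDOOR>
<USERNAME>user</USERNAME><PASSWORD>user</PASSWORD><PRIORITY>0x0</PRIORITY><BACKDOOR>0x0</BACKDOOR>
<USERNAME>admin</USERNAME><PASSWORD>5F3Aairocon</PASSWORD><PRIORITY>0x01</PRIORITY><BACKDOOR>0x01</BACKDOOR>
"""

# Constructed sample MAC address; only the 00:17 prefix is taken from the post.
SAMPLE_MAC = "00:17:AB:CD:5F:3A"

# Static tail of the backdoor password, as stated in the post.
STATIC_SUFFIX = "airocon"

# One <NAME>value</NAME> pair; the backreference keeps open and close tags paired.
_PAIR = re.compile(r"<(\w+)>([^<]*)</\1>")


def parse_user_entries(dump):
    """Turn each line of name/value pairs into a dict; lines without USERNAME are skipped."""
    entries = []
    for line in dump.splitlines():
        fields = {name: value for name, value in _PAIR.findall(line)}
        if "USERNAME" in fields:
            entries.append(fields)
    return entries


def mac_tail(mac):
    """Last four hex digits of a MAC address, separators removed, lower-cased."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[-4:].lower()


def is_mac_derived_password(password, mac):
    """True when the password follows the pattern from the post: MAC tail + static suffix.

    The comparison is case-insensitive because the firmware's choice of hex
    digit case is not documented.
    """
    return password.lower() == mac_tail(mac) + STATIC_SUFFIX


def audit_accounts(dump, mac):
    """Return one finding per account that is flagged BACKDOOR or uses a MAC-derived password."""
    findings = []
    for entry in parse_user_entries(dump):
        reasons = []
        # BACKDOOR is printed as a hex literal such as 0x0 or 0x01.
        if int(entry.get("BACKDOOR", "0x0"), 16) != 0:
            reasons.append("BACKDOOR flag set")
        if is_mac_derived_password(entry.get("PASSWORD", ""), mac):
            reasons.append("password derived from MAC address")
        if reasons:
            findings.append({
                "username": entry["USERNAME"],
                "priority": entry.get("PRIORITY"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_DUMP, SAMPLE_MAC):
        print(f"{finding['username']} (priority {finding['priority']}): "
              + "; ".join(finding["reasons"]))
```

Run against the constructed sample, the script reports only the second admin entry (priority 0x01) with both reasons; the first admin and the user account pass. Paste a dump captured from your own router in place of SAMPLE_DUMP and the MAC reported by the show version command in place of SAMPLE_MAC to check a real device.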


That's all for now. Stay safe. Stay secure. :)

Comments

  1. Is there a way to get a real shell from here? With filesystem access?

  2. Haven't really gone forward and tried to gain a shell, to be honest. If your aim is to access the filesystem, you might want to look under the hood and reverse the firmware.
