Home page logo
/

basics logo Security Basics mailing list archives

Bypassing Netgear`s router telnet lockout
From: Marcin R <kaktus9news () gmail com>
Date: Mon, 1 Jul 2013 13:12:33 +0200

Hello List,

I`m working on a project that involves customization of Netgear`s
WNDR4500 router firmware, especially it`busybox. This one specific
router was chosen because of extended flash and ram capacity as
copared to some other routers.
The extended functionality that i have embedded into the busybox
requires telnet daemon access in order to parse protocol control
commands.
Yes i know that opening telnet daemon is dangerous, but the telnet
link will be used in-house only
what I wanted to do is to enable "login" module in busybox
configuration and when i telnet locally to router lets say to
192.168.1.1 via "$ telnet 192.168.1.1"
and  to be presented with telnet login/password prompt and then be
allowed busybox root access after successful auth.
Unfortunately,  Netgear has implemented some sort of telnet lockout
protocol. Telnet is unresponsive until a specific packet is
transmitted then telnet opens straight to root without any auth(!)
That course of action is unacceptable. If I just enable "login" via
busybox config - the telnet lockout is still in place and sending the
control packet is still in place and i`m locked out of the telnet
completely.
what i want to do is to get rid of netgear`s "telnet lockout protocol"
altogether, enable "login" in busybox config and upon telneting be
presented with login prompt [with credentials configurable beforehand
in a file to be embedded into busybox config
so i could do something like this
$telnet 192.168.1.1
login: root
password: ************
Welcome to Busybox.....

#

I was fighting this problem for a while to no success, however i
suspect that telnetd must be involved directly
during my search for difference between "stock" GPL Busybox 1.7.3
aval. on the net and "Netgear`s busybox"  i`ve encountered a custom
precompiled MIPS birany named "telnetenable" not present within
original buysbox
As, thus fat, i`m unable to foster a solution on my own i`d greatly
appreciate some help.
In this email i`ve linked the following as attachments:
telnetenabled - the suspected MIPS binary
telnetenabled.idb - IDA Pro`s [32 bit] DB on the above file
telnetenable.py - a python script that sends to unlocking payload to
unmodified telnet  [i used  192.168.1.1 as ip Gearguy as user and
Geardog as pass while invoking ]
busybox_telnetd.c - a telnetd source file taken from unmodified
busybox 1.7.3 downloaded from busybox home page
netgear_telnetd.c - file taken from netgear`s busybox [located under
SOURCE_ROOT/src/router/busybox-1.x.x/networking
the files are accessible here
https://drive.google.com/folderview?id=0B1pRWCpcUXvASFN6eldpdlpTS0E&usp=sharing

Thank You

Marcin Kowalczyk

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Bypassing Netgear`s router telnet lockout Marcin R (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault