Fully blown secret shell on the F@ST 4315U

Published on July 6th, 2016
by Dylanger Daly

Hey Guys,

Just a quick one, after opening the httpd up in IDA, we can see the following:
Screenshot from 2016-07-06 14-48-28

This function I’ve named unlock_cli_func echo’s 1 to /var/unlockcli

And is called when the save button is pressed on the accesscntr.html page however access is not granted on this page, we just see white.

That’s cool, but where’s my shell?

Cool indeed, unlockcli sounds pretty cool, but what can we do with it? Well!
So loading the file /lib/private/lib_cms_cli.so into IDA and pouring over some functions, we find cli_processHiddenCmd sounds, interesting right?

Screenshot from 2016-07-06 15-01-30

The first highlighted text is the command passed to the shell, fastsh interesting.. so this is the hidden in cli_processHiddenCmd this command allows you to get a full shell!
Its not all sunshine and daises as just running the command results in ‘Plesae input the shell password’ (Yes ‘Plesae’) being spat out. Lets take a closer look at the control flow of this function:

Screenshot from 2016-07-06 15-16-51

Lets name the function that spawns /bin/sh shell4u

What this flow shows us, is jump to shell4u if /var/unlockcli exists else ask for a ‘Shell Password’ (Call the access function, jump if the $v0 register is 0 / Jumps if the access function returned 0) So really, I think its just checking if the file exists, not what’s in it.

So the process is really quite simple,

  1. Use the command injection technique in the last post to echo 1 into /var/unlockcli (ping & echo 1 > /var/unlockcli)
  2. Enter UART mode
  3. Enter fastsh at the console and you’ll get dropped right into a full shell

 

Looking at refs to our /var/unlockcli we can actually see other functions that would be enabled if the file exists:

Screenshot from 2016-07-06 15-26-06

I would have a nice screenshot of the end result, however whilst trying to enable JTAG I shorted the wrong pins and bricked my device, please do be careful when soldering!

Also quick shout out to Revs Per Min from Whirlpool for helping me test other entries/methods to unlock this device!

I’ve ordered a new TP-Link Archer D7 AC1750 so stay tuned for more updates on that!

Dylanger Daly

If its Security, I'm there. I mainly work in the Security Research Field, most of my focus is Mobile Security, anything from the hardware to TrustZone to the Modem. Bypassing checks one NOP at a time.

You've reached the end!

back to top