I have got Comtrend VI-3223u router from my ISP. Unfortunaly they do not give you full access to this router. Recently I have discovered that with limited access you cannot do even simple things like configuring static IP address in DHCP or setting up parental control. If you are interested how to get full access for this router then this article is for you.
Before we start I assume that you have access to your router via http (the most common location is http://192.168.1.1) and you can login with user with limited rights. Let’s assume that login name is “user“ (it is in my case).
Investigating open ports
If you login with user via http then you can find that there is limit set of settings you can change. Let’s check other means to access the router:
$ nmap 192.168.1.1 Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-02 22:40 CET Nmap scan report for Comtrend. Home (192.168.1.1) Host is up (0.0037s latency). Not shown: 993 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 5431/tcp open park-agent
As you can see the router has a few interesting ports to check: ftp, ssh, telnet. Unfortunately I could not get anything useful neither from telnet nor ssh:
$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to comtrend.home. Escape character is '^]'. Connection closed by foreign host. $ ssh email@example.com ssh_exchange_identification: read: Connection reset by peer
I have not tried ftp. Maybe it has some holes?
Looking for hidden html content
Before I started to fiddle around with router I checked the Internet if there were any available exploits for this router. I could not find anything. The only thing I found was some hidden html pages. Hidden in the sense that there are no direct links to them from router web pages. These pages proved to be useful.
http://192.168.1.1/password.html allows to change user’s password. Unfortunately only if you know the current password. But it gave insights into different accounts on the router:
Access Control -- Passwords Access to your broadband router is controlled through three user accounts: ADMIN_ACCOUNT_1, ADMIN_ACCOUNT_2, and user. The user name "ADMIN_ACCOUNT_1" has unrestricted access to change and view configuration of your Broadband Router. The user name "ADMIN_ACCOUNT_2" is used to allow an ISP technician to access your Broadband Router for maintenance and to run diagnostics. The user name "user" can access the Broadband Router, view configuration settings and statistics, as well as, update the router's software.
Ok, so now we know that there are two more accounts (admin and support) with higher access rights than user. I tried many stanadard passwords like (admin, 12345, root) but it did not work.
The next interesting hidden html page is http://192.168.1.1/backupsettings.conf It collects all router settings (even those that you cannot see or modify using user account) and gives it to you as an xml file. It contains all information to setup internet connection. You can use them to setup own router instead of Comtrend VI-3223u provided by ISP. I almost decided to go this way. But then I noticed that this config file contains my user password (base64 encoded) to access the router:
<X_BROADCOM_COM_LoginCfg> <UserPassword>c29tZXBhc3N3b3JkaGVyZQo=</UserPassword> </X_BROADCOM_COM_LoginCfg>
It would have been convinient if it had AdminPassword and SupportPassword as well. What would happen if I add admin and support passwords to this config file and upload it back to the router. Luckily there is another hidden webage to upload config file to router http://192.168.1.1/updatesettings.html. Let’s modify config file and try to update router settings:
<X_BROADCOM_COM_LoginCfg> <AdminPassword>c29tZXBhc3N3b3JkaGVyZQo=</AdminPassword> <SupportPassword>c29tZXBhc3N3b3JkaGVyZQo=</SupportPassword> <UserPassword>c29tZXBhc3N3b3JkaGVyZQo=</UserPassword> </X_BROADCOM_COM_LoginCfg>
<AdminPassword notification="2">c29tZXBhc3N3b3JkaGVyZQo=</AdminPassword>as he describes it here.
For simplicity I used the same password as user‘s password for admin and support accounts. Go to http://192.168.1.1/updatesettings.html and update router setting using modified config file. Wait for it to come back.
Once the router comes back try login with ADMIN_ACCOUNT_1(you get admin account name from http://192.168.1.1/password.html) user name and user’s password. WOW, it works! I have got full right access to my router. Finally I could setup static DHCP addresses and parental control.
But can we go further? Who would not like shell access to his router?
Getting shell access
Using your admin account in the web client of the router navigate to Management > Access Control > Services. Put ssh and telnet into LAN+WAN access mode. Save settings and let’s try telnet again:
$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to comtrend.home. Escape character is '^]'. Broadband Router Login: ADMIN_ACCOUNT_1 Password: <known users password here> > help ? help reboot psp ps dns cat ... many more other commands
Wow, now telnet works. But unfortunately it does not have useful commands like ls, only cat. But even using cat we can get some interesting info:
> cat /etc/passwd ADMIN_ACCOUNT_1:hashed_password:0:0:Administrator:/:/bin/sh ADMIN_ACCOUNT_2:hashed_password:0:0:Technical Support:/:/bin/sh user:hashed_password:0:0:Normal User:/:/bin/sh nobody:hashed_password:0:0:nobody for ftp:/:/bin/sh
This is not really useful since we already know the admin’s password and even know how to change it. Let’s see if we can execute something outside of provided commands by telnet. Check if semicolon can help us:
> echo ; ls Warning: operator ; is not supported!
Bummer… But what about pipe?
> echo | ls bin dev lib mnt proc sys usr webs data etc linuxrc opt sbin tmp var
It works! You can run any availalbe shell command (ls, cp, rm, mkdir,… check bin directory to see more) using “pipe” trick.
Now you are only limited by your imagination. To make your investigations easier you can connect usb driveto the router
and cp everything to this drive:
echo | ls cp bin etc lib /mnt/usb1_1/.