7. Anatomy of a Hack
I'm always interested in customizing these boxes, so as I looked through the directories using the FTP interface, I kept an eye out for a place where I could get my own code to run such as a telnet or web server, or some additional program for customization purposes. But the directory structure appeared to be in a RAM disk and very well buttoned down with appropriate protections where only the "root" user had permission to write. I tried a few things, but got nowhere, so it was time to take a different approach.
Web applications are often the source of many security holes and any time user input is accepted, it's essential for programmers to validate such input. So while I was playing with the "Download" feature, I wondered if the URL I entered would be passed on without validation. In a Unix-like system, two commands can be executed on a single line in any number of ways. The simplest way is to separate two commands with a semicolon.
So if the URL I entered was passed on unmodified, all I would have to do is tack a new command onto the end of the URL separated with a semicolon, such as the Unix command:
;ps>/tmp/log
to the end of a bogus URL, making the final URL read as follows:
http://a/;ps>/tmp/log
If this worked when I submitted the URL, I would find a listing of all running processes in a file named log located in the /tmp directory. Fortunately, the Download form even has a handy Test button to permit URLs to be tested, so I could try different options without having to define a real download job.
So for my first attempt, I entered the URL above and hit the Test button. Then I FTP'ed into the box, went to the /tmp directory and Voila! I found a file named log. Even better, looking into the file revealed this line along with all of the other processes:
1609 root 396 S sh -c wget -T9 -t1 -V http://a/;ps>/tmp/log
This confirmed my guess that the command in the URL was passed directly to a command shell without modification. Even better, it ran with root privileges! Game over. I now "owned" this box and could do anything I wanted. To make life a bit easier, I verified I could run a custom script from the hard drive.
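The process listing above shows the whole pattern: the URL from the form is spliced into a single string and handed to `sh -c`, so a `;` in the URL ends the wget command and starts a second one. The following added example is not the TS-U200 firmware's code (the handler is reconstructed only from that one `sh -c wget -T9 -t1 -V <url>` line; all function names are hypothetical). It shows the vulnerable string-building side by side with two fixes a firmware developer would apply: quoting the URL if a shell must be used, and the better option of validating the URL and running wget from an argument list with no shell at all. Nothing is executed; the code only shows how a POSIX shell would tokenise each command line.

```python
"""Command-injection demonstration for the TS-U200 Download handler (added example,
hypothetical reconstruction; not the firmware's own code)."""
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs: an ordinary download URL and the injected URL from the review.
BENIGN_URL = "http://example.com/firmware/update.bin"
INJECTED_URL = "http://a/;ps>/tmp/log"


def build_shell_command(url):
    """Vulnerable pattern (reconstructed from the ps output): the user-supplied URL is
    concatenated into one string that the handler passes to `sh -c`."""
    return f"wget -T9 -t1 -V {url}"


def build_shell_command_quoted(url):
    """First fix, if a shell really must be used: shell-quote the URL so the shell
    sees it as one word, whatever characters it contains."""
    return f"wget -T9 -t1 -V {shlex.quote(url)}"


def commands_the_shell_would_run(cmdline):
    """Tokenise `cmdline` the way a POSIX shell would and split it at ';' so we can
    see how many separate commands the string really contains. punctuation_chars
    makes ';' and '>' stand-alone tokens instead of being glued to the URL."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";>|&")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_download_argv(url):
    """Second, preferred fix: validate the URL, then return an argv list to be run via
    execve()/subprocess.run(argv) with no shell, so the URL can only ever reach wget
    as a single argument. Raises ValueError on anything that is not a plain URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "ftp"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # Defence in depth: even with no shell involved, refuse whitespace and the
    # characters a shell treats as operators; none belong in a download URL.
    if any(ch in url for ch in ";|&`$<>\n\r \t'\"\\"):
        raise ValueError("URL contains shell metacharacters or whitespace")
    return ["wget", "-T9", "-t1", "-V", url]


if __name__ == "__main__":
    for label, cmdline in (
        ("vulnerable", build_shell_command(INJECTED_URL)),
        ("quoted", build_shell_command_quoted(INJECTED_URL)),
    ):
        print(f"{label:>10}: {cmdline!r}")
        for argv in commands_the_shell_would_run(cmdline):
            print("           would run:", argv)
    print("argv form:", build_download_argv(BENIGN_URL))
    try:
        build_download_argv(INJECTED_URL)
    except ValueError as err:
        print("argv form rejects injected URL:", err)
```

The vulnerable builder turns the injected URL into two commands (`wget ... http://a/` followed by `ps > /tmp/log`, exactly what the review found in /tmp/log), the quoted builder yields one wget command whose last argument is the whole odd-looking URL, and the argv builder refuses the input outright while passing the benign URL through unchanged. The argv route is the one to prefer: it removes the shell from the picture rather than trusting the escaping to be complete.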
Since my Linksys WRT54G is also a Linux-based MIPS box, I grabbed a web server from my WRT54G distribution, put the executable on the hard drive, and added commands to my script to start it up on port 8000. So when I executed my script from the Download page, I had a new, custom web server running on port 8000. At this point I was confident that given time, I could take the box as far as I wanted, adding an MP3 server, a database, and so forth.
NOTE! This vulnerability has been reported to TRENDnet, which is in the process of creating new firmware to close this security hole. However, the firmware available at the time of this review's posting (TSU200.1.86.0325.2005.zip) contains the security hole.