This commit is contained in:
Jan Wachsmuth 2023-12-30 16:16:30 +01:00 committed by GitHub
parent 58550c0a37
commit 0e169110cf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 1 deletions

View file

@ -7,7 +7,7 @@ A few years ago I bought an Arylic Up2Stream Amp audio device to play and stream
Another feature that I really miss is "WiFi disable". There is a function to hide the SSID, but there is no way to disable WiFi completely. For security reasons, but also to avoid additional devices sending on the 2,4GHz WiFi band I like to have such a feature. That was the starting point to dig deeper into these devices. It turned out that these devices have a Linux CLI with a SoC similar to older Internet routers. I tried to document and share my findings with others. Another feature that I really miss is "WiFi disable". There is a function to hide the SSID, but there is no way to disable WiFi completely. For security reasons, but also to avoid additional devices sending on the 2,4GHz WiFi band I like to have such a feature. That was the starting point to dig deeper into these devices. It turned out that these devices have a Linux CLI with a SoC similar to older Internet routers. I tried to document and share my findings with others.
## Enable telnetd ## Enable telnetd
To get started exploring these devices, a security vulnerability had to be exploited. The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020) that still had a vulnerability in their code: internally a "sprintf" function was used to prepare a Linux CLI commands. That function was using an IP address as an input, but the input could be extended with ";" and additional commands to download and install a telnetd. To get started exploring these devices, a security vulnerability had to be exploited to install a telnetd.
## Hardware Information ## Hardware Information

7
TELNETD.md Normal file
View file

@ -0,0 +1,7 @@
# Enable telnetd
To enable telnetd on these devices, a security vulnerability had to be exploited. The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020) that still had a vulnerability in their code: internally a "sprintf" function was used to prepare a Linux CLI commands. That function was using an IP address as an input, but the input could be extended with ";" and additional commands to download and install a telnetd.
The command that has this vulnerability is "**_getsyslog_**", see https://developer.arylic.com/httpapi/#get-system-log and https://labs.withsecure.com/advisories/linkplay-firmware-wanlan-remote-code-execution. The command has an option to add an IP address from a slave device, e.g. "getsyslog:ip:10.1.1.90", so a CLI command is executed on the device to retrieve the system log from the slave device that includes the IP address. Instead of just having an IP address as a parameter, that CLI command can also include a ";" and a second CLI command.
curl "http://10.1.1.52/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;ifconfig+ra0+down+>+/tmp/web/cmd.out+2>+/tmp/web/cmd.err;"