I just swapped ISPs here in HK. For me that means my new ISP must pull in new fiber for their GPON service. This also comes with a new GPON converter.
In this case I was given an Alcatel-Lucent I-020-G. This unit comes with one fiber SC type connector and two gigabit Ethernet ports. I always like to know what's inside something or how it works, so I went and found the manual for the device and started reading through all 7MB of it.
I noticed that the default IP range for the device is 192.168.1.x/24. The manual also says the default user name is "root" and the default password is "admin". Clearly this device runs Linux and I want in.
Next up I grab a network cable, connect the GPON ONT to my laptop, set my laptop's IP address to, say, 192.168.1.14/24 and run nmap at the device. Hello hello, something replies, and look what is open:
```
# nmap 192.168.1.251

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-21 10:38 HKT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.251
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
22/tcp open     ssh
23/tcp filtered telnet
80/tcp open     http
MAC Address: xx:xx:xx:xx:xx:xx (Cambridge Industries(Group) Co.)

Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds
#
```
Both http and ssh seem open. Let's try ssh into the device. As expected, the ISP has not changed the default passwords. User names and passwords were found in the device's manual, i.e. the factory defaults. I can log into the web page of the device, however it's not very interesting.
Logged in as root:
From looking at the file system later on, I think there are different "views" the device can serve up, but I have no idea how that is set.
So off to try ssh, let's see what happens. Yep, the default user name gets me into a shell. Not sure what we can do, since I don't have a CLI manual.
```
ONT>
ONT> help
ONT>
```
OK, that's not very helpful. Let's be creative.
```
ONT> enable
#ONT>
#ONT> help
Description: CLI Root
+traffic    Service CLI menu
+system     System CLI menu
```
Help menus now work, and we have access to the device's status and configuration options.
Enable mode, gee, I wonder where they got that idea from. Under system I see lots of interesting things.
Let's first take a look into the "env" menu. If you want to dump the device's current configuration, and passwords in plain text, run the following command.
Very useful. Exit the "env" area by typing "exit".
Oh look, what comes next: a "shell" menu.
Let's enter the "shell" menu by typing "shell" at the "#ONT/system/" level.
```
#ONT/system/shell>uname -a
Linux (none) 184.108.40.206-cig-64 #14 Tue Jun 7 14:16:20 CST 2011 mips unknown
```
Yeah, it runs Linux, cool!
The "#ONT" prompt is somewhat annoying to use. Let's see if busybox is around.
```
#ONT/system/shell>busybox
BusyBox v1.9.2 (2010-09-20 15:25:16 CST) multi-call binary
Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, [[, arp, ash, basename, bunzip2, bzcat, bzip2, cal, cat, catv, chgrp,
        chmod, chown, cksum, comm, cp, cut, date, dd, df, dirname, dmesg,
        dos2unix, du, echo, egrep, env, expand, expr, false, fgrep, fold, free,
        ftpget, ftpput, grep, gunzip, gzip, halt, head, hostid, hostname, id,
        ifconfig, inetd, init, insmod, install, ip, ipaddr, ipcs, iplink,
        iproute, iprule, iptunnel, kill, killall, length, linuxrc, ln, logname,
        logread, ls, lsmod, md5sum, mkdir, mkfifo, mknod, mktemp, modprobe,
        mount, mountpoint, mv, netstat, nice, nohup, od, pidof, ping, poweroff,
        printenv, printf, ps, pwd, readlink, realpath, reboot, rm, rmdir, rmmod,
        route, seq, sh, sha1sum, sleep, split, stat, stty, sum, sync, sysctl,
        syslogd, tail, tar, tee, telnet, test, top, touch, tr, true, tty, udhcpc,
        umount, uname, unexpand, uniq, unix2dos, usleep, uudecode, uuencode,
        vconfig, vi, wget, zcat
```
Bingo, we have a busybox shell. As you can see, however, it's quite old and quite stripped down. This still won't get you out of the "#ONT" shell.
To get a real shell run:
```
#ONT/system/shell>sh

BusyBox v1.9.2 (2010-09-20 15:25:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
```
Let's take a look at the /etc/passwd file.
```
root:$1$$lIN11JVA8dIRivYzVSCAM1:0:0:root:/root:/bin/sh
ont:$1$0W32Tx87$1q2giRDPvyGZUYMn7YFqC/:500:500:Linux User,,,:/tmp/home/ont:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
postgres:*:31:32:postgres:/var/lib/postgres:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
operator:*:37:37:Operator:/var:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:*:101:65534::/var/run/sshd:/bin/false
telnetd:!:102:102::/nonexistent:/bin/false
```
OK, so from reading the manual we know the "ont" user has a password of "ont". Wow, much surprise. The ont user is pretty limited, let's ignore it. Hang on a moment, look at the root account: why is the shell "/bin/sh" when SSHing in as root shunts us to the "ONT" prompt? Something does not add up.
Let's grab a copy of the /etc/passwd file. At this point the quickest way to get it is to copy and paste from the shell to a text file on my laptop. Note that this device does not have an "/etc/shadow" file, thus the password hashes are stored in the world-readable passwd file. How very insecure, again.
Next up, let's run John the Ripper at the /etc/passwd file we just copied. I will just use the default word list, as I assume the vendor of the device is lazy.
```
$ ./john --wordlist=password.lst ont-passwd-file
Loaded 2 password hashes with 2 different salts (md5crypt [MD5 32/64 X2])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 100% 0g/s 6447p/s 6447c/s 6447C/s notused..sss
Session completed
```
```
$ ./john --show ont-passwd-file
root:111111:0:0:root:/root:/bin/sh

1 password hash cracked, 1 left
$
```
Good enough. There are only two accounts with passwords set, root and ont, and you can now see that the root account has a different password.
OK, so now we can see the root user has a password of "111111", how original. This, however, differs from the manual's "admin" password.
Next up, let's log in as the real root. Nope, denied. Dropbear must be doing something here to prevent the real root from logging in. Not sure what or how yet.
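To turn the observations above into something repeatable, here is a small passwd audit script. It is an added example (my own code, not from the original post or from the vendor): it parses a passwd dump and flags the weaknesses seen on this ONT, namely hashes stored directly in passwd because there is no shadow file, the fast md5crypt ($1$) scheme, an empty salt on root, and a uid 0 account with an interactive shell. The sample lines are constructed from the entries quoted above; the field layout is the standard seven-field passwd format.

```python
"""Audit an /etc/passwd dump for the weaknesses seen on the ONT.

Added example, not code from the original post. SAMPLE_PASSWD is a
constructed subset of the passwd entries quoted in the post.
"""
import re

# Constructed sample: a few lines in the shape of the ONT's /etc/passwd.
SAMPLE_PASSWD = """\
root:$1$$lIN11JVA8dIRivYzVSCAM1:0:0:root:/root:/bin/sh
ont:$1$0W32Tx87$1q2giRDPvyGZUYMn7YFqC/:500:500:Linux User,,,:/tmp/home/ont:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sshd:*:101:65534::/var/run/sshd:/bin/false
telnetd:!:102:102::/nonexistent:/bin/false
"""

# "x" means the hash lives in /etc/shadow; the others mean the account is locked.
LOCKED = {"*", "!", "!!", "x", ""}
# Modular crypt format: $<alg>$<salt>$<hash>
HASH_RE = re.compile(r"^\$(?P<alg>[^$]+)\$(?P<salt>[^$]*)\$(?P<hash>.+)$")
# md5crypt is a fixed 1000-round MD5 construction; cheap to brute force today.
WEAK_ALGS = {"1": "md5crypt"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Return a list of dicts, one per well-formed seven-field passwd line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its layout
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_entry(entry):
    """Return a list of finding strings for one passwd entry (empty if clean)."""
    findings = []
    pw = entry["pw"]
    if pw in LOCKED:
        return findings  # locked, or hash kept in /etc/shadow
    # Anything else in field two is the hash itself, readable by every user.
    findings.append("hash stored in /etc/passwd (no shadow)")
    m = HASH_RE.match(pw)
    if m is None:
        findings.append("legacy DES crypt or unrecognised hash format")
    else:
        if m.group("alg") in WEAK_ALGS:
            findings.append(f"weak hash algorithm ${m.group('alg')}$ ({WEAK_ALGS[m.group('alg')]})")
        if m.group("salt") == "":
            findings.append("empty salt")
    if entry["uid"] == 0 and entry["shell"] not in NOLOGIN_SHELLS:
        findings.append("uid 0 account with an interactive shell")
    return findings


def audit_passwd(text):
    """Map account name -> findings, for accounts with at least one finding."""
    report = {}
    for entry in parse_passwd(text):
        findings = audit_entry(entry)
        if findings:
            report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the full dump from the device, only root and ont are reported, and root picks up every finding in the list; the empty-salt warning is the direct reason a default word list finishes in under a second.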
For now that's not important. I want a copy of the root file system, and we can still get a root shell via "#ONT" anyway. Lucky for us, the vendor provides a "pure-ftpd" binary under "/bin/".
Let's run that "/bin/pure-ftpd". By default, pure-ftpd should read user/pass combos from /etc/passwd and /etc/shadow if present. Let's try logging in as the real root via FTP. Success, we can log in, but wait, we have been jailed to our home directory. Not much to see in /root/.
A small amount of security added to an overall insecure device. Yawn. I still want a copy of the root file system.
Simple, with the use of the "bind" mount option.
Enter the following in your root shell when logged in via SSH:
```
mount --bind / /root/
```
Now we have access to the root file system via our jailed home directory. It is now a simple matter of using your favorite FTP client and logging in as the real root to copy off the file system.
Do take note that we also have around 1MB of "read-write" space mounted as "/mnt/rwfs". This allows us to run our own binaries if we like.
Here are some details of the ONT.
```
cat /proc/cpuinfo
system type             : Broadlight Jasmine (BL2348 Evaluation) board
processor               : 0
cpu model               : MIPS 24K V7.12
BogoMIPS                : 297.98
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16
VCED exceptions         : not available
VCEI exceptions         : not available
```
```
cat /proc/meminfo
MemTotal:        43648 kB
MemFree:         19864 kB
Buffers:          4064 kB
Cached:           9788 kB
SwapCached:          0 kB
Active:           7608 kB
Inactive:        11064 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        4832 kB
Mapped:           5704 kB
Slab:             2296 kB
SReclaimable:      504 kB
SUnreclaim:       1792 kB
PageTables:        356 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     21824 kB
Committed_AS:     9596 kB
VmallocTotal:  1048404 kB
VmallocUsed:      2332 kB
VmallocChunk:  1045152 kB
```
File system:
```
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                   15504     15504         0 100% /
/dev/root                15504     15504         0 100% /
/dev/root                15504     15504         0 100% /dev/.static/dev
/dev/mtdblock1            1536       956       580  62% /mnt/rwdir
/dev/mtdblock2           15508     15508         0 100% /mnt/backupdir
/dev/root                15504     15504         0 100% /root
#
```
You can see from the above that the last line is my "bind" mount of / to /root.
Full dmesg log can be downloaded here.
This is just another reason why ISP supplied devices cannot be trusted. The device also supports iptables, so you could write some rules to help secure it. Just not 100% sure how to do that on the read only file system yet.
```
# iptables -V
iptables v1.3.8
#
```
From the original nmap scan we can see that telnet is blocked. Here are the iptables rules that take care of that. Oh no... it would seem the vendor left telnet open on eth1 and ppp1. Sigh.
```
#ONT/system/shell>iptables -vL
Chain INPUT (policy ACCEPT 1906 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp1   any     anywhere             anywhere             tcp dpt:telnet
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:telnet
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1098 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
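The reason telnet shows as filtered from the LAN port but is still reachable on eth1 and ppp1 is first-match evaluation: the two interface-specific ACCEPT rules sit above the catch-all DROP. The script below is an added example (my own code, not from the original post or the vendor) that parses `iptables -vL` listings and walks the INPUT chain the way the kernel does, so a config review can state per interface whether the telnet port is reachable. SAMPLE_RULES is the chain quoted above re-typed into iptables' normal column layout; HARDENED_RULES is a constructed variant with the two ACCEPT rules removed, to show the verdict every interface should get.

```python
"""Parse `iptables -vL` output and report which interfaces can reach a port.

Added example, not code from the original post. Interface names and the
hardened rule set are assumptions for illustration.
"""
import re

# The INPUT/FORWARD/OUTPUT listing quoted in the post, in iptables' column layout.
SAMPLE_RULES = """\
Chain INPUT (policy ACCEPT 1906 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp1   any     anywhere             anywhere             tcp dpt:telnet
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             tcp dpt:telnet
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1098 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed: the same INPUT chain with only the catch-all DROP left in place.
HARDENED_RULES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:telnet
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
DPT_RE = re.compile(r"\bdpt:(\S+)")


def parse_iptables(text):
    """Return {chain: {"policy": str, "rules": [rule, ...]}} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or the column header row
        dpt = DPT_RE.search(line)
        # Columns: pkts bytes target prot opt in out source destination [extras]
        current["rules"].append({
            "target": fields[2], "prot": fields[3], "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "dport": dpt.group(1) if dpt else None,
        })
    return chains


def verdict(chain, pkt):
    """First-match evaluation of one chain for a packet {in, prot, dport}."""
    for rule in chain["rules"]:
        if rule["in"] != "any" and rule["in"] != pkt["in"]:
            continue
        if rule["prot"] != "all" and rule["prot"] != pkt["prot"]:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
            continue
        return rule["target"]
    return chain["policy"]  # nothing matched, so the chain policy applies


def port_exposure(text, dport, interfaces=("eth0", "eth1", "ppp0", "ppp1")):
    """Map interface -> verdict for inbound TCP to dport on the INPUT chain."""
    chain = parse_iptables(text)["INPUT"]
    return {i: verdict(chain, {"in": i, "prot": "tcp", "dport": dport}) for i in interfaces}


if __name__ == "__main__":
    print("telnet, as shipped:", port_exposure(SAMPLE_RULES, "telnet"))
    print("telnet, hardened:  ", port_exposure(HARDENED_RULES, "telnet"))
    print("ssh, as shipped:   ", port_exposure(SAMPLE_RULES, "ssh"))
```

The interface list is an assumption; on the real unit the names come from `ifconfig`. Note that ssh falls through to the ACCEPT policy on every interface, which is why the root login works from the LAN side in the first place.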
As a side note, I cannot find the GPL source code on Alcatel-Lucent's web site. I have sent an email to the Software Freedom Conservancy to help raise awareness of possible GPL violations.
Lastly, since there were no security screws in the device, here are some PCB images.
I am pretty sure one of the pin headers would be a TTL serial output, since the kernel's boot cmdline has "console=ttyS0,115200n8".
I have root over SSH so there is not much point, unless we want to load our own firmware onto the device. Given I want my 1 Gigabit fiber connection, I won't bother with firmware hacking.