I just swapped ISPs here in HK. For me that means my new ISP must pull in new fiber for their GPON service. This also comes with a new GPON converter.

In this case I was given an Alcatel-Lucent I-020-G. This unit comes with one SC-type fiber connector and two gigabit Ethernet ports. I always like to know what's inside something or how it works, so I went and found the manual for the device and started reading through all 7MB of it.

I noticed that the default IP range for the device is 192.168.1.x/24. The manual also says the default user name is "root" and the default password is "admin"; clearly this device runs Linux and I want in.

Next up I grab a network cable, connect the GPON ONT to my laptop, set my laptop's IP address to, say, 192.168.1.14/24 and run nmap against the device. Hello hello, something replies, and look what is open:

# nmap 192.168.1.251

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-21 10:38 HKT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.251
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
22/tcp open     ssh
23/tcp filtered telnet
80/tcp open     http
MAC Address: xx:xx:xx:xx:xx:xx (Cambridge Industries(Group) Co.)

Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds
#

Both HTTP and SSH seem open. Let's try SSH into the device. As expected, the ISP has not changed the default passwords. User names and passwords were found in the device's manual, i.e. the factory defaults. I can log into the web page of the device, however it's not very interesting.

[Image: ONT web interface, logged in as root]

From looking at the file system later on, I think there are different "views" the device can serve up, but I have no idea how that is set.

So off to try SSH, let's see what happens. Yep, the default user name gets me into a shell. Not sure what we can do, since I don't have a CLI manual.

ONT>
ONT> help
ONT>

OK, that's not very helpful. Let's be creative.

ONT> enable
#ONT>
#ONT help
  Description: CLI Root
    +traffic             Service CLI menu
    +system              System CLI menu

Help menus now work, and we have access to the device's status and configuration options.

Enable mode; gee, I wonder where they got that idea from. Under "system" I see lots of interesting things.

Let's first take a look into the "env" menu. If you want to dump the device's current configuration, passwords in plain text included, run the following command.

#ONT/system/env>show cur

Very useful. Exit the "env" area by typing "exit".

Oh, look what comes next: a "shell" menu.

Let's enter the "shell" menu by typing "shell" at the "#ONT/system/" level.

#ONT/system/shell>uname -a
Linux (none) 2.6.21.7-cig-64 #14 Tue Jun 7 14:16:20 CST 2011 mips unknown

Yeah, it runs Linux, cool!

The "#ONT" prompt is somewhat annoying to use. Let's see if BusyBox is around...

#ONT/system/shell>busybox
BusyBox v1.9.2 (2010-09-20 15:25:16 CST) multi-call binary
Copyright (C) 1998-2007 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as!

Currently defined functions:
	[, [[, arp, ash, basename, bunzip2, bzcat, bzip2, cal,
	cat, catv, chgrp, chmod, chown, cksum, comm, cp, cut,
	date, dd, df, dirname, dmesg, dos2unix, du, echo, egrep,
	env, expand, expr, false, fgrep, fold, free, ftpget, ftpput,
	grep, gunzip, gzip, halt, head, hostid, hostname, id,
	ifconfig, inetd, init, insmod, install, ip, ipaddr, ipcs,
	iplink, iproute, iprule, iptunnel, kill, killall, length,
	linuxrc, ln, logname, logread, ls, lsmod, md5sum, mkdir,
	mkfifo, mknod, mktemp, modprobe, mount, mountpoint, mv,
	netstat, nice, nohup, od, pidof, ping, poweroff, printenv,
	printf, ps, pwd, readlink, realpath, reboot, rm, rmdir,
	rmmod, route, seq, sh, sha1sum, sleep, split, stat, stty,
	sum, sync, sysctl, syslogd, tail, tar, tee, telnet, test,
	top, touch, tr, true, tty, udhcpc, umount, uname, unexpand,
	uniq, unix2dos, usleep, uudecode, uuencode, vconfig, vi,
	wget, zcat

Bingo, we have a BusyBox shell; as you can see, however, it's quite old and quite stripped down. This still won't get you out of the "#ONT" shell.

To get a real shell, run:

#ONT/system/shell>sh

BusyBox v1.9.2 (2010-09-20 15:25:16 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Let's take a look at the /etc/passwd file.

root:$1$$lIN11JVA8dIRivYzVSCAM1:0:0:root:/root:/bin/sh
ont:$1$0W32Tx87$1q2giRDPvyGZUYMn7YFqC/:500:500:Linux User,,,:/tmp/home/ont:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
postgres:*:31:32:postgres:/var/lib/postgres:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
operator:*:37:37:Operator:/var:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:*:101:65534::/var/run/sshd:/bin/false
telnetd:!:102:102::/nonexistent:/bin/false

OK, so from reading the manual we know the "ont" user has a password of "ont", wow, much surprise. The ont user is pretty limited, let's ignore it. Hang on a moment, look at the root account: why is the shell "/bin/sh", but when we SSH in as root we get shunted to the "ONT" prompt? Something does not add up.

Let's grab a copy of the /etc/passwd file. At this point the quickest way to get it is to copy and paste from the shell to a text file on my laptop. Note that this device does not have an "/etc/shadow" file, thus the password hashes are stored in the passwd file itself. How very insecure, again.
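Before reaching for a cracker, the copied listing already tells a defender quite a bit. The script below is an added example (mine, not from this post or the vendor) that audits a passwd file for hashes kept in passwd instead of shadow, a uid 0 account with a crackable hash, the legacy md5crypt scheme, and an empty salt, which is exactly what the root entry above has ($1$$...). Its input is a constructed excerpt of the listing shown above.

```python
import re

# Constructed excerpt of the /etc/passwd listing shown on this page (hash values as printed).
PASSWD_SAMPLE = """\
root:$1$$lIN11JVA8dIRivYzVSCAM1:0:0:root:/root:/bin/sh
ont:$1$0W32Tx87$1q2giRDPvyGZUYMn7YFqC/:500:500:Linux User,,,:/tmp/home/ont:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sshd:*:101:65534::/var/run/sshd:/bin/false
telnetd:!:102:102::/nonexistent:/bin/false
"""

# Modular-crypt scheme ids a defender should treat as weak on a network device.
WEAK_SCHEMES = {"1": "md5crypt (legacy, fast to brute-force)"}


def audit_passwd(text):
    """Return (user, finding) pairs for every account that carries a usable hash in passwd."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = line.split(":", 6)
        if pw == "":
            findings.append((user, "empty password, no authentication needed"))
            continue
        if pw in ("*", "!", "x"):
            continue  # locked account, or the hash lives in /etc/shadow
        # No /etc/shadow on this device, so any hash here is readable by every local user.
        findings.append((user, "hash stored in /etc/passwd"))
        if uid == "0":
            findings.append((user, "uid 0 account with a crackable hash"))
        m = re.match(r"\$(\w+)\$([^$]*)\$", pw)
        if m:
            scheme, salt = m.group(1), m.group(2)
            if scheme in WEAK_SCHEMES:
                findings.append((user, "weak scheme " + WEAK_SCHEMES[scheme]))
            if salt == "":
                # $1$$...: empty salt, so equal passwords hash identically on every unit.
                findings.append((user, "empty salt"))
        elif len(pw) == 13:
            findings.append((user, "traditional DES crypt (56-bit)"))
    return findings
```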

Next up, let's run John the Ripper against the /etc/passwd file we just copied. I will just use the default word list, as I assume the vendor of the device is lazy.

$ ./john --wordlist=password.lst ont-passwd-file
Loaded 2 password hashes with 2 different salts (md5crypt [MD5 32/64 X2])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 100% 0g/s 6447p/s 6447c/s 6447C/s notused..sss
Session completed
$ ./john --show ont-passwd-file
root:111111:0:0:root:/root:/bin/sh

1 password hash cracked, 1 left
$

Good enough; there are only two accounts with passwords set, root and ont. You can now see that the root account has a different password.

OK, so now we can see the root user has a password of "111111", how original. This, however, differs from the manual's "admin" password.

Next up, let's log in as the real root. Nope, denied. Dropbear must be doing something here to prevent the real root from logging in. Not sure what or how yet.

For now that's not important; I want a copy of the root file system, and we can still get a root shell via "#ONT" anyway. Lucky for us, the vendor provides a "pure-ftpd" binary under "/bin/".

Let's run "/bin/pure-ftpd". By default, pure-ftpd should read user/password combos from /etc/passwd and /etc/shadow if present. Let's try to log in as the real root via FTP. Success, we can log in, but wait, we have been jailed to our home directory. Not much to see in /root/.

A small amount of security added to an overall insecure device... yawn. I still want a copy of the root file system.

Simple, with the use of the "bind" mount option.

Enter the following in your root shell when logged in via SSH.

mount --bind / /root/

Now we have access to the root file system via our jailed home directory. It is now a simple matter of using your favourite FTP client, logging in as the real root and copying off the file system.

Do take note that we also have around 1MB of "read-write" space mounted as "/mnt/rwfs". This allows us to run our own binaries if we like.

Here are some details of the ONT.

CPU:

cat /proc/cpuinfo
system type                : Broadlight Jasmine (BL2348 Evaluation) board
processor                  : 0
cpu model                  : MIPS 24K V7.12
BogoMIPS                   : 297.98
wait instruction           : yes
microsecond timers         : yes
tlb_entries                : 16
extra interrupt vector     : yes
hardware watchpoint        : yes
ASEs implemented           : mips16
VCED exceptions            : not available
VCEI exceptions            : not available

Memory :

cat /proc/meminfo
MemTotal:        43648 kB
MemFree:         19864 kB
Buffers:          4064 kB
Cached:           9788 kB
SwapCached:          0 kB
Active:           7608 kB
Inactive:        11064 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        4832 kB
Mapped:           5704 kB
Slab:             2296 kB
SReclaimable:      504 kB
SUnreclaim:       1792 kB
PageTables:        356 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     21824 kB
Committed_AS:     9596 kB
VmallocTotal:  1048404 kB
VmallocUsed:      2332 kB
VmallocChunk:  1045152 kB

File system :

# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                   15504     15504         0 100% /
/dev/root                15504     15504         0 100% /
/dev/root                15504     15504         0 100% /dev/.static/dev
/dev/mtdblock1            1536       956       580  62% /mnt/rwdir
/dev/mtdblock2           15508     15508         0 100% /mnt/backupdir
/dev/root                15504     15504         0 100% /root
#

You can see from the above that the last line is my "bind" mount of / to /root.

The full dmesg log can be downloaded here.

This is just another reason why ISP-supplied devices cannot be trusted. The device also supports iptables, so you could write some rules to help secure it. I'm just not 100% sure how to do that on the read-only file system yet.

iptables version:

# iptables -V
iptables v1.3.8
#

From the original nmap scan we can see that telnet is blocked. Here are the iptables rules that take care of that. Oh no... it would seem the vendor left telnet open on eth1 and ppp1. Sigh.

#ONT/system/shell>iptables -vL
Chain INPUT (policy ACCEPT 1906 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp1   any     anywhere             anywhere            tcp dpt:telnet
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:telnet
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:telnet

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1098 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
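The telnet hole above is easy to miss when a listing ends in a reassuring DROP. As an added example (my code, not from this post or the vendor), the script below parses `iptables -vL` output and reports every port that a blanket DROP appears to close but an earlier interface-specific ACCEPT still lets through; run over a constructed copy of the listing above, it returns telnet on ppp1 and eth1.

```python
import re

# Constructed copy of the `iptables -vL` output listed above.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT 1906 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp1   any     anywhere             anywhere            tcp dpt:telnet
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:telnet
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:telnet

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1098 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_chains(text):
    """Parse `iptables -vL` output into {chain: {"policy": ..., "rules": [...]}}, rule order kept."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue  # blank line or the column header
        dpt = re.search(r"dpt:(\S+)", " ".join(parts[9:]))  # match options follow column 9
        chains[current]["rules"].append({
            "target": parts[2], "prot": parts[3], "in": parts[5], "out": parts[6],
            "dport": dpt.group(1) if dpt else None,
        })
    return chains

def exposed_services(chains, chain="INPUT"):
    """Ports a blanket (in=any) DROP seems to close while an earlier interface-specific
    ACCEPT still matches first; returns {dport: [interfaces]}."""
    rules = chains[chain]["rules"]
    drop_at = {}  # first blanket DROP per destination port, by rule index
    for i, r in enumerate(rules):
        if r["target"] == "DROP" and r["in"] == "any" and r["dport"] not in drop_at:
            drop_at[r["dport"]] = i
    exposed = {}
    for i, r in enumerate(rules):
        if r["target"] == "ACCEPT" and r["in"] != "any" and i < drop_at.get(r["dport"], -1):
            exposed.setdefault(r["dport"], []).append(r["in"])
    return exposed
```

An empty result for a chain means every blanket DROP in it is really blanket; anything else is a per-interface exception worth explaining before trusting the scan.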

As a side note, I cannot find the GPL source code on Alcatel-Lucent's web site. I have sent an email to the Software Freedom Conservancy to help raise awareness of possible GPL violations.

Lastly, since there were no security screws in the device, here are some PCB images.

[Image: PCB top side]

[Image: PCB underside]

I am pretty sure one of the pin headers would be a TTL serial output, since the kernel's boot cmdline has "console=ttyS0,115200n8".

I have root over SSH, so there's not much point, unless we want to load our own firmware onto the device. Given I want my 1 gigabit fiber connection, I won't bother with firmware hacking.