Showing posts with the label wireless

Cracking Linksys “Encryption”

Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads:

    Firmware 1.0.07 (Build 01) - Encrypts the configuration file.

Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use this access to reverse the new encryption algorithm used to secure their backup configuration files. Boy was I giving them way too much credit.

Here’s a diff of two backup configuration files from the WRT120N. The only change made between backups was that the administrator password was changed from “admin” in backup_config_1.bin to “aa” in backup_config_2.bin:

    OFFSET       backup_config_1.bin                    backup_config_2.bin
    ----------------------------------------------------------------------------------------
    0x00001468   9E 9B 92 96 91 FF FF FF |........|  /  9E 9E FF FF FF FF FF FF |........|

Two ...

Hacking WRT120N Home Router

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS’s administrative web interface employs HTTP Basic authentication:

    [Figure: 401 Unauthorized]

Most of the web pages require authentication, but there are a handful of URLs that are explicitly allowed to bypass authentication:

    bypass_file_list("/cgi-bin/login /images/ /login…");

    [Figure: Full list of bypass files]

Any request whose URL starts with one of these strings will be allowed without authentication, so they’re a good place to start hunting for bugs. Some of these pages don’t actually exist; others exist but their request handlers don’t do anything (NULL subroutines). However, the /cgi/tmUnBlock.cgi page does have a handler that processes some user data:

    [Figure: cgi_tmUnBlock function handler]

The interesting bit of code to...