General NAS-Central Forums

 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 7:23 pm 
Online

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6072
Unless a very dull password is used, bruteforcing is not the way.

You can:
  • Let your script put a public ssh key in /root/.ssh/authorized_keys
  • Let your script change the root password. This can be done by a sed operation, or maybe by something like chpasswd, if available:
    Code:
    echo root:<passwd> | chpasswd
  • Provide your own (statically linked) telnetd, which supports an alternate login. (Which you of course exchange by a shell)
  • Chroot your filesystem tree, to find out the command line params of the provided telnetd. Maybe it has another way to use an alternate login.
  • If the box contains netcat, you might be able to build a poor man's telnet server:
    Code:
    nc -l -e /bin/sh localhost 23

The NsaRescueAngel password is on other ZyXEL boxes a hash on the MAC address. Even if that is the case here it won't help, as its shell is /bin/su, so it will ask for the root password anyway. (Unless you can change the shell, but in that case you can also change the root password.)


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri May 31, 2013 11:43 pm 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
YES I'm in.

What I did was:
Change the pwd of NsaRescueAngel (this account is in the /etc/ssh/sshd.config, at the AllowUsers section).

echo "NsaRescueAngel:password" | chpasswd

Now I'm in as root. I see the file system is mounted as ro in the mtab; changed that also.

Now setting sshd to run without USB stick...

Thanks for your help.


Last edited by roeby on Sat Jun 01, 2013 4:49 pm, edited 1 time in total.
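
Added example, not part of the original post: a defender-side check for the situation described here, listing every account that sshd's AllowUsers admits together with its UID and login shell, so that a vendor rescue login such as NsaRescueAngel with /bin/su as its shell stands out. The function name, the list of ordinary shells and the file paths are assumptions for illustration, and the sample files (including the UIDs) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Lists each account that sshd's
# AllowUsers admits, with its UID and login shell, and flags odd ones.

audit_allowusers() {
    # $1 = sshd config file, $2 = passwd file (e.g. from an unpacked rootfs)
    awk -F: '
        FILENAME == ARGV[1] {              # pass 1: the sshd config
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, w, /[ \t]+/)
            if (tolower(w[1]) == "allowusers")
                for (i = 2; i <= n; i++) {
                    u = w[i]; sub(/@.*/, "", u)   # USER@HOST -> USER
                    if (u != "") allowed[u] = 1
                }
            next
        }
        ($1 in allowed) {                  # pass 2: name:pw:uid:gid:gecos:home:shell
            seen[$1] = 1
            flag = ""
            if ($3 == 0) flag = flag " uid0"
            if ($7 !~ /\/(sh|ash|bash|dash|ksh|zsh)$/) flag = flag " odd-shell"
            printf "%s uid=%s shell=%s%s\n", $1, $3, $7, (flag == "" ? " ok" : flag)
        }
        END {
            for (u in allowed)
                if (!(u in seen)) printf "%s not-in-passwd\n", u
        }
    ' "$1" "$2"
}

demo() {
    # Constructed sample files; UIDs and the extra accounts are made up.
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed' 'Port 22' \
        'AllowUsers admin NsaRescueAngel ghost@192.0.2.*' > "$d/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'admin:x:500:500::/home/admin:/bin/bash' \
        'NsaRescueAngel:x:501:501::/:/bin/su' > "$d/passwd"
    audit_allowusers "$d/sshd_config" "$d/passwd"
    rm -rf "$d"
}

demo
```

An account reported as odd-shell or uid0 is one to review before the box is reachable from an untrusted network; not-in-passwd also covers AllowUsers wildcard patterns, which this check does not expand.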

 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sat Jun 01, 2013 7:00 am 
Online

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6072
Congratulations!

roeby wrote:
I see the file system is mounted as ro in the mtab changed that also..
Be careful with that. I suppose the filesystem is on flash, and not intended to be rw. Some unwanted logfile or something like that could easily kill your flash in a few weeks/months.
You'd better intercept init, and do a switch_root to a harddisk or a USB stick if you want a rw filesystem.


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sun Jun 02, 2013 7:46 pm 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
I'm trying to go for kexec. However the pkg's I find are not for glibc 2.2, which is the version that the NSA-2400 has installed. I'm now trying the tools from opensource.zyxel.com; don't know if these are useful?


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Mon Jun 03, 2013 8:03 am 
Online

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6072
roeby wrote:
I'm now trying the tools from opensource.zyxel.com; don't know if these are useful?
I don't know all devices there, but I think it contains only toolchains for Arm, PPC and Mips. Not x86.

But you don't need to compile it. You can simply chroot a working kexec/glibc combination.

You are aware that kexec needs kernel support?


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Mon Jun 03, 2013 8:55 am 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
I just saw the tools are not very useful. Maybe I can change the BIOS setting to let it boot from USB. Or take a bootloader (like boot linus from linux) to make it boot from another HDD. Multiple options I have to think about. I'm quite happy I can login as root and do much more than via the web admin. I'm also trying to use the IDE connector with an IDE HDD and CDROM. But it doesn't seem to work (be hacked out of the kernel, haven't checked yet). Problem is that all the stuff from this linux version is now not to be found (as it is 7 yrs. old I guess).
I just keep on posting my findings as they might be useful for others that have a NSA-2400.


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Mon Jun 03, 2013 9:22 am 
Online

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6072
I know the NSA2400 is EOS, but it won't hurt to just ask ZyXEL for the GPL sources. I have asked for the sources for several devices, so far, and always got it.


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed Jun 05, 2013 9:06 am 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Short update:

I can now extract the *.fwp files. Because I've got the routine for that:

#!/bin/bash
# bash is required: the script uses "local" and ${var:offset:length}

# firmware upgrade file to unpack
FWP="/tmp/100AFA1C0.fwp"

# security through obscurity
# $4 = build number, $5 = archive checksum as 32 hex digits
key_lookup ()
{
local KEYSTR="fuchsia"
# the last digit of the build number selects one hex digit of the checksum;
# the value of that digit (0-15) is the offset of the 8 characters used as pad
local KEYPAD=${5:$(printf "\x${5:$(printf ${4:(-1)}):1}" | od -t u1 | head -n 1 | tr -s ' ' | cut -d ' ' -f 2):8}
echo "${KEYSTR}${KEYPAD}"
}


# determine firmware version of firmware upgrade file
# Version Format: a.b.c-d.e (Ex. 0.1.0-5.46)
# $MAJ_VERSION = a
# $MIN_VERSION = b
# $REL_VERSION = c
# $BUILD_NUM = d
# (Ignore e now)
FW_VERSION=$(dd if="${FWP}" skip=32 bs=1 count=16 2>/dev/null)
MAJ_VERSION="${FW_VERSION%%.*}" # a
MIN_VERSION="${FW_VERSION#*.}" # b.c-d.e
MIN_VERSION="${MIN_VERSION%%.*}" # b
#REL_VERSION="${FW_VERSION##*.}"
#REL_VERSION="${REL_VERSION%%-*}"
#BUILD_NUM="${FW_VERSION##*-}"
REL_VERSION="${FW_VERSION%-*}" # a.b.c
REL_VERSION="${REL_VERSION##*.}" # c
BUILD_NUM="${FW_VERSION##*-}" # d.e
BUILD_NUM="${BUILD_NUM%%.*}" # d

# retrieve archive checksum (16 bytes at offset 48, as hex) and compute key
MD5SUM="$(dd if="${FWP}" skip=48 bs=1 count=16 2>/dev/null | od -t x1 | head -n 1 | tr -s ' ' | cut -d ' ' -f 2-17 | tr -d ' ')"
KEY=$(key_lookup "${MAJ_VERSION}" "${MIN_VERSION}" "${REL_VERSION}" "${BUILD_NUM}" "${MD5SUM}")
echo "dont tell but the key is $KEY"

# retrieve firmware upgrade package (payload starts after the 128-byte header)
dd if="${FWP}" skip=1 bs=128 2>/dev/null | openssl bf-cbc -d -pass "pass:${KEY}" -salt -out "/tmp/fwpackage.tgz" 2>/dev/null


exit 0
**********
You see it's (the passkey for the salted payload) got a fuchsiaxxxxx.

Looking in the extracted *.fwp files and the setup.sh I now know how the actual upgrade works. However the idea to set the BIOS to a lower level that has boot from USB enabled can be executed because I'm missing the BIOS files in every and each firmware file.

Now:
The Ram drive is the device /dev/hdc containing 3 partitions, the first being a MSDOS part made bootable with syslinux; the syslinux.conf file sets the boot parameters. Don't know what the RAM drive actually is (maybe also a USB/CF card built in or so)?

Now I'm a bit scared to change that. Because I have no alternative to boot from and don't know whether I can reset the RAM drive to some factory default.

So second option, change the boot option:
I've connected a USB keyboard and with the SHIFT key can enter the BOOT: prompt of the SYSLINUX. At least I think it is.

I've put my initrd.img and kernel in the /dev/hdc1 partition of the RAM disk.

In the blind I'm now trying to boot from the new files.

With the command: bzimage2 root=/dev/sde1 ro initrd=initrd2.img

Not yet successful, but only tried once then it was 1:00AM

If this fails I'm going to try the BIOS setting.

I know the BIOS is phoenix technologies, ltd version: 6.00 pg, because the dmidecode command told me so...

Now probably with F12 or so with the USB keyboard I can set the BIOS (but it can only be done in the blind).
Looks quite difficult (as I don't know the screens) but if I mess up it's easy to reset the BIOS values (reset switch on the mainboard)

Also looking for a VGA connection. If I have visual in the BIOS I'm king. But I need a mainboard layout print for that I guess. Don't know if zyxel will hand them over.

So far....
.R.


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Wed Jun 05, 2013 7:46 pm 
Online

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6072
roeby wrote:
I can now extract the *.fwp files. Because I've got the routine for that:
Good catch! I confirm it works.
Quote:
The Ram drive is the device /dev/hdc containing 3 partitions, the first being a MSDOS part made bootable with syslinux; the syslinux.conf file sets the boot parameters. Don't know what the RAM drive actually is (maybe also a USB/CF card built in or so)?
Ram drive is a wrong name here, as Ram is volatile. It's a flash drive.
I think it's connected through the IDE bus, seeing its name (hdc, master on second IDE chain). So that could be a CF card, or a disk on module. A USB device would have been sdx, I think.

If you can find the first IDE port, and connect a bootable disk to it, the box might boot from it. Another option is a (USB) floppy drive. According to the strings in the bios it's supported. But of course I don't know how the boot sequence in the bios is.
You could also try a bootable sata disk, but I don't think the bios supports it. No trace of it in bios strings, while I can find IDE. I think it's only handled by the Linux kernel.

Can you post a good photo of the motherboard? (You can put it directly in the wiki, if you like)


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sat Jun 08, 2013 12:02 pm 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
Hi there,

I've set the bios param "Boot other Device" to 'enable' with modbin6xx.exe to enable booting from USB, flashed it with flash_rom, pressed [ESC] at boot time, typed [DOWN ARROW] 5 times (this is because it is then on the last entry of the boot menu, which is EXIT), then typed [UP ARROW], and [ENTER]. There's no display so believe me it's true (;->) I've more PC's and laptops and they have Phoenix Award bios (the name says Phoenix, but it's more Award. So take the Award bios tooling as they will read *.BIN files, Phoenix uses basically always *.ROM type files).

...long story short...
And it boots from the USB HDD (;->).

There was a risk at flashing the bios of course but I just took it (it was already 2:30 AM so I was tired).

Now I'm installing a new server linux install on a USB disk. I don't need to buy a mini-pci VGA card (that was also an option as there is a mini-pci connector on the mainboard. I think this was meant to make the NSA-2400 WiFi enabled. I installed a WiFi card and the NSA booted so I think you can also put in a Mini-PCI VGA card e.g. from an old laptop price appr. 30-50 EURO.)

So I think we can say now the NSA-2400 can be "jailbreaked to the full extent".

Keep everyone posted with the findings, as I think no one has ever posted them before for the NSA-2400.

Now having it open really adds a lot more value as you can run everything on it. I'm trying a recorder for DVI and stuff, really cool.

And I don't know why these Zyxel people made it so difficult. Why not give the buyer an option (for the pros only and with NO warranty) to open the system really easily?


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Fri Jul 12, 2013 9:30 pm 
Offline

Joined: Thu Mar 01, 2012 1:07 pm
Posts: 5
Hey there,

I've just recently got an NSA-2400 and would be curious to know if you could put a little guide together on how you managed to SSH in with root access. I've read your posts but unfortunately I'm not sure how to replicate your results.


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sat Jul 13, 2013 12:18 pm 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
panicacid wrote:
Hey there,

I've just recently got an NSA-2400 and would be curious to know if you could put a little guide together on how you managed to SSH in with root access. I've read your posts but unfortunately I'm not sure how to replicate your results.


Best thing is to make the VGA connector or buy one; then you have a console with everything, and you can then alter the BIOS settings and reinstall another Linux distro on it.

Or create the USB stick.

First step is to make the mke2fs USB stick and make a link to the root file system on it.

But don't try it unless you know what you're doing. ;)


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sun Jul 14, 2013 9:09 am 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
roeby wrote:
panicacid wrote:
Hey there,

I've just recently got an NSA-2400 and would be curious to know if you could put a little guide together on how you managed to SSH in with root access. I've read your posts but unfortunately I'm not sure how to replicate your results.


Best thing is to make the VGA connector or buy one; then you have a console with everything, and you can then alter the BIOS settings and reinstall another Linux distro on it.

Or create the USB stick.

First step is to make the mke2fs USB stick and make a link to the root file system on it.

But don't try it unless you know what you're doing. ;)


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sat Jul 20, 2013 12:37 pm 
Offline

Joined: Thu Mar 01, 2012 1:07 pm
Posts: 5
Sorry did you say you can make a vga cable for them?! Do you have a link to more information on this?


 
 Post subject: Re: NSA-2400 backdoor?
PostPosted: Sat Jul 20, 2013 1:36 pm 
Offline

Joined: Tue May 28, 2013 9:25 pm
Posts: 20
panicacid wrote:
Sorry did you say you can make a vga cable for them?! Do you have a link to more information on this?


Are you sure you can't order one anymore? Look at: http://www.pccables.com/07129.html (they say they have 1200 pieces in stock). See all the pin settings also on this site...

No?

Hope you have a nice electronics shop in the neighbourhood (else get your components from: http://www.conrad.com)

If that's the case:
1) buy a VGA connector FEMALE;
2) buy a piece of flat cable (16p)
3) buy a connector 16P (IDC16) female;
4) the flatcable will fit in the connector nicely and when you close it it will connect
5) solder the pin 1-15 to the connector

That's it.

This is all not too difficult as long as you have a solderstation.

