Kitz ADSL Broadband Information
Author Topic: Some advice please on DSL-2740B code  (Read 5116 times)

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Some advice please on DSL-2740B code
« on: September 25, 2012, 11:44:37 AM »

I have been playing around trying to find out how the DSL-2740B router gets the connection up time to display on its web pages in the hope that Eric may find it useful. I have found the source for the frame and it contains several lines of javascript which look similar to:-

Code:
document.write("<%ejGetOther(sysInfo, conTime)%>");

and when you look at the source from the actual displayed frame in the browser it shows

Code:
document.write("41 days, 14 hours, 34 minutes, 43 seconds");

so the ejGetOther looks like it is running some kind of server side command/program which returns the time value. Does anyone recognise what this is or where I might find out about it? I am no javascript guru so any suggestions would be appreciated.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43614
  • Penguins CAN fly
    • DSLstats
Re: Some advice please on DSL-2740B code
« Reply #1 on: September 25, 2012, 12:48:23 PM »

Thanks for looking into this, Stuart. I know nothing about javascript unfortunately, but the first line you quoted looks like a function call, and I suppose you would need to locate that function to find out what it does.
Logged
  Eric

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Some advice please on DSL-2740B code
« Reply #2 on: September 25, 2012, 01:42:45 PM »

Hi Broadstairs,

This was posted to psidoc.com a few months ago [5]

Quote
The embedded webserver is mini-httpd by Jef Poskanzer. He released the source code for the daemon under a *BSD "do-as-you-please" licence. [1] There is an extension to mini-httpd to support server-side scripting. The scripts are very primitive, being pretty much limited to a single function call within the delimiters <% and %>. These are vaguely similar to JSP/ASP.

As you've discovered, the server-side script functions are actually compiled into the binary of the httpd daemon.

The special symbols <% and %> are used to show where a server-side script function starts and ends. In between the <% and the %> is the function name, and the parameters to the function. Here's one example from your zip, in the resource cgi/cgi_dsl_status.js. It's entwined with Javascript..

var up_data_rate='<% CFG_GET(ADSL_UP_RATE); %>';

The server-side script function is CFG_GET and it has a single parameter ADSL_UP_RATE, probably an enumeration.

The web server has a script parsing engine. A resource (e.g. cgi_dsl_status.js) is requested through an HTTP GET or POST request. The HTTP server retrieves the resource from the local file system in the device. The resource is passed to the scripting engine for parsing. When the engine encounters those special symbols <% and %>, it invokes by name the function contained within the symbols. The return value from the function is substituted in the resource, and only then is the resource served up to the requestor.

That substitution would do something like this (where 1284 kbps is the upstream data rate obtained from the xdsl kernel driver):

var up_data_rate= '1284';

It's often possible to exploit this so that the web server will "execute arbitrary code". It's basically a cross-site scripting vulnerability. There's a glaring hole in the security of many of these Broadcom-based routers. Briefly, if the GUI has a web page where you can run a test that pings an IP address, it's sometimes possible to modify the URL so that instead of executing the ping command, it will execute whatever command you want. You could do all manner of nasties.. overwrite the nameserver settings etc..

Many of the server-side script functions work indirectly by invoking queries to a middleware server running on the device. That server retrieves the requested info from the relevant source, e.g. with requests for XDSL layer data, these will be obtained by way of an ioctl() call to the xdsl kernel driver. [2]

I've had a brief look through the static web resources for your device and can't immediately see any obvious holes that could be used to execute an arbitrary command, e.g. telnetd. That's not to say there aren't any holes though!

If there are any server-side scripts which execve() an arbitrary binary in the embedded file system (such as to test ping an IP address), then you can theoretically exploit that. [3] For example, you could temporarily re-mount your own file over the top of that binary or shell script to ensure that it is invoked instead. [4]

cheers, a

[1] http://www.acme.com/software/mini_httpd/
[2] http://huaweihg612hacking.wordpress.com/2011/09/18/patching-the-line-attenuation-bug/
[3] http://linux.die.net/man/2/execve
[4] http://fermilinux.fnal.gov/documentation/tips/mount-bind-chroot
[5] http://www.psidoc.com/showthread.php/635-busybox-quot-httpd-quot-help-needed-hacking-a-router

Logged
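The substitution step asbokid describes above (the engine finds `<% FUNCTION(ARGS) %>` in a resource, calls the named function, and splices the return value in before serving the page) and the ping-test weakness he mentions are illustrated below with an added Python example. It is not code from the router, from mini-httpd or from any post in this thread: the `render` engine, the `FAKE_DEVICE_STATE` table standing in for the middleware/ioctl data source, and both `build_ping_command_*` functions are constructed for illustration.

```python
import ipaddress
import re

# Delimiter syntax seen in the thread: "<% CFG_GET(ADSL_UP_RATE); %>" inside a
# .js resource and "<%ejGetOther(sysInfo, conTime)%>" inside document.write().
SCRIPT_TAG = re.compile(r"<%\s*(\w+)\s*\(([^)]*)\)\s*;?\s*%>")

# Constructed stand-in for the values the real daemon fetches from middleware
# (values copied from the examples quoted in the thread, not from a live device).
FAKE_DEVICE_STATE = {
    "ADSL_UP_RATE": "1284",
    "ADSL_DOWN_RATE": "8128",
    ("sysInfo", "conTime"): "41 days, 14 hours, 34 minutes, 43 seconds",
}


def cfg_get(*args):
    """Hypothetical CFG_GET: one enumeration-style argument, returns its value."""
    return FAKE_DEVICE_STATE.get(args[0], "")


def ej_get_other(*args):
    """Hypothetical ejGetOther: a (section, item) pair looked up as a tuple."""
    return FAKE_DEVICE_STATE.get(tuple(args), "")


# Function registry: the real daemon has these compiled into the httpd binary.
FUNCTIONS = {"CFG_GET": cfg_get, "ejGetOther": ej_get_other}


def render(resource, functions=FUNCTIONS):
    """Replace every <% NAME(ARGS) %> tag with the named function's return value."""

    def substitute(match):
        name, raw_args = match.group(1), match.group(2)
        args = [a.strip() for a in raw_args.split(",") if a.strip()]
        func = functions.get(name)
        if func is None:
            # Unknown function name: refuse rather than leak the raw tag.
            raise KeyError(f"unknown server-side function {name!r}")
        return str(func(*args))

    return SCRIPT_TAG.sub(substitute, resource)


def build_ping_command_unsafe(target):
    """The pattern the thread warns about: request input pasted into a shell string.

    Anything the user appends after the address becomes part of the command line.
    """
    return f"ping -c 3 {target}"


def build_ping_command_safe(target):
    """Hardened form: accept only a literal IP address and pass argv without a shell.

    ipaddress.ip_address() raises ValueError for anything that is not an address,
    so shell metacharacters never reach the command at all.
    """
    addr = ipaddress.ip_address(target)
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    print(render("var up_data_rate='<% CFG_GET(ADSL_UP_RATE); %>';"))
    print(render('document.write("<%ejGetOther(sysInfo, conTime)%>");'))
    print(build_ping_command_safe("192.0.2.1"))
```

Running `render` over the two tag forms quoted in the thread yields exactly the substituted lines the posts show (`var up_data_rate='1284';` and the `document.write(...)` with the uptime string). The two ping builders make the defensive point concrete: the unsafe version happily returns a string containing whatever followed the address, while the safe version rejects it with `ValueError` and hands a fixed argv list to the process launcher, which is the usual fix for this class of router bug.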

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Some advice please on DSL-2740B code
« Reply #3 on: September 25, 2012, 02:18:01 PM »

Thanks asbokid, I'll take a more in depth look later and see what I can find. Would be nice to be able to issue a command to get this since it is there somewhere for the web server to get the correct value.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Some advice please on DSL-2740B code
« Reply #4 on: September 25, 2012, 08:54:15 PM »

Quote
Thanks asbokid, I'll take a more in depth look later and see what I can find. Would be nice to be able to issue a command to get this since it is there somewhere for the web server to get the correct value.

Hi Stuart,

Sorry, I didn't read what you said properly.

IIRC, the embedded web server, at least on the HG612 connects via a Unix socket/pipe/IPC to several different binaries in a middleware layer to obtain this sort of data.

That middleware polls the DSL driver in kernelspace to check the status of the DSL layer. If it is found to be down, the uptime counter is reset. So it would seem that the middleware maintains the connection uptime.

In the HG612 file system there is an XML-based MIB document tree called /etc/t_tree.xml.

It defines two Uptime nodes, one for system uptime, one for uptime of the WANPPPConnection. The latter node looks like this:

<Uptime CMO="0x8000C50D" Type="VALUE_TYPE_ULONG" AppName="cms|cwmp" MaxLength="0" DefaultValue="0"/>

The AppName attribute defines two binaries concerning the WANPPPConnection Uptime object: cms and cwmp.

cwmp (or CPE WAN Management Protocol) is a component of TR069 remote management.
cms is apparently the binary for the 2Wire customer premises management system.

With no docs, neither binary wants to do anything very useful:

Code:
# cwmp --help
CWMP app version: V100R002C05B021 cwmp app V1.2.3.0.0
CWMP stk version: V100R002C05B021 cwmp stk V1.2.3.0.0
Not save certification!!!
ConfigDefaultSsl return: 0
^@

# cms --help
Failed in VTOP_MSG_Init!! ulRet = 0x8016801d

I've got a feeling there's yet another layer of middleware (at least on the HG612), and that is provided by a binary called MidServer. MidServer (I suspect) proxies queries, reads that MIB file (/etc/t_tree.xml) and then calls the relevant binary to actually obtain the requested 'object' for the client. Could be wrong though.

cheers, a
« Last Edit: September 25, 2012, 09:00:05 PM by asbokid »
Logged