Hacking the La Fonera


The La Fonera is a wireless access point given away for free by FON» under the condition that you connect it and allow other users to use it. It is based on OpenWRT», but is locked down to prevent tampering with its software. However, it is possible to inject shell commands into the system, as I found out together with Michael Kebe».

Overview «

Note: As of 8 November 2006, FON has fixed the bug in the web form, so the method presented here does not work anymore. Of course, there is a new method# available to open your device. With firmware 0.7.1-2, this method has also been invalidated by FON. We are already preparing a new method, this time called "kolofonium", which will be the most advanced method (and the easiest one for you) yet. Devices that did not come with firmware 0.7.1-2 can simply be reset back to their default firmware and opened with the earlier methods; however, Foneras with 0.7.1-2 preinstalled are appearing now. Please be patient, new instructions will be available shortly :-)

Why we did it»
The remote configuration method
  How configuration is done#
  Taking a look at the configuration retrieval#
  How code can be injected#
Local code injections
  An injection method for firmware version 0.7.0-4 (codename: "grammofon")#
  A new local injection method suitable for firmware version 0.7.1-1 (codename: "fondue")#
Preventing FON from executing code on your La Fonera#
How FON performs firmware upgrades»
La Fonera: Unscrewed - How to dismantle the device»

How configuration is done «

The La Fonera is a locked down system: Configuration is usually not done on the device itself; instead it retrieves its setup data from the FON server. So to configure your network parameters like the public and private ESSID or the WPA passphrase, you log in to your FON account and change the settings on their website. During the boot sequence, the La Fonera then contacts the FON server and retrieves its network configuration. A web interface on the router itself for configuring the device does exist as well, however.

http://stefans.datenbruch.de/lafonera/

01/31/07 21:09:58


FON also made it impossible to flash a new firmware, since the firmware binaries are signed: Firmware files not carrying the correct signature are rejected by the system. Although FON has released the source code of the software running on the router, they are not obliged to release the key necessary to run modified software on their device. This is permitted under GPLv2, and it is one of the main issues that GPL version 3 sets out to address.

So exchanging the firmware is out of the question, since there is no way of uploading a working firmware image without possession of the correct cryptographic key: This has also been an issue with the TiVo digital video recorder.

Taking a look at the configuration retrieval «

During startup (and on a regular basis), the La Fonera "phones home" to check whether its configuration data has been changed. This is done using an SSH connection to "download.fon.com" on port 1937. You can check for yourself; the server greets you with an SSH banner:

    stefan@nano:~$ telnet download.fon.com 1937
    Trying 213.134.45.191...
    Connected to download.fon.com.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4

Your router then proceeds to send a line of key='value' pairs identifying itself, including its MAC addresses and software versions:

    mode='start' wlmac='WIRELESS MAC ' mac='LAN MAC ' fonrev='4' firmware='0.7.0' chillver='1.0' thclver='1.0' device='fonera'

In return, FON sends back a shell script, including the commands that configure the wireless devices (WPA passphrase, ESSIDs).

SSH is an excellent choice from FON's point of view, since it is relatively easy to deploy in a noninteractive context, and it provides an elegant way of preventing spoofing: Because the host key of "download.fon.com" is pinned on the router, we cannot simply pretend to be the host it tries to contact and feed our router our own shell commands; without FON's private host key the router will refuse the connection.

Authentication towards the server is done using a secret key» stored on every router and inside the source. However, the Dropbear SSH client is required to use it: OpenSSH demands a password for reasons unknown, while Dropbear does not (one common cause of such a fallback to password authentication is that OpenSSH ignores a private key file that is readable by other users, so checking the file mode and setting it to 0600 is worth a try). Using "dbclient" it is quite easy to establish a connection with the FON server and retrieve configuration data for our La Fonera:

    echo "mode='start' wlmac='' mac='' fonrev='4' firmware='0.7.0' chillver='1.0' thclver='1.0' device='fonera'" | dbclient -T -i key -p 1937 [email protected]

There is no reply, since we left both MAC addresses empty. If we used the addresses of an actual La Fonera, we would probably just get this:


    rm -f /tmp/.thinclient.sh
    exit

The file »/tmp/.thinclient.sh« is where the update script stores the server's output before executing it. So since FON decided that there is nothing to do, the script simply removes itself and exits.

If you changed some values in the FON web interface prior to retrieving the data, things will look different: If you change your ESSID, for example, the change is transmitted to your router as a bunch of shell commands:

    # begin
    # setssidprivate
    awk -v cfgfile="/etc/config/fon" -v "updatestr=private.essid=YOURPRIVATEESSID" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new
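The two messages shown above (the identification line the router sends, and the script it gets back) are easy to model offline. The following is an added example written for this page, not code from FON's firmware or from the author: it builds and parses the identification line, recognises the "nothing to do" reply, and then generates the setssidprivate command in two ways. The first interpolates the ESSID into a double-quoted argument exactly as the command above is laid out; the second passes the value through shlex.quote(). How FON's server really assembles that line is not shown on the page, so the generator is an assumption, and the MAC addresses and ESSIDs are made-up test values. shlex.split() is used as a stand-in for POSIX word splitting and quote removal; it does not model ; or | as operators, which is enough to show whether the ESSID reaches awk intact.

```python
"""Added example (not from the page or from FON): model the thinclient
exchange and check how the ESSID survives shell quoting."""
import re
import shlex

# Field order as the page shows it for firmware 0.7.0 / fonrev 4.
START_FIELDS = ("mode", "wlmac", "mac", "fonrev", "firmware",
                "chillver", "thclver", "device")


def build_start_line(wlmac, mac, firmware="0.7.0", fonrev="4"):
    """Format the key='value' identification line sent after the SSH login."""
    values = {"mode": "start", "wlmac": wlmac, "mac": mac, "fonrev": fonrev,
              "firmware": firmware, "chillver": "1.0", "thclver": "1.0",
              "device": "fonera"}
    return " ".join(f"{k}='{values[k]}'" for k in START_FIELDS)


def parse_start_line(line):
    """Parse key='value' pairs; values are single-quoted and may hold spaces."""
    return dict(re.findall(r"(\w+)='([^']*)'", line))


# The reply the page shows when no configuration change is pending.
NOOP_SCRIPT = "rm -f /tmp/.thinclient.sh\nexit\n"


def has_pending_config(script):
    """True unless the server only told the router to delete the script and exit."""
    return script.strip() != NOOP_SCRIPT.strip()


AWK_TAIL = "-f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new"


def setssid_cmd_doublequoted(essid):
    """ESSID interpolated into a double-quoted argument, laid out like the
    page's command. Assumption: this is not FON's real generator."""
    return (f'awk -v cfgfile="/etc/config/fon" '
            f'-v "updatestr=private.essid={essid}" {AWK_TAIL}')


def setssid_cmd_quoted(essid):
    """Same command, but the whole updatestr value is shell-quoted."""
    arg = shlex.quote("updatestr=private.essid=" + essid)
    return f"awk -v cfgfile=/etc/config/fon -v {arg} {AWK_TAIL}"


def updatestr_arg(cmd):
    """The updatestr argument a POSIX shell would hand to awk after word
    splitting and quote removal (shlex.split models only that part)."""
    words = shlex.split(cmd)
    for i, word in enumerate(words[:-1]):
        if word == "-v" and words[i + 1].startswith("updatestr="):
            return words[i + 1]
    return None


# Constructed test values; the second one contains a double quote.
BENIGN_ESSID = "MyNet"
HOSTILE_ESSID = 'MyNet" ; id ; "'

if __name__ == "__main__":
    line = build_start_line("00:18:84:00:00:01", "00:18:84:00:00:02")
    print(line)
    print(parse_start_line(line))
    print("pending config in noop reply:", has_pending_config(NOOP_SCRIPT))
    for essid in (BENIGN_ESSID, HOSTILE_ESSID):
        print("double-quoted ->", repr(updatestr_arg(setssid_cmd_doublequoted(essid))))
        print("shlex.quote   ->", repr(updatestr_arg(setssid_cmd_quoted(essid))))
```

With the benign ESSID both generators deliver the same updatestr argument to awk. With the value containing a double quote, the double-quoted layout ends the argument early and leaves the rest of the value as further words on the command line, whereas the shlex.quote() version hands awk the full value; that difference is the quoting check worth running against any server-side generator that emits shell commands for the router.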