Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Tutorial] Reverse engineering a Hitron's CLI password
BTC Offline
Haxorware Enthusiast
***

Posts: 55
Threads: 5
Joined: Aug 2018
Reputation: 7
#1
[Tutorial] Reverse engineering a Hitron's CLI password
This tutorial will be a slightly more advanced intro to reverse engineering than my other tutorial about the Hitron's bootloader password.

On the Hitron CDA3-35 (and actually a lot more Hitron modems as well), when you attempt to access the shell or production commands from the Puma6 CLI (not to be confused with bash/sh) - it asks for a password!

[Image: GxeQbtZ.png]

The Puma6 CLI is useful for many things such as changing your MAC address, IP addresses, debug options, and more. That being said, I would really prefer access to it!

Let's figure out how to bypass this password.


Finding our target
The first thing we will do is find familiar strings, just like the last tutorial. The strings that we should be looking for are "Password:" and "Wrong password!".

To search for these, we must unpack the filesystem - this is outside the scope of this tutorial, so I will assume you have already done this.

[Image: zdrf4sp.png]

Using a program capable of searching the text in many files at once, such as Notepad++, search for these strings. You will find 1 file that contains both.

[Image: Si0scat.png]

So, our target is libcli_core.so.

Unfortunately, this won't be so easy as the last one were we could just crack the hash.
But, just for your own curiosity these are two hashes which were located nearby these strings:
f8010ce0f74f55de1dd99ae6745e9713 and 6b86849528dd3e92e7f1a95b8a7eb89e

[Image: W4Z63UX.png]
Unfortunately, there is no rainbow table results for either of these hashes...so we must do more work.


Reverse engineering libcli_core.so

Now, to get started with real reverse engineering.
We can't simply use Notepad for the rest of this tutorial - we're going to need something better: Ghidra.
Ghidra is a tool designed and released by the US National Security Agency.

You can download it from here:
https://www.nsa.gov/resources/everyone/ghidra/

If you are experienced already, you can use IDA Pro for this task as well - however I only have experience in Ghidra which is why we're using it here.

Step one is to import libcli_core.so into Ghidra.
[Image: IrMtPc3.png]

Open it up, and Ghidra will ask you if you want to analyze it: Select yes.
[Image: EezMpR1.png]
Leave the default options and hit Analyze.

Wait a few moments for the analysis to finish. Once it's done, let's search for those strings we found earlier.

Finding the function

[Image: V8Qf3KI.png]

Hit Search All, then let's check out the results!

This looks like the right one:
[Image: OJ6Pc06.png]

Analyzing the function - two for the price of one?!

Here's the function that we found:

[Image: AjznM0M.png]

There is two interesting parts to this function.

The first bypass
The first part opens the file "/nvram/mfg", and if it exists - it bypasses the password entirely!

So, if you hit CTRL+C and run
Code:
touch /nvram/mfg

then run cli again, and try to access Production....it works! It does not even ask you for the password.

However, from my analysis this section of code is actually not present on most older Hitron modems....what about that other function?

The second bypass
If that file doesn't exist, it asks the user for input, then inserts that input into a system call:

Code:
echo -n %s | md5sum | cut -d \' \' -f1

The %s is replaced with the user input.

This simply MD5s your input. After it runs that command, it compares the output of that command to the password hash we found earlier:
6b86849528dd3e92e7f1a95b8a7eb89e

If it's the same, you're in!

Unfortunately, we do not know the true value of this password - we only know the hashed value..which isn't enough.

........But wait, a system call?

The input for this password is actually unescaped. What we have found here is a arbitrary shell injection exploit.
Not only can we run shell commands from here, but we can manipulate the output of this command arbitrarily.

Let's just use this input:
Code:
6b86849528dd3e92e7f1a95b8a7eb89e ;#

The password is bypassed!

[Image: Y9rQ0Lj.png]

How does this work?

This is actually a rather simple bypass. Let's take a look at that original shell command:
Code:
echo -n %s | md5sum | cut -d \' \' -f1

Now, let's take a look at it with our command inserted for %s:

Code:
echo -n 6b86849528dd3e92e7f1a95b8a7eb89e ;# | md5sum | cut -d \' \' -f1

What we've effectively done is split up the command with ;, then commented out the rest of the command.

Effectively, we've deleted out the MD5 section of the command, so our input is directly correlated to the output. 
So, we just set the output to whatever it's expecting, and we're in!
We never even have to know what the true password is.

You can also insert more commands after ; if you wish, such as reboot, and it will be executed!


That concludes the analysis of this function. As you can tell, the function is really not secure at all and whoever wrote it probably should not be writing code for devices like modems.
(This post was last modified: 25-08-2019, 10:18 PM by BTC.)
25-08-2019, 10:13 PM
Find Reply
jeramy1time Offline
Junior Member
**

Posts: 2
Threads: 0
Joined: Sep 2011
Reputation: 0
#2
Wink  RE: [Tutorial] Reverse engineering a Hitron's CLI password
Thanks for the useful info..its great ppl showing how shit is done
25-08-2019, 10:50 PM
Find Reply
doctor Offline
Senior Member
****

Posts: 198
Threads: 11
Joined: Mar 2017
Reputation: 11
#3
RE: [Tutorial] Reverse engineering a Hitron's CLI password
thanks for the simplified tutorial . Keep it up.

26-08-2019, 03:07 AM
Find Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)