Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Multiple vulnerabilities found in FiberHome HG6245D routers

Pierre Kim, posted 5 years ago
  • The router's administrative functionality is reachable from the public internet over IPv6: the firewalling worked over IPv4 but not over IPv6.
  • The second mistake is the amount of information leaked all over the place. Password material sits in log files, SSL certificates are hardcoded, and a pre-auth information leak in info.asp discloses the telnet password and the secret used for the FTTH connection.
  • Next, there is a backdoor that allows the telnet CLI to be turned on (and the routing rules to be changed). With it, an attacker could reach telnet from the public internet without authentication.
  • Additionally, the telnet CLI can be turned on via the web interface by using one of the 40 backdoor passwords that ISPs have access to. Hooray!
  • The telnet CLI even has a backdoor password of its own. Additionally, the cookie handling of an ASP page is vulnerable to a buffer overflow. That makes three different ways to enable the telnet CLI without knowing the password.
  • Once in the telnet CLI (a restricted shell rather than a true telnet), running shell turns on an actual telnet service on port 26. Then, on the current connection, running tshell elevates that connection to root.
  • There is a crazy amount of surface-level bugs in this router. The article is a little hard to read (ordering and sparse explanations), but the content is quite awesome.
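A defender-side check for the first point (IPv4 firewalled, IPv6 not), written for this page and not taken from Pierre Kim's article or the router: it compares the IPv4 and IPv6 INPUT chains from constructed iptables-save / ip6tables-save dumps and lists services that are blocked over IPv4 but still accepted over IPv6. The interface names and rule shapes are assumptions for the sample data.

```python
import re
# Constructed iptables-save / ip6tables-save style INPUT chains (sample data written
# for this example, not from the router or the article). eth0.2 = WAN, br-lan = LAN.
IPV4_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i br-lan -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""
# The IPv6 side was never finished: default policy ACCEPT and only port 80 blocked on WAN.
IPV6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0.2 -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""

# Handles the simple rule shape used above: optional -i, -p, -m, --dport, then -j.
RULE_RE = re.compile(r"^-A INPUT(?: -i (\S+))?(?: -p (\S+))?(?: -m \S+)?"
                     r"(?: --dport (\d+))? -j (ACCEPT|DROP|REJECT)$")
def parse_input_chain(dump):
    """Return (default policy, [(iface, proto, dport, target), ...]) for INPUT."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        m = RULE_RE.match(line)
        if m:
            iface, proto, dport, target = m.groups()
            rules.append((iface, proto, int(dport) if dport else None, target))
    return policy, rules
def verdict(policy, rules, iface, proto, dport):
    # First-match semantics: a None field in a rule matches anything.
    for r_iface, r_proto, r_port, target in rules:
        if r_iface in (None, iface) and r_proto in (None, proto) and r_port in (None, dport):
            return target
    return policy

def ipv6_only_exposure(v4_dump, v6_dump):
    """Services blocked over IPv4 but accepted over IPv6, as (iface, proto, port)."""
    pol4, rules4 = parse_input_chain(v4_dump)
    pol6, rules6 = parse_input_chain(v6_dump)
    ifaces = sorted({r[0] for r in rules4 + rules6 if r[0]})
    services = sorted({(r[1], r[2]) for r in rules4 + rules6 if r[2]})
    return [(i, p, d) for i in ifaces for p, d in services
            if verdict(pol4, rules4, i, p, d) != "ACCEPT"
            and verdict(pol6, rules6, i, p, d) == "ACCEPT"]
```

On the sample data the check reports telnet (tcp/23) on the WAN interface as reachable over IPv6 only, which is exactly the kind of gap the article describes.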