The new hack I've come up with can be found under the heading URL Injection near the end of the article which I hope I've explained clearly enough for those interested. The hack has been confirmed to work on both the NETGEAR and Sky firmware.
And to anyone thinking about posting this information on other forums...credit where credit is due.
Can you post further information on these AVM boxes you mention? I'm most intrigued.
Fantastic, URL injection worked a treat to get my username and password. I'm now connected using my old router (Draytek Vigour 2600we) which is 100% stable unlike this rubbish router Sky provided that keeps dropping its wireless.
Thank you Sir!
Very interesting. Thanks for all of that info. I might look at these further.
As for why the Sky router is more stable than the Fritz Box, I honestly can't comment. Yes, Sky appear to be using a slightly different connection procedure than on the default NETGEAR router but I don't know enough about the differences to explain what they do and why.
Glad it worked for everyone.
I'll update my article further over the coming weeks with some of the other notes I made during my experimentation. I should state that the URL injection hack isn't the only one I discovered but I'm going to keep the other one under wraps should NETGEAR/Sky decide to spoil everyone's party and patch these holes up.
Jose, the utelnetd binaries on each of the firmwares (native and Sky) are identical.
Yup, they are. Which leads me to believe that the version of utelnetd on the Sky firmware may have been compiled differently.
Unfortunately, with /etc/passwd being read only, no amount of tinkering with the passwd command will add or alter OS level passwords on the router. Trust me, I've tried.
It's possible. I've seen small amounts of code commented out of a project and the compilation result be the same.
I've had a look at the code for utelnetd (do a google search for utelnetd.c and you'll find it easy enough) and I'm guessing the part which utilises a logon binary has been messed with. My theory is that the NETGEAR version ignores the logon binary whilst the Sky version does not. Unfortunately I'm not enough of a coder to comment further.
Done a fair bit in my time. Used to turn out C and COBOL for work, but that was some time ago. (Still do a bit of Visual C++ on MS systems in my own time but corporate coding's not for me - too many standards to adhere to!)
Anyway, I suspect you're referring to cases where an optimiser is run - this can cause two different source codes to produce the same compiled code - though I've never come across it being literally identical. Anyway, if they're the same daemons, they're the same whatever the source looked like. But...
You mentioned that there was a link /bin/login -> busybox? Well, I can't see this link in the NETGEAR fw. In fact, busybox on the NETGEAR fw doesn't seem to support it. Possibilities?
Indeed.
Without seeing the original source for either firmware version I guess we'll never know for sure.
Maybe. It's definitely only present on the Sky firmware from what I've seen so far (along with wget and a few other commands).
I'll post a full file listing tomorrow when I get a chance to hopefully aid us in opening this firmware up further. Oh and let's just say some interesting files were left behind by the NETGEAR/Sky coders in the Sky firmware that I'm pretty sure aren't supposed to be there (subversion project files).
Where can I find a fix for this? I have looked high and low and digitalspy and skyuser and cannot find anything.
If that was the case, you would have found your answer on the first page of this thread. The Telnet server on the Sky router has been locked out.
A workaround can be found by using my URL injection hack as described in my post further up on this page. It doesn't give you complete access like Telnet access does but it's better than nothing. Enough for you to obtain your ADSL username/password among other things.
Well I've just completed a binary level comparison of utelnetd on both firmwares and they're completely identical. That said, whilst looking through each with a hex editor I've noticed that they both refer to /bin/login for their login handler. Now that to me suggests that the absence of this on the NETGEAR firmware and the presence of it on the Sky firmware is why the Telnet server behaves differently. According to the utelnetd documentation any absence of a login handler implies that the server will just start without authentication.
Absolutely - that's why the netgear fw doesn't ask for a login. Problem is, both the symbolic link and busybox are in read only memory which will make it tricky to stop /bin/login firing up (unless you know a way to stop it?). My line of thought at the moment is to recompile utelnetd and then to wget it to the router etc etc.
That or make use of utelnetd's -l argument that lets you specify a login handler. However I did briefly try this before publishing my hack and didn't have much success. Maybe I didn't give it an appropriate binary. I don't have access to my router at the moment but I wonder if the following might work?
Feed utelnetd the BusyBox binary directly as a login handler and see what happens. If it doesn't work I'm sure there are other binary candidates that might work.
Oh and here's a link to my dump of the filesystem on the Sky firmware. Might come in handy.
ROTFL. So crazy, it might just work. If I had the source for utelnetd and time, I'd check to see what it expects the login handler to return. (0 and non-zero?) How about setting true (or false) as the handler? Busybox has both booleans, so that might work. I wouldn't be surprised if it denies login if the handler's not found.
EDIT: Cheers for the file system dump. Don't fancy doing the same for the NETGEAR firmware, do you?
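As an added illustration of the question Jose raises above (this is my own model, written for this page; it is not utelnetd.c and not anything from the NETGEAR or Sky firmware), here is how a utelnetd-style daemon hands a session to its login handler. The daemon itself never checks a password: the forked child attaches the session to stdin/stdout/stderr and execs the configured path (by default /bin/login, or whatever -l names), and the session lasts exactly as long as that process. So the handler's return value is not an authentication decision at all: `true` as the handler means the connection simply closes, a shell as the handler means a shell with no password asked, and a missing handler means the exec fails. Pipes stand in for the pty and socket so it runs offline; the handler paths in the wrappers and the exec-status pipe are my choices, and what the real daemon does when the handler is absent (refuse to start, or drop the connection) should be checked against the utelnetd source rather than against this model.

```c
/* Added model of a utelnetd-style login hand-off (not utelnetd.c).
 * The daemon does no authentication of its own: its forked child puts
 * the session on stdin/stdout/stderr and execs the configured handler
 * (default /bin/login, or whatever -l names).  Pipes stand in here for
 * the pty and socket so the model can be run and checked offline. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

struct session_result {
    int started;       /* 1 if the handler image actually ran */
    int exit_status;   /* handler's exit status, -1 if killed by a signal */
    char output[512];  /* what the telnet client would have seen */
};

/* Run `handler` as the daemon's child would (argv[0] only), feeding it
 * `client_input` as the client's keystrokes.  Returns -1 on a local
 * fork/pipe failure, 0 otherwise; the session outcome lands in *res. */
int run_login_handler(const char *handler, const char *client_input,
                      struct session_result *res)
{
    int in[2], out[2], err[2];  /* client->handler, handler->client, exec status */
    memset(res, 0, sizeof *res);
    if (pipe(in) < 0 || pipe(out) < 0 || pipe(err) < 0)
        return -1;
    /* err[1] is closed by a successful exec, which is how the parent
     * distinguishes "handler ran and exited" from "exec failed" */
    fcntl(err[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        dup2(out[1], STDERR_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]); close(err[0]);
        char *argv[] = { (char *)handler, NULL };
        execv(handler, argv);            /* no password check before this */
        int e = errno;
        (void)!write(err[1], &e, sizeof e);
        _exit(127);
    }

    close(in[0]); close(out[1]); close(err[1]);
    int e = 0;
    res->started = (read(err[0], &e, sizeof e) <= 0);  /* 0 bytes: exec worked */
    close(err[0]);

    if (client_input)
        (void)!write(in[1], client_input, strlen(client_input));
    close(in[1]);

    size_t used = 0;
    ssize_t n;
    while (used < sizeof res->output - 1 &&
           (n = read(out[0], res->output + used, sizeof res->output - 1 - used)) > 0)
        used += (size_t)n;
    res->output[used] = '\0';
    close(out[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    res->exit_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return 0;
}

/* Small wrappers so each outcome can be checked as a plain return value. */
int handler_started(const char *handler)
{
    struct session_result r;
    return run_login_handler(handler, NULL, &r) == 0 ? r.started : -1;
}
int handler_exit_status(const char *handler, const char *input)
{
    struct session_result r;
    return run_login_handler(handler, input, &r) == 0 ? r.exit_status : -1;
}
int handler_output_contains(const char *handler, const char *input, const char *needle)
{
    struct session_result r;
    return run_login_handler(handler, input, &r) == 0 && strstr(r.output, needle) != NULL;
}

int main(void)
{
    /* constructed demo: a shell as the handler, as floated in the thread */
    struct session_result r;
    if (run_login_handler("/bin/sh", "echo unauthenticated shell\nexit 3\n", &r) < 0)
        return 1;
    printf("started=%d exit=%d output=%s", r.started, r.exit_status, r.output);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it unprivileged. With /bin/sh as the handler the shell runs the piped commands and exits 3, and nothing ever asked for a password; with /bin/true the session ends at once with status 0; with a path that does not exist the exec fails and `started` is 0. Whether the real daemon refuses to start in that last case, or just drops each connection, is exactly the thing to read off utelnetd.c.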
Well the source can be found here if you fancy a look. It'll mean more to you than me.
Comments
Put my Sky one back and it connected first time at
DownStream Connection Speed 13966 kbps
UpStream Connection Speed 766 kbps
Automan.
NETGEAR DG834GT Hacking
Most of the support for these boxes is in German.
However they use BusyBox and you used to be able to enable/disable telnet by dialling a code sequence on a phone extension plugged into the box.
Later disabled but then enabled again by adding an entry in debug.cfg via the firmware upgrade screen.
The 7050s I have come in two versions, Annex B and Annex A.
Internally the same but with different software, and users like swapping them from German to International versions and vice versa, plus changing Annex A to B and vice versa.
External Java apps have also been written to manage calls logged by the box, JFRitz for example: http://home.in.tum.de/~jensen/projects/projects_en.shtml
This forum http://www.ip-phone-forum.de/showthread.php?t=97250 has lots of users feedback etc on AVM fritz boxes.
You can buy a German Annex B box for a lot less than the English Annex A ones which is why I suspect people go for the pain of conversion.
Annex B boxes of course come with the wrong leads, as I assume B is over ISDN rather than analogue "POTS".
VOIP quality is as good as BT and I can call most of the planet for 1p per minute - Same call price to call next door as Sydney, AUS!
And to other VOIP users calls of course are free.
I have the following boxes...
International Fritz Box Fon Annex A
German Fritz Box FON 7050 Annex B which is now International Annex A
International Fritz Box FON 7050 Annex A
All of the above with latest firmware are ADSL2+ but have more problems making a connection than the Sky provided Netgear box.
However, I think when they do connect I get slightly more stable, less erratic internet access.
Automan.
I'll delve further and find out what I can.
I have got a bit lost looking in the haystacks for an answer to the Telnet issue.
When you type Telnet 192.168.0.1 at a CMD prompt it asks for a login.
Sky Filesystem Dump (210KB)
http://www.pengutronix.de/software/utelnetd/
I believe NETGEAR are using version 0.1.2 from what I've read elsewhere.
Done.
NETGEAR Filesystem Dump (50KB)
As you can see it's a lot smaller without all the Subversion junk.
Running my compiled version as follows on my Linux workstation bypasses the login process and drops you straight to a shell:
Care to try it on the Sky router with the following?