In my previous post, I demonstrated how to gain root access by enabling a Telnet daemon via the router's AT-over-TCP interface. In this post I will close this gaping security hole by replacing Telnet with a Secure Shell (SSH) daemon. Netgear's firmware does not ship with an SSH daemon itself, so we first build a statically linked Dropbear instead of the rather heavy OpenSSH daemon.
Building Dropbear SSH
I've built a statically linked version of Dropbear using a Debian-based Docker image, as this lets us use the cross-compiler toolchains packaged by Debian:
Dockerfile
FROM debian:bullseye
RUN apt-get update && \
apt-get -y install \
wget tar bzip2 build-essential \
gcc-arm-linux-gnueabihf \
binutils-arm-linux-gnueabihf
RUN wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.82.tar.bz2
RUN tar xvf dropbear-2022.82.tar.bz2
WORKDIR /dropbear-2022.82
ENV CC=arm-linux-gnueabihf-gcc
# password authentication is compiled out, so only public-key login remains
ENV CFLAGS="-DDROPBEAR_SVR_PASSWORD_AUTH=0"
RUN ./configure --host=arm-linux-gnueabihf \
--disable-zlib \
--disable-shadow \
--disable-syslog \
--disable-lastlog \
--enable-static
RUN make PROGRAMS="dropbear scp" MULTI=1
RUN arm-linux-gnueabihf-strip dropbearmulti
With this Dockerfile we can build the image, create a temporary container from it and copy the resulting binary from that container to the local folder:
docker build -t dropbear .
id=$(docker create dropbear)
docker cp ${id}:/dropbear-2022.82/dropbearmulti ./
docker rm ${id}
Installing Dropbear
Now that we have a statically linked version of the SSH daemon, we need to copy it to our target. I accomplished this by using netcat (nc):
On the target
mkdir -p /data/mod/bin
cd /data/mod/bin   # busybox sh has no pushd
nc -l -p 1234 > dropbearmulti
# nc does not check integrity: compare sha256sum dropbearmulti with the build host before using it
chmod +x dropbearmulti
ln -s dropbearmulti dropbear
ln -s dropbearmulti scp
On the machine which built Dropbear
nc <ip-of-target> 1234 < dropbearmulti
This is followed by installing a systemd service which starts the SSH daemon at boot:
cat > /etc/systemd/system/dropbear.service <<EOF
[Unit]
Description=Dropbear SSH server
After=network.target
[Service]
Type=forking
# -R creates the host keys on first start
ExecStart=/data/mod/bin/dropbear -R
PIDFile=/var/run/dropbear.pid
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now dropbear.service
Before you can connect to the target, you need to install an authorized_keys file. Password login is not supported, since it was disabled at build time.
mkdir -p /home/root/.ssh
# neither the .ssh directory nor the file may be group- or world-writable, or Dropbear ignores the key
cat > /home/root/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1...GaoxPrQ== # replace by your SSH key
EOF
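Since password login is compiled out, a malformed or still-placeholder authorized_keys line leaves no way into the router over SSH. The following script is an added example (my own, not part of the original post) that checks the file on the build host before it is copied over; it assumes POSIX sh with base64(1) and od(1), and lines without quoted, space-containing key options.

```shell
#!/bin/sh
# Added example, not from the original post: check an authorized_keys file
# before copying it to the router. Password login is compiled out, so a
# malformed key line leaves no way in over SSH. Needs only POSIX sh,
# base64(1) and od(1), which coreutils and busybox both provide.

# check_key_line TYPE BLOB
# The blob must be base64 and must decode to the SSH wire format: a 4-byte
# big-endian length, then the key type string, which must equal TYPE.
check_key_line() {
    type=$1; blob=$2
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown key type: $type" >&2; return 1 ;;
    esac
    # A pasted placeholder such as "AAAAB3NzaC1...GaoxPrQ==" fails here.
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "blob is not base64: $blob" >&2; return 1 ;;
    esac
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    expected=$(printf '%08x' "${#type}")$(printf '%s' "$type" | od -An -v -tx1 | tr -d ' \n')
    case "$decoded" in
        "$expected"*) return 0 ;;
        *) echo "blob does not encode a $type key" >&2; return 1 ;;
    esac
}

# check_authorized_keys FILE
# Skips blank and comment lines, accepts an options prefix without embedded
# spaces (e.g. "no-pty ssh-ed25519 ..."), and returns the number of bad lines.
check_authorized_keys() {
    bad=0
    while read -r f1 f2 rest; do
        case "$f1" in
            ''|'#'*) continue ;;
            ssh-*|ecdsa-*) type=$f1; blob=$f2 ;;
            *) type=$f2; blob=${rest%% *} ;;
        esac
        check_key_line "$type" "$blob" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}
```

Run it as `check_authorized_keys authorized_keys` on the build host; a zero exit status means every line decodes to a key of the type it claims.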
All that remains is a quick test:
ssh root@<ip-of-target>
Disable the Telnet daemon
To restore the security of the device we must also disable the Telnet daemon. There are in principle two options to achieve this:
- Reverse the steps from my first blog post via the AT-over-TCP interface.
- Use the iptables firewall to block access to the Telnet port.
I’ve decided to go for the second option:
cat > /etc/systemd/system/block-telnet.service <<EOF
[Unit]
Description=Block Telnet access
After=network.target
[Service]
# iptables exits right away; oneshot with RemainAfterExit keeps the unit active,
# so ExecStop only runs on an explicit stop rather than immediately after start
Type=oneshot
RemainAfterExit=yes
# port 23 spelled out, as the router may not have an /etc/services to resolve "telnet"
ExecStart=/usr/sbin/iptables -I INPUT -p tcp --dport 23 -j DROP
ExecStop=/usr/sbin/iptables -D INPUT -p tcp --dport 23 -j DROP
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now block-telnet.service