In a previous article, I explained how to get root on the embedded Linux part of the Technicolor 7210 router by leveraging a remote code execution (RCE). This article, on the other hand, explains how one can leverage a “frontdoor” to gain the same level of access.
The TC7210 has two operating systems (OS): the eCos real-time OS and a Linux-based embedded OS. The eCos OS is responsible for managing all network functionality as well as the Network Attached Storage (NAS) functionality provided by the Linux OS.
For that to happen, the eCos OS needs to be able to communicate with the Linux OS. As discussed in the previous article, smbapp is the application responsible for managing the NAS functionality. A good indicator of how the application receives commands from the eCos OS is the fact that it listens on port
By revisiting the string analysis performed previously, it was possible to find other interesting strings in the smbapp application that indicated some sort of functionality to manage a Telnet server. The strings are "smbapp: Launching telnetd." and "smbapp: Killing telnetd." It is possible to confirm this by loading smbapp in a disassembler and searching for references to those strings.
The code above is contained in a function called executeCommand, which is called from a loop where the UDP packets to port 49182 are received.
The next step is to understand the format of the packet that needs to be sent to smbapp in order to start the Telnet daemon. The executeCommand function is quite complex and has an awful lot of branching. As such, it is easier to trace the flow of execution backwards, taking into consideration all the branches that lead to the Telnet daemon being launched.
From the flow of execution depicted above, we can see that the first word of the packet that needs to be sent is 0x107, the following word doesn’t really matter, and the last double word should be
With this information, the next step was to hack up a script that would send the right bytes to the listening socket of the
Using the script against the NAS functionality of the router, we get an awesome Telnet prompt. Through the same mechanism, it is also possible to control an HTTP server (which exposes some CGI scripts) and whether the Linux OS responds to pings.
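The packet layout described above (an 8-byte body whose first word is 0x107, sent over UDP to port 49182) also gives a defender something concrete to alert on. The following is an added example, not the author's script: it parses raw IPv4/UDP frames and flags datagrams that match the smbapp command layout. The sample frames are constructed here, the trailing double word is a zero placeholder because the article does not reproduce the real value, and the marker is checked in both byte orders because the article does not state endianness.

```python
import struct

SMBAPP_PORT = 49182      # UDP port smbapp listens on (from the article)
LAUNCH_MARKER = 0x0107   # first 16-bit word of the "launch telnetd" command (from the article)

def parse_ipv4_udp(frame):
    """Parse a raw IPv4 packet; return (dst_ip, dport, udp_payload) or None if not UDP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:          # protocol 17 = UDP
        return None
    dst_ip = ".".join(str(b) for b in frame[16:20])
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return dst_ip, dport, frame[ihl + 8:ihl + max(ulen, 8)]

def is_telnetd_launch(dport, payload):
    """True when a datagram matches the command layout: port 49182, at least an
    8-byte body (word, word, dword) whose first word is 0x107.
    Assumption: endianness is unknown, so both byte orders of the marker are accepted."""
    if dport != SMBAPP_PORT or len(payload) < 8:
        return False
    return payload[:2] in (struct.pack("!H", LAUNCH_MARKER), struct.pack("<H", LAUNCH_MARKER))

def flag_frames(frames):
    """Return the destination IP of every frame that carries the launch command."""
    hits = []
    for frame in frames:
        parsed = parse_ipv4_udp(frame)
        if parsed and is_telnetd_launch(parsed[1], parsed[2]):
            hits.append(parsed[0])
    return hits

def _ipv4_udp(dst_ip, dport, payload):
    """Build a minimal IPv4/UDP packet for the constructed samples below (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes(int(x) for x in dst_ip.split(".")))
    return ip + udp

# Constructed sample traffic: benign NAS chatter, one datagram matching the command
# layout (trailing dword is a placeholder), and one to the same port with another marker.
SAMPLE_FRAMES = [
    _ipv4_udp("192.168.0.1", 137, b"\x80\x00\x00\x01"),
    _ipv4_udp("192.168.0.1", SMBAPP_PORT, b"\x01\x07\x00\x00" + b"\x00\x00\x00\x00"),
    _ipv4_udp("192.168.0.1", SMBAPP_PORT, b"\x00\x42\x00\x00" + b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    print(flag_frames(SAMPLE_FRAMES))   # → ['192.168.0.1']
```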
Hope this has been interesting and insightful!