[讨论] 预警！斐讯K1 PSG1208路由器原厂固件存在高危漏洞！

[复制链接]

510695678

46 回帖	589 积分	187 小时在线时间

中尉

注册时间: 2011-7-7

金币: 479 个

威望: 8 个

荣誉: 0 个

发消息

尚未签到

发表于 2016-2-10 03:56

本帖最后由 510695678 于 2016-2-10 13:18 编辑

这个算不上高危的，下载配置文件的前提是你知道密码连上wifi，
更新一下：
（管理员密码是base64加密保存的，比如admin加密后是YWRtaW4=
可以轻松解密http://tool.chinaz.com/tools/base64.aspx）

上传上网记录应该是存在的，至于什么时候上传就不知道了。

这个路由使用nvram保存配置的，nvram show可以查看配置，

linux系统开机会先先执行 /sbin/init，一堆程序中会启动一个cathpkt的程序
# grep cathpkt /sbin/init
start_cathpkt
stop_cathpkt
insmod /lib/modules/cathpkt.ko
cathpkt &
killall cathpkt

# grep cat /sbin/dev_init.sh
mknod /dev/cathpkt c 206 0 -m 622

加载了/lib/modules/cathpkt.ko内核模块创建/dev/cathpkt设备
后台运行cathpkt

这是cathpkt这个程序的明文字符串

.rodata:00404508 0000001E C %02d-%02d-%02d %02d:%02d:%02d
.rodata:004044E8 0000001E C %02x:%02x:%02x:%02x:%02x:%02x
.rodata:004041FC 0000000D C %Y%m%d%H%M%S
.rodata:0040448C 00000024 C %[^:]:%[^:]:%[^:]:%[^:]:%[^:]:%[^:]
.rodata:00404628 00000013 C %s error code: %d\n
.rodata:004044B0 0000000D C %s%s%s%s%s%s
.rodata:0040452C 0000000D C %s;;;%s;%s%s
.rodata:0040485C 00000006 C %s=%s
.rodata:004041C0 0000000B C %s[%u] %s\n
.rodata:00404224 00000011 C %s_SN0000_%s.tar
.rodata:00404350 00000011 C %s_SN9999_%s.tar
.rodata:004042D8 00000012 C -->data file=[%s]
.rodata:00404478 00000011 C -->file size=%ld
.rodata:004041CC 0000000D C /dev/cathpkt
.rodata:00404850 0000000B C /dev/nvram
.rodata:004044D0 00000006 C /tmp/
.rodata:004042D0 00000008 C /tmp/%s
.rodata:0040420C 00000017 C /tmp/%s_SN0000_%s.data
.rodata:00404460 0000000D C /tmp/cathpkt
.rodata:00404408 0000000D C 001122334455
.rodata:00404238 00000021 C 0123456789ABCDEF0123456789ABCDEF
.rodata:00404744 00000005 C CWD
.rodata:00404610 00000015 C Can not send message
.rodata:004046E0 0000003D C Can not use PORT mode!Please use "mode" change to PASV mode.
.rodata:00404664 00000020 C Can't connet to the ftp server!
.rodata:0040480C 0000000F C Connect error!
.rodata:00404780 00000018 C Creat data socket error
.rodata:0040463C 00000013 C Creat socket error
.rodata:0040481C 00000011 C Invalid address!
.rodata:00404830 0000000E C Invalid port!
.rodata:00404798 00000010 C Open file error
.rodata:004045EC 00000006 C PASS
.rodata:00404690 00000005 C PASV
.rodata:00404698 00000017 C PORT %s,%s,%s,%s,%d,%d
.rodata:00404600 00000010 C Password error!
.rodata:0040473C 00000005 C QUIT
.rodata:0040474C 00000006 C STOR
.rodata:00404754 00000007 C TYPE I
.rodata:004047C8 00000019 C The PORT mode won't work
.rodata:004045E4 00000006 C USER
.rodata:004045F4 0000000C C User error!
.rodata:004045B8 0000000F C calc_file_size
.rodata:004041E4 00000016 C can not find dev :%s\n
.rodata:004045A0 00000015 C cathpkt_writePktinfo
.rodata:00404380 0000002C C cd /tmp/ && rm *.tar *.data -rf && touch %s
.rodata:0040425C 00000073 C cd /tmp/ && rm -rf *.tar && openssl enc -aes-128-cbc -in %s -out %s -k %s && tar -zcf %s %s && rm -rf %s %s *.data
.rodata:00404550 0000001B C could not open tmp file %s
.rodata:0040457C 00000010 C create_tar_file
.rodata:0040475C 00000022 C error create new_sock in put port
.rodata:00404364 0000001B C file upload will be empty!
.rodata:0040453C 00000013 C file:%s not found.
.rodata:00404348 00000008 C ftp bye
.rodata:00404304 00000009 C ftp init
.rodata:00404310 0000000A C ftp login
.rodata:00404340 00000008 C ftp put
.rodata:00404840 0000000A C ftp_close
.rodata:004047F8 00000012 C ftp_srvname=[%s]\n
.rodata:0040431C 00000022 C function[%s] line[%d] errno=[%d]\n
.rodata:00404594 0000000C C get_wan_mac
.rodata:004041DC 00000008 C len:%d\n
.rodata:00404720 00000009 C listen()
.rodata:004047A8 0000001E C local file %s doesn't exist!\n
.rodata:004044C0 00000010 C mac string=[%s]
.rodata:00404418 0000000E C mac_addr=[%s]
.rodata:0040458C 00000005 C main
.rodata:00404470 00000005 C null
.rodata:004043EC 0000001C C nvram get et0macaddr error!
.rodata:00404684 0000000B C send error
.rodata:004046D4 0000000B C set socket
.rodata:004046BC 00000018 C set socket %s errno:%d\n
.rodata:00404650 00000011 C set socket error
.rodata:004046B0 00000009 C socket()
.rodata:004042EC 00000016 C target directory=[%s]
.rodata:004044D8 0000000B C tmpcathpkt
.rodata:004043AC 00000017 C upload filename error!
.rodata:00404444 0000001A C upload time interval=[%d]
.rodata:00404428 00000019 C upload time set default.
.rodata:00404570 0000000C C upload_data
.rodata:004045D0 00000012 C upload_ftp_passwd
.rodata:004047E4 00000012 C upload_ftp_server
.rodata:004043C4 00000019 C upload_ftp_time_interval
.rodata:0040472C 00000010 C upload_ftp_user
.rodata:004043E0 0000000B C wan_hwaddr

复制代码

运行以后会创建/tmp/cathpkt 明文文件，用来保存上网记录，如果想查看直接cat /tmp/cathpkt
压缩前使用openssl 加密（openssl enc -aes-128-cbc -in %s -out %s -k %s）
文件名 /tmp/时间戳_SN0000_MAC地址.tar

如果想查看压缩后的文件
先解压
tar zxf 20160114XXXXXX_SN0000_XXXXXXXXXXXX.tar
得到 20160114XXXXXX_SN0000_XXXXXXXXXXXX 继续解压
tar xf 20160114XXXXXX_SN0000_XXXXXXXXXXXX
得到20160114XXXXXX_SN0000_XXXXXXXXXXXX.data
使用openssl解密成222.txt
openssl aes-128-cbc -d -k 0123456789ABCDEF0123456789ABCDEF -in 20160114XXXXXX_SN0000_XXXXXXXXXXXX.data -out 222.txt
cat 222.txt可以查看

默认nvram配置包括ftp账号密码在/lib/libshared.so里面

初始化后保存在nvram里面
# nvram show | grep ftp
size: 12081 bytes (20687 left)
upload_ftp_server=soho.wifibase.ftp.phicomm.com
upload_ftp_user=ftpuser
alg_tftp_enable=1
upload_ftp_passwd=feixun*123
alg_ftp_enable=1

关闭cathpkt
killall cathpkt
删除cathpkt
rm /bin/cathpkt
卸载模块
rmmod /lib/modules/cathpkt.ko

这样可以临时关闭，但是系统采用的ramfs，重启就会恢复

暂时解决方法：
把nvram配置里的服务器、账号、密码改成错误或不存在的
nvram set upload_ftp_server=xxx.com
nvram set upload_ftp_user=xxx
nvram set upload_ftp_passwd=xxx
保存
nvram commit