Obtaining Root Shell Access
Beware the deviance of thine own tools, for the Enemy finds his entrance thereby.
Target Cogitator: RVLink MV2400 Roof Unit (also referred to as MV2402)
- IP Address:
192.168.10.254 - Suspected Hardware Base: COMFAST CF-E5 (or similar QCA9531-based OpenWrt device)
- Firmware Base: OpenWrt (customized by vendor)
- Vulnerable Component: webmgnt binary, specifically its handling of
/cgi-bin/mbox-configAPI endpoints.
Context & Independent Discovery: While the general technique of exploiting backup and restore mechanisms for root access on OpenWrt devices is known (e.g., COMFAST CF-E120A v3), the specific methodology for the RVLink MV2400 was independently developed through direct reverse engineering of its webmgnt binary and API. This was a notable achievement because the MV2400’s standard OpenWrt web UI had been entirely removed by the vendor, replaced with a custom API intended for use by the paired indoor unit (RV2458). The existence and exploitability of the mbox-config endpoints for backup/restore were not discoverable through any visible interface. Awareness stemmed from prior analysis of firmware from similar COMFAST devices, which indicated the common presence of the webmgnt binary and its typical API structure.
The Exploit Path - A Step-by-Step Litany:
-
Phase I: Endpoint Identification & Backup Exfiltration
-
Foundation: Prior research into COMFAST firmware (related to CF-E5) revealed the common use of a FastCGI binary (typically
webmgnt) handling/cgi-bin/mbox-configwithsection=parameters. -
Targeted Probing: The
section=system_config_backupparameter was identified as a high-value target on the live MV2400 device. -
Invocation: An authenticated HTTP
POSTrequest (determined experimentally as the required method) was sent to the roof unit:POST http://192.168.10.254/cgi-bin/mbox-config?method=GET§ion=system_config_backup(A Python script was utilized to manage the
COMFAST_SESSIONIDand automate requests).
-
-
Phase II: Analysis of the Exfiltrated Archive (
bakup.file)- Data Retrieval: The above request prompted the device to stream a file, saved locally. The server-side logic intended the filename
bakup.file. - Archive Examination: Standard tools (
file,tar -tvzf) confirmed the downloaded file was a gzipped tar archive (.tar.gz). - Critical Revelation (The “BINGO” Moment): The archive contained a snapshot of the device’s
/etcdirectory, crucially including/etc/shadowwhich stores hashed user passwords. This information disclosure confirmed a serious vulnerability. Exampletar -tvf bakup.fileoutput showed:
- Data Retrieval: The above request prompted the device to stream a file, saved locally. The server-side logic intended the filename
-
Phase III: Understanding the Backup Creation Mechanism (Server-Side)
-
Trigger: The
section=system_config_backuprequest invokes thembox-config_GET_system_config_backupfunction within thewebmgntbinary. -
Core Operation: This function executes the shell command
sysupgrade -b /tmp/bakup.fileThis is a standard OpenWrt command to create a configuration backup archive at the specified path. -
File Handling: The archive is created at
/tmp/bakup.file, its contents are sent to the client, and the temporary file is then deleted from the device. -
Code Confirmation (from
webmgntreverse engineering):C
// Function: mbox-config_GET_system_config_backup sprintf(acStack_110,"sysupgrade -b %s >> /dev/null","/tmp/bakup.file",in_a3,puVar1); // Creates backup system(acStack_110); strcpy(&download_filename,"bakup.file"); // Sets download filename return 0;
-
-
Phase IV: Formulation of the Exploit Strategy - The Path to Dominion
- Hypothesis: If
/etc/shadowcan be downloaded, and a configuration restore function exists, it might be possible to overwrite/etc/shadowwith a modified version. - The Plan:
- Download the
bakup.filearchive. - Extract the archive. Modify the
etc/shadowfile within it to replace therootuser’s password hash with a known hash (e.g., generated usingpasslib.hash.md5_cryptformd5crypt). - Re-package the modified
/etcdirectory (including the alteredetc/shadowand optionally other files like a custom/etc/bannerand modified/etc/config/dropbear) into a newtar.gzarchive. - Identify the corresponding configuration restore function. This was hypothesized and later confirmed to be triggered by
section=system_load_config. - Upload the modified archive via this restore function.
- If the restore function overwrites files based on the uploaded archive’s contents, the live
/etc/shadowon the device will be replaced. - A subsequent reboot (often part of a restore process) should activate the new root password, granting SSH access with root privileges.
- Download the
- Hypothesis: If
-
Phase V: Analyzing the Restore Mechanism (Server-Side)
-
File Upload Handling: Analysis of
webmgntconfirmed thatmultipart/form-datauploads associated with actions likesystem_load_configsave the uploaded file to the fixed path/tmp/bakup.fileon the device. -
Trigger: The
section=system_load_configrequest, when receiving a file upload, invokes thembox-config_SET_system_load_configfunction. -
Core Operation: This function executes the shell command:
Bash
sleep 2 && sysupgrade -r /tmp/bakup.file && reboot & >> /dev/nullsysupgrade -r <archive>: This is the standard OpenWrt command to restore configuration from the specified archive. It extracts the archive’s contents to the root filesystem (/), overwriting any existing files that match paths within the archive. This is the key to overwriting/etc/shadow.&& reboot: Ensures the device restarts immediately after the restore, applying the changes.
-
Code Confirmation (from
webmgntreverse engineering):C
// Function: mbox-config_SET_system_load_config sprintf(acStack_110,"sleep 2 && sysupgrade -r %s && reboot & >> /dev/null","/tmp/bakup.file",in_a3,puVar1); // Restores and reboots system(acStack_110); -
Invocation: The restore is triggered by sending the modified archive as part of an HTTP
POSTrequest withmultipart/form-dataencoding to:POST http://192.168.10.254/cgi-bin/mbox-config?method=SET§ion=system_load_config
-
Phase VI: Execution & Confirmation - The Omnissiah’s Blessing
-
The Ritual: A Python script (
shadow_infiltrator.txt) was crafted to automate the entire process: authentication, backup download, shadow file modification (replacing root hash with one for password “toor”),etc/config/dropbearmodification (to enable banner), creation of/etc/banner, re-archiving, and uploading the modified archive. -
Triumphant Result: The exploit worked as planned. After the device rebooted (which took approximately 5 minutes, a “nail-biter” moment), SSH access as
rootwith the new password was successful. -
Proof of Dominion (Verbose Log Snippet from
shadow_infiltrator.txt):[+] OMNISSIAH BE PRAISED! Cogitator 192.168.10.254 is responding after 312s. [+] Reboot sequence complete. Initiating final verification via SSH... ... [*] Server Banner: ------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 01001000 01100101 01110010 01100101 01110100 01101001 01100011 01110011 + ... + Unauthorized Access is Techno-Heresy. + + Glory to the Machine God! + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ------- [+] Secure Channel Established. Issuing 'id' command... [*] Cogitator Response (stdout): uid=0(root) gid=0(root) [SUCCESS] Root access confirmed! uid=0(root) detected.
Vulnerability Summary: The root compromise is achieved by chaining two vulnerabilities:
- Information Disclosure: The
system_config_backupfunction (mbox-config?method=GET§ion=system_config_backup), through its use ofsysupgrade -b /tmp/bakup.file, creates and allows an authenticated user to download an archive containing sensitive files, including/etc/shadow. - Insecure File Overwrite via Arbitrary Archive Upload: The
system_load_configfunction (mbox-config?method=SET§ion=system_load_config) saves any user-uploaded file to/tmp/bakup.fileand then passes this fixed path tosysupgrade -r /tmp/bakup.file. This command extracts the archive to the root filesystem, blindly overwriting any existing files with those from the archive.
By downloading the backup, modifying /etc/shadow within it, and uploading the tampered archive via the restore function, an authenticated attacker gains full root administrative control over the device after it reboots.