* Posts by jamesmacwhite

2 publicly visible posts • joined 18 May 2017

We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70'. Our survey says... Top answer!

jamesmacwhite

There is also a hidden way to enable SSH (even after EE disabled it): Alcatel or EE have developed a button trigger that will enable the dropbear service.

If you hold the WPS button for 15 seconds or more and then release it, this triggers the following code:

    #!/bin/sh

    logger the button was $BUTTON and the action was $ACTION the time is $SEEN

    if [ "$BUTTON" = "wps" -a "$ACTION" = "released" -a "$SEEN" -ge 15 ];then
        logger enable dropbear the time is $SEEN
        uci set dropbear.@dropbear[0].enable='1'
        /etc/init.d/dropbear start
    fi

This is present in /etc/hotplug.d/button/buttons on the router filesystem.

Someone goofed on the uci set, because uci commit is never called, but it starts the dropbear service anyway, so SSH access restored! You can then set up pub key authentication and disable the password auth option so the SSH access is secure.

The original report picked up hard-coded sshpass commands that pointed at the modem side of the router (192.168.225.1), which also has the same root password, although changing that is probably a bit riskier, given the binary has hardcoded references to it. You can however secure the router SSH without breaking anything.

The router modem has always been able to be accessed via SSH (still is), but instead of using the 192.168.225.1 IP, you'd use the IPv4 address assigned as displayed in the web interface, usually 19.x.x.x something.
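
An added example, not part of the post above or of the router firmware: a static audit that can be run over an unpacked firmware root to surface button handlers like the one quoted in the post. The function names, finding labels and daemon list are assumptions of this example, and the sample handler is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example: audit button hotplug handlers in an unpacked firmware root.
DAEMONS='dropbear|telnetd|sshd'   # assumption: daemons treated as remote access

# Print one finding per line for each handler under ROOT/etc/hotplug.d/button.
audit_button_hooks() {
    dir="$1/etc/hotplug.d/button"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rel=${f#"$1"}
        # 1. Handler starts a remote-access daemon through its init script.
        grep -nE "/etc/init\.d/($DAEMONS)[[:space:]]+(start|restart)" "$f" |
            sed "s|^|START-DAEMON $rel:|"
        # 2. "uci set" with no "uci commit": the change is staged only, so the
        #    saved config is unchanged and a review of it alone shows nothing.
        if grep -qE '^[[:space:]]*uci[[:space:]]+set[[:space:]]' "$f" &&
           ! grep -qE '^[[:space:]]*uci[[:space:]]+commit' "$f"; then
            echo "UNCOMMITTED-UCI-SET $rel"
        fi
        # 3. Hold-time condition on $SEEN, i.e. a deliberate long-press trigger.
        grep -nE '"\$SEEN"[[:space:]]+-g[et][[:space:]]+[0-9]+' "$f" |
            sed "s|^|LONG-PRESS $rel:|"
    done
    return 0
}

# Constructed sample: a temp root holding the handler lines quoted in the post.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/hotplug.d/button"
    cat > "$root/etc/hotplug.d/button/buttons" <<'EOF'
#!/bin/sh
if [ "$BUTTON" = "wps" -a "$ACTION" = "released" -a "$SEEN" -ge 15 ];then
uci set dropbear.@dropbear[0].enable='1'
/etc/init.d/dropbear start
fi
EOF
    echo "$root"
}

sample=$(make_sample_root)
audit_button_hooks "$sample"
rm -rf "$sample"
```

Point the function at the directory where the firmware image was extracted; an empty result means no button handler matched any of the three checks.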

Dell BIOS update borks PCs

jamesmacwhite

Re: Dell BIOS update may be a security fix

It is, same for the slightly older 9550 model, though I applied the BIOS update only a few days ago and everything went OK.