Monday, November 27, 2006

Updates explained and bridging mode

Yesterday I updated my La Fonera manually to version 0.7.1-1. There is an update available, which really flashes the La Fonera. The update of the autoupdate is just a gzipped tarball containing updated files. I updated it without flashing, so in case of any bricking stuff I can reset my La Fonera. Stefan is hosting information about it.

Finally the bridging mode with the private network works. It was really annoying that associated clients with the private network are masqueraded. Associated clients could access the LAN, but hosts of the LAN could not acces associated clients of the private signal.
With the bridging mode associated clients are in the same subnet of the LAN - no more masquerading is needed. The bridging mode only affects the private signal, the public FON hotspot still uses masquerading.

Frederik released a script for the bridging mode, but the FON hotspot did not function. I changed reworked it and now it works like a charm. Please start it manually and do not put it in /etc/init.d/. It possible it will not work with any version. It tried 0.7.1 rev 1 only.

Ok, here it is. You have to replace XX-XX-XX-XX-XX-XX with the MAC of the public FON hotspot! Please use it only if you know what you are doing.

#!/bin/ash
echo "Setting up LAN bridge"

# Kill DHCP server+ client
/usr/bin/killall dnsmasq
/usr/bin/killall -9 udhcpc

# create bridge interface
/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 off
/usr/sbin/brctl setfd br0 0

# shutdown/remove IPs from the old interfaces
/sbin/ifconfig eth0:1 down
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig ath1 0.0.0.0

# bring up the bridge interface
/sbin/ifconfig br0 up

# add the old interfaces to the bridge
/usr/sbin/brctl addif br0 ath1
/usr/sbin/brctl addif br0 eth0

# Set IP for the bridge
/sbin/udhcpc -i br0 -R # get new IP via dhcp
#/sbin/ifconfig br0 192.168.0.103 # static IP

# set firewall rules
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT

# add bridge to hostapd.conf and restart hostapd (allows to use WPA)
[ `grep -c bridge=br0 /tmp/hostapd.conf` = "0" ] && echo bridge=br0 >> /tmp/hostapd.conf
/usr/bin/killall killall hostapd
/usr/sbin/hostapd -B /tmp/hostapd.conf

# stopping chillispot
/etc/init.d/N50chillispot stop

# bringing ath0 (hotspot interface) down
/sbin/ifdown hotspot

# bringing it manually up
wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid "FON_AP"
ifconfig ath0 up

# restarting dnsmasq but without dhcp
dnsmasq

# restarting chilli
chilli --dns1=192.168.1.222 --dns2=192.168.1.222 --radiusnasid=XX-XX-XX-XX-XX-XX --dhcpif ath0

# configuring iptables
iptables -R NET_ACCESS 6 -i br0 -j ACCEPT
iptables -R NET_ACCESS 7 -o br0 -j ACCEPT
iptables -t nat -R POSTROUTING 2 -o br0 -j MASQUERADE

Friday, November 24, 2006

La Foneras want an autoupdate

FON wants all La Foneras to update. Here is the shellcode to be executed:

cd /tmp
wget http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon
/bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon

rm -f /tmp/.thinclient.sh

exit
It will upgrade the La Fonera to 0.7.1 rev 1.

Btw, if you want to have a look into the .fon files you can use this short unfonify.sh script:
#!/bin/sh
SIZE=$(du -b $1 | cut -f1)
tail -c $((SIZE-519)) $1 > $1.tar.gz
Usage: unfonify.sh upgrade.fon
It will cut off the first bytes containing the signature and generate a gzipped tarball, which you can easily extract.

WARNING: If you still waiting for your La Fonera and want to gain ssh access, you should NOT connect it to the internet. Just plug in the powercable, connect to the private network (the WPA key is the serial no.) and exploit it via the webinterface.

New Fonera Firmware v0.7.1 rev 1

As you can read on the german blog FON released a new firmware for the La Fonera. It's too bad they are not releasing the source along with it. I postet a comment on the blog, but it needs further aproval.

Among other things the changelog says:
"[Web interface] Corrected bug that caused a security problem when using strange characters on the forms."
We will see if FON fixed the holes to get into the blackbox.

Btw, yesterday we (Stefan and me) had a short meeting with Florian Forster in Cologne. He contacted us a few days after releasing our hack and is responsible for marketing in Germany. In the next days I will post a little bit about it. Here is a picture of his business card (of course some informations are disguised).

Monday, November 20, 2006

2nd Hack

BingoBommel released another hack without using the webinterface of Fon which is fixed anyway. He also offers two HTML files to make it very easy to start and open SSH.

BingoBommel uses one security hole, but there are more vulnerabilities in the webinterface of the La Fonera enabling code injection...

Wednesday, November 08, 2006

FON fixed it

It looks like FON has fixed their webinterface. It is no longer possible to submit manipulated ESSIDs to the remote configuration interface.

If you try it anyway, the section in the shell script is just gone. Same for the ESSID of your private network.

Tuesday, November 07, 2006

We did it, that's why

The release of "Hacking the La Fonera" set of an avalanche of discussions. To explain our motives we released "Hacking the La Fonera: Why we did it".

Feel free to post comments.

Sunday, November 05, 2006

Open your La Fonera

We decided to publish a guide to "open" your La Fonera. Stefan is hosting it here. You will find a detailed description of the remote configuration of La Fonera. Besides, a small Perl script is available to easily execute any shell code.

Saturday, November 04, 2006

So FON decided not to read the man page, which turned out rather nasty...

After a little bit experimenting and a short chat with Stefan Tomanek, we successfully injected some code into the La Fonera without opening it.

We are now able to connect via SSH (dropbear) to the La Fonera.

So guys, get yourself a free La Fonera (at least in germany)!

And thanks Stefan!

The SSH Connection

La Fonera uses the dropbear SSH client with public key authentication. The private key of La Fonera is available in the sources (/etc/dropbear/key) and here. It looks like every La Fonera uses the same private key with no passphrase. You can connect to download.fon.com and get the shell script (described earlier), if you type:

echo "mode='start' wlmac='FONERASWLANMAC' mac='FONERASETHERNETMAC' fonrev='4' firmware='0.7.0' chillver='1.0' thclver='1.0' device='fonera'" | dbclient -T -i PATHTOTHEPRIVATEKEY -p 1937 openwrt@download.fon.com

Fonera phones home

Fonera starts a small sript thinclient at every bootup and every hour. The thinclient connects via SSH to download.fon.com:1937 and sends its mac addresses and version. It gets back a shell script which is dropped at /tmp/.thinclient.sh. This shell script is executed by the thinclient. Fon could paste any code there and has full control of La Fonera...

Normally the shell script contains harmless code:

rm -f /tmp/.thinclient.sh
exit
But you can configure La Fonera via the webpage of FON. You can change the WPA key of the private WLAN, change the admin password, change the ESSIDs. If you do so the sended script looks different.

Updating your ESSIDs:
# begin # setssidprivate
awk -v cfgfile="/etc/config/fon" -v "updatestr=private.essid=YOURPRIVATEESSID" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
cfg = read_file(cfgfile)
print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
mv /etc/config/fon.new /etc/config/fon
ifup lan
else
rm /etc/config/fon.new
fi
# end # set ssid fonera

# begin # set ssid fonera
awk -v cfgfile="/etc/config/fon" -v "updatestr=public.essid=YOURPUBLICESSID" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
cfg = read_file(cfgfile)
print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
mv /etc/config/fon.new /etc/config/fon
iwconfig ath0 essid FON_'YOURPUBLICESSID'
else
rm /etc/config/fon.new
fi
# end # set ssid fonera
rm -f /tmp/.thinclient.sh
exit
Updating your WPA key:
# begin # setwpapassword
awk -v cfgfile="/etc/config/fon" -v "updatestr=private.password=YOURWPAPASSWORD" -f /usr/lib/webif/uci-update.awk -f - > /etc/config/fon.new <<EOF
BEGIN {
cfg = read_file(cfgfile)
print update_config(cfg, updatestr)
}
EOF
if [ $? -eq 0 ]; then
mv /etc/config/fon.new /etc/config/fon
ifup lan
else
rm /etc/config/fon.new
fi
# end # setwpapassword
rm -f /tmp/.thinclient.sh
exit

Playing with La Fonera

I will post here some informations I discovered while playing with "La Fonera".