TP-Link configuration file decrypt

Sat, 31 May 2014 12:00:00 +0100

Some routers allow you to save and restore the configuration from a file locally. This is nice because by saving the configuration, altering the file and uploading it again, you can change settings not exposed in the interface.
For example, on my D-Link DSL-2640B I could disable a broken QoS which was slowing down the download speed just by setting X_BROADCOM_COM_ATMEnbQos to FALSE.

When I got a TP-Link wireless access point, I tried the same trick but found that they had started encrypting the configuration file, making it impossible to edit manually.

Hacking the OSBRiDGE 24XLGi

Tue, 06 May 2008 01:20:00 +0100

The target

A friend gave me an OSBRiDGE 24XLGi; its case had broken and it was no longer suitable for outdoor use.
The router is pretty locked down: a network scan doesn’t reveal any open ports other than the web interface, and connecting to the serial port reveals a crippled bootloader.
Firmware upgrades are done via the web interface, and the firmware is checked for integrity.

Finding a command injection

The web interface has the usual features found in a router, along with a “service” page which allows you to ping a host.
I suspected that it just execs ping via the system shell, but the hostname size is limited to 15 characters (12 numbers and 3 dots).
Nothing that can’t be cheated with the browser inspector, so I did it and tried to ping the hostname “192.168.1.129 ; ping 192.168.1.150”, with 192.168.1.129 being my notebook IP and 192.168.1.150 an unused one.

MIPS on Matteo Croce personal homepage

TP-Link configuration file decrypt

Hacking the OSBRiDGE 24XLGi

The target

Finding a command injection