† Wolfgang H. Franke


ECI Telecom Hi-FOCuS ATU-R telnetd

memory-patch to circumvent the login

Telnet access for version 4.19 is obtained by using the information on what bit to patch in memory from the description Zugang zum "ANET_MAN>" Prompt mit vxgdb ("Access to the "ANET_MAN>" prompt with vxgdb"), with the wtxtcl command wtxMemSet 0x00068b20 4 0x38600001 (li r3,1).

intro

Some versions of the device include an active telnetd that is protected by an unknown authentication.

what does it look like?

The unit answers on port 23/tcp (telnet), probably showing telnetLib:


VxWorks <vxTarget>

login : target
password : ********
Login/Password incorrect
login :

With the memory patched to circumvent the login, the output looks like this:


VxWorks <vxTarget>

login :
ANET_MAN >

At this point you should read the ANET_MAN/SU_MAN commands (CLI-reference).

After five invalid login attempts the unit responds:

Logon  limit  exceeded, bye bye

There is also a login timeout of P5m:

Timeout expired, bye bye

When trying to open a second telnet-session the unit responds:

Busy with another client, try again later ...

According to the VxWorks Reference Manual 5.4 Edition 1, the login security facility is installed, so telnetLib uses loginLib:

This library provides a login/password facility for network access to the VxWorks shell. When installed, it requires a user name and password match to gain access to the VxWorks shell from rlogin or telnet.

[…]

The login security feature is initialized by the root task, usrRoot(), in usrConfig.c, if the configuration macro INCLUDE_SECURITY is defined. Defining this macro also adds a single default user to the login table. The default user and password are defined as LOGIN_USER_NAME and LOGIN_PASSWORD.

LOGIN_USER_NAME:LOGIN_PASSWORD are defined as target:password.

[…]

The name/password pairs are added to the table by calling loginUserAdd(), which takes the name and an encrypted password as arguments. The VxWorks host tool vxencrypt is used to generate the encrypted form of a password.

[…]

This can be done from the shell, a start-up script, or application code.

There is also a paragraph about the handling of invalid attempts and the encryption algorithm:

The delay in prompting between unsuccessful logins is increased linearly with the number of attempts, in order to slow down password-guessing programs.

[…]

This library provides a simple default encryption routine, loginDefaultEncrypt(). This algorithm requires that passwords be at least 8 characters and no more than 40 characters.

The routine loginEncryptInstall() allows a user-specified encryption function to be used instead of the default.

memory-patch to circumvent the login

The wtxtcl code for patching the telnetd access is ready to work with any version. Use it with the jjaf.de ECI-ATU-memory-readout script package, executing telnetd-patch.tcl instead of the wtxtcl.cmd supplied with the package. It gives the following output:

jjaf.de ECI ATU-R telnetd-patch 1.0.0 (wtxtcl)
update on http://jjaf.de/support/eci/atu-r/telnetd/
---------------------------------------------------
registered targets:
{eci@station-5 tgtsvr rpc/station-5/192.168.20.5/570425345/1/tcp/1035}
{wtxregd@station-5 registry rpc/station-5/192.168.20.5/570425344/1/tcp}

connecting to eci: eci@station-5

model: Hi-FOCuS ANeT board - 850 SAR
memory: 0 + 4194288
CPU-type: 97
hasWriteProtect: 0
OS: type 1, version 5.4
bootline: 'cpm(0,0)ganesh:kuku g=192.168.20.10 e=192.168.20.80:ffffff00'

setting up code-signature
scanning memory for code-signature ...
changing 'li r3,0x0' to 'li r3,0x1'
{} 4 {00068b20} {38600000} {li r3, 0x0 (0)}

{} 4 {00068b20} {38600001} {li r3, 0x1 (1)}

exit.

This is currently untested with versions other than 4.19 (ac218bu, ac220bu)! If you happen to test it on another version, report the result!
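To check a memory readout for this kind of change, the following added example (not part of the jjaf.de script package) compares a baseline image with a later readout and reports every word where an 'li r3,X' instruction was altered; r3 carries the return value in the PowerPC calling convention. The function names are hypothetical, and the sample bytes around 0x00068b20 are constructed from the two words shown in the output above.

```python
import struct

def decode_li(word):
    """Return (rD, simm) if word is PowerPC 'li rD,simm' (addi rD,0,simm), else None."""
    opcode = word >> 26            # primary opcode, 14 = addi
    rd = (word >> 21) & 0x1F       # destination register
    ra = (word >> 16) & 0x1F       # rA == 0 makes addi behave as li
    if opcode != 14 or ra != 0:
        return None
    simm = word & 0xFFFF
    if simm & 0x8000:              # sign-extend the 16-bit immediate
        simm -= 0x10000
    return rd, simm

def diff_images(baseline, readout, base_addr=0):
    """Yield (addr, old, new) for each differing 32-bit big-endian word."""
    n = min(len(baseline), len(readout)) & ~3
    for off in range(0, n, 4):
        old, = struct.unpack_from(">I", baseline, off)
        new, = struct.unpack_from(">I", readout, off)
        if old != new:
            yield base_addr + off, old, new

def flag_return_flips(baseline, readout, base_addr=0):
    """List (addr, old_imm, new_imm) where 'li r3,X' became 'li r3,Y'."""
    findings = []
    for addr, old, new in diff_images(baseline, readout, base_addr):
        a, b = decode_li(old), decode_li(new)
        if a and b and a[0] == b[0] == 3:
            findings.append((addr, a[1], b[1]))
    return findings

# Constructed sample: three words starting at 0x00068b1c (mflr r0; li r3,N; blr).
# Only the middle word values (38600000 / 38600001) come from the page.
BASE_ADDR = 0x00068B1C
BASELINE = struct.pack(">3I", 0x7C0802A6, 0x38600000, 0x4E800020)
READOUT = struct.pack(">3I", 0x7C0802A6, 0x38600001, 0x4E800020)

if __name__ == "__main__":
    for addr, old_imm, new_imm in flag_return_flips(BASELINE, READOUT, BASE_ADDR):
        print(f"{addr:08x}: li r3,{old_imm} -> li r3,{new_imm}")
```
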

This work is licensed under a Creative Commons License