LaFonera: Hacks for shell access
The subsidised WLAN router from FON has long been a target for hackers attempting to inject their own applications on the inexpensive platform or even to switch out the entire firmware. FON tries to bar the door by bulk heading the router against external access: users are not provided Telnet, SSH or web access to the router. FON's servers alone can access the router via SSH as part of configuration duties. Two students, Stefan Tomanek and Michael Kebe, now claim to have succeeded in gaining shell access to one of the devices.
To do so they worked with a vulnerability in the processing of parameters in shell scripts that are transmitted by FON with each reboot. Among other items, the user-defined ESSID is added into the start script – within quotation marks. Instead of the ESSID, however, external shell commands can be planted there and are then executed when the router adds in additional quotation marks as part of its normal procedure. Yet there are additional hurdles to getting the router to that point. The students moulded the results of their efforts into a Perl script that starts the SSH server on the router and hence allows for direct access to additional configuration settings.
Hence access to the new FON model "LaFonera" is only possible for those users who find hardware tinkering heavy going. Because "LaFonera" already offers a serial connection through which one can communicate with a console. A level convertor is needed, as is the nerve to crack open the case. The predecessor model of the FON router, based on the Linksys WRT54G, was also relatively vulnerable to the injection of new firmware.
- Hacking the La Fonera, directions from Stefan 'tommie' Tomanek