SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

Resetting Linux Passwords with U-Boot Bootloaders

Published: 2022-04-19
Last Updated: 2022-04-19 13:43:21 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Recently, I went shopping on eBay again. While I do not recommend using used equipment from eBay for production, surplus equipment can be a great opportunity to supplement a home lab. This time, I picked up a Netoptics Director including inline modules for about $100. Overall a pretty nice deal. Of course, equipment like this usually comes with no warranty, and vendor support can be spotty, in particular as Netoptics now only exists as a part of IXIA, and IXIA has been purchased by Keysight. I am not sure how long ago the Director line of equipment went "EOL"; I was only able to find manuals on third-party websites. But making equipment like that work is part of the fun.

The device arrived and looked in reasonable condition and booted up. I was even able to get the serial console working on the first try (this unit had a DB9 serial connector which takes the guesswork out of which RJ45 adapter I need to use).

But... the default username/password did not work (admin/netoptics). I also wasn't able to connect with ssh, even though it looked like the unit was using the default IP address (but maybe some filter was set up?). So my goal was to reset the password.

There are two passwords in play:

- The Linux user password. There are two users: root and "customer".
- The Netoptics password. After boot, the system started the custom software, and it maintains its own username/password combination. This is the password I needed to figure out at this point.

Most modern Linux systems use the grub boot loader. With grub, you are able to change kernel parameters during boot pretty easily. This system, like many similar "embedded" Linux systems, used u-boot, a different bootloader that works a bit "oddly" (at least to me as a grub user).

You start the system and press any key early in the boot process. You are now presented with a u-boot prompt. Most guides suggest setting the "bootargs" variable at this point [1]. But this didn't work.

A bit about how u-boot works:

In u-boot, you set environment variables to commands, and then you execute the environment variable (at least that is my best understanding of the process). But this device did overwrite the "bootargs" variable as part of the bootup process.

A few different environment variables (= commands) are defined for different boot processes. They all look like:

cfcfboot=run setcfargs;ext2load ide 0:1 $loadkernaddr uImage;bootm $loadkernaddr

(there are different boot mechanisms. I am using the "cfcfboot" as a sample)

You now need to hunt down the different variables referenced. Most importantly, "setcfargs":

setcfargs=setenv bootargs root=/dev/$cfdrive rw ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off console=$consoledev,$baudrate $othbootargs

Note how it overwrites bootargs (setenv bootargs). But it offers a path to append your own parameters with "$othbootargs". So in the end, the solution was:

setenv othbootargs single init=/bin/sh
bootd
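To see why setting "bootargs" at the prompt had no effect, it helps to trace the chain of "run" and "setenv" statements the way u-boot's shell would. The following script is an added example, not code from the diary or from Netoptics: it parses a printenv-style environment dump, expands $name references, follows "run" into other variables, and reports the kernel command line that a given boot entry ends up with. The environment below is constructed from the two variables quoted above plus assumed values for the address and console variables, and it assumes a "bootcmd=run cfcfboot" entry, which is not shown in the diary.

```python
import re

# Constructed printenv-style dump. cfcfboot and setcfargs are the lines quoted
# in the diary; every other variable (bootcmd, ipaddr, cfdrive, ...) is an
# assumed value so the chain can be resolved offline.
SAMPLE_ENV = """\
bootcmd=run cfcfboot
cfcfboot=run setcfargs;ext2load ide 0:1 $loadkernaddr uImage;bootm $loadkernaddr
setcfargs=setenv bootargs root=/dev/$cfdrive rw ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off console=$consoledev,$baudrate $othbootargs
cfdrive=hda1
ipaddr=192.0.2.10
serverip=192.0.2.1
gatewayip=192.0.2.1
netmask=255.255.255.0
hostname=director
netdev=eth0
consoledev=ttyS0
baudrate=9600
loadkernaddr=0x1000000
"""

VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_env(text):
    """Parse NAME=VALUE lines (printenv output) into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name.strip()] = value
    return env


def expand(value, env):
    """Expand $name / ${name}; unset variables expand to the empty string."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), ""), value)


def simulate(env, command, trace, depth=0):
    """Walk a ';'-separated command string: follow `run`, apply `setenv`,
    and only record any other command (ext2load, bootm) in `trace`."""
    if depth > 16:
        raise RecursionError("run chain too deep (loop?)")
    for stmt in command.split(";"):
        words = expand(stmt, env).split()
        if not words:
            continue
        if words[0] == "run":
            for name in words[1:]:
                trace.append(f"run {name}")
                simulate(env, env.get(name, ""), trace, depth + 1)
        elif words[0] == "setenv" and len(words) >= 2:
            if len(words) == 2:
                env.pop(words[1], None)          # `setenv NAME` unsets NAME
            else:
                env[words[1]] = " ".join(words[2:])
            trace.append(f"setenv {words[1]}")
        else:
            trace.append(" ".join(words))


def boot(env_text, entry="bootcmd", overrides=None):
    """Return (bootargs, trace) after running `entry`. `overrides` are applied
    first, as if typed as `setenv NAME VALUE` at the u-boot prompt."""
    env = parse_env(env_text)
    env.update(overrides or {})
    trace = []
    simulate(env, env.get(entry, ""), trace)
    return env.get("bootargs", ""), trace


def append_hooks(env_text):
    """Names referenced inside a `setenv bootargs ...` statement that are not
    defined anywhere in the environment: the only places where extra kernel
    parameters survive the overwrite."""
    env = parse_env(env_text)
    hooks = set()
    for value in env.values():
        for stmt in value.split(";"):
            if stmt.split()[:2] == ["setenv", "bootargs"]:
                hooks.update(n for n in VAR_RE.findall(stmt) if n not in env)
    return sorted(hooks)


if __name__ == "__main__":
    print("hooks:", append_hooks(SAMPLE_ENV))
    # Setting bootargs directly is clobbered by setcfargs...
    print(boot(SAMPLE_ENV, overrides={"bootargs": "init=/bin/sh"})[0])
    # ...while othbootargs is appended to the final command line.
    args, trace = boot(SAMPLE_ENV, overrides={"othbootargs": "single init=/bin/sh"})
    print(args)
    print("\n".join(trace))
```

Run against a real printenv dump (minus the constructed values), the same walk shows exactly which variable the vendor left as an append hook and what command line the kernel will actually receive, which is also useful when auditing a device for boot-time parameters you did not expect.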

This got me into a single-user shell and allowed me to use the Unix "passwd" command to set the Linux user password for "root" and "customer". But I also needed to adjust the password for the Netoptics application user. After a bit of hunting, I found this file:

/home/users/customer/cur_image/userHeader.xml

A simple XML file with clear text usernames and passwords (I redacted the passwords and the one username that looked like the last name of one user and was pretty unique):

<users>
  <user><name>admin</name><passwd>REDACTED</passwd><privilege>1</privilege></user>
  <user><name>operator</name><passwd>REDACTED</passwd><privilege>2</privilege></user>
  <user><name>anonymous</name><passwd>REDACTED</passwd><privilege>3</privilege></user>
  <user><name>REDACTED</name><passwd>REDACTED</passwd><privilege>1</privilege></user>
  <user><name>*admin</name><passwd>REDACTED</passwd><privilege>1</privilege></user>
</users>

So I edited the file with vi, and I was ready to go.
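When decommissioning or buying a device like this, a small checker for that file layout makes the problem visible at a glance. The script below is an added example, not part of the diary and not Netoptics code: it parses a userHeader.xml-shaped document and flags accounts with empty passwords, passwords that are stored in clear text rather than as a recognizable hash, and accounts at privilege level 1. The sample XML is constructed (made-up names and secrets), and treating privilege 1 as the administrative level is an assumption based on the "admin" entry in the diary's listing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of userHeader.xml; all values are made up.
SAMPLE_XML = """<users>
  <user><name>admin</name><passwd>changeme</passwd><privilege>1</privilege></user>
  <user><name>operator</name><passwd>op-pass</passwd><privilege>2</privilege></user>
  <user><name>anonymous</name><passwd></passwd><privilege>3</privilege></user>
  <user><name>*admin</name><passwd>another</passwd><privilege>1</privilege></user>
</users>
"""

# Heuristic for "looks hashed": crypt-style $id$salt$hash or a bare hex digest.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[0-9a-f]{32,128})$", re.I)

ADMIN_PRIVILEGE = 1  # assumption: lowest number is the most privileged level


def parse_users(xml_text):
    """Return a list of {name, passwd, privilege} dicts from the XML."""
    root = ET.fromstring(xml_text)
    users = []
    for u in root.findall("user"):
        users.append({
            "name": u.findtext("name", ""),
            "passwd": u.findtext("passwd", "") or "",
            "privilege": int(u.findtext("privilege", "0") or 0),
        })
    return users


def audit(users):
    """Return (name, finding) pairs for anything worth cleaning up before a
    device changes hands or goes into service."""
    findings = []
    for u in users:
        if not u["passwd"]:
            findings.append((u["name"], "empty password"))
        elif not HASH_RE.match(u["passwd"]):
            findings.append((u["name"], "password stored in clear text"))
        if u["privilege"] == ADMIN_PRIVILEGE:
            findings.append((u["name"], "privilege 1 (administrative) account"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_users(SAMPLE_XML)):
        print(f"{name:12s} {finding}")
```

Because the file is plain XML, the same parser can be pointed at the real file on a mounted disk image to list every account that was left behind, which is the inventory you want before wiping or re-provisioning the unit.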

Side note: PLEASE RESET EQUIPMENT BEFORE YOU SELL IT!!!

The system logs left on the device went back to 2008! The FTP daemon logs recorded passwords in clear text as well (no surprise given that they were from 2008/2009). Aside from the fairly unique username, I didn't find any good indicator as to which organization the device came from, but I am not really sure I want to know. I just deleted the logs and, well, now have a decent tap for my home network after the fan in my old Gigamon met an untimely and very noisy death. The Netoptics device isn't quite as feature-rich, but it works well for the home lab and may actually be a bit better (as it is simpler).

A simple "reset to factory default" option should be mandatory. For Netoptics, I do see a "factory default" reset, but it just resets the configuration; it does not remove logs or saved configuration files. U-Boot has an EEPROM erase, but as far as I can tell it will brick the device. Boot loaders can be protected with passwords, but that would not protect unencrypted data on internal disks that can be removed and mounted on another system.

[1] http://nerveware.org/u-boot-cheat-sheet/1.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
