So says the Raritan website. Any PC running a standard browser? In other words, any Windows machine running a browser capable of running ActiveX controls. This is ironic, of course, considering that the IP Reach itself is just a Linux box, albeit a very locked-down one.
Here's how to get in:
Method One
- Log into the IP Reach console
- Select the Diagnostics option
- Type the following: ping;$'\163\163\150\144'
- Connect to the IP Reach's IP address via SSH
- Log in as root, with password raritan
The Diagnostics console is a poorly-designed wrapper around the UNIX shell. It only allows you to execute a few real commands, but neglects to filter out shell special characters like the semicolon and dollar sign. Just doing ping;ls won't work, though, because everything after the semicolon gets converted to uppercase for some reason. Doing ping;$SHELL is no good either, because while the shell will run, the console doesn't give you direct input and output for the commands you run - it waits for the command to exit and then prints its output. Fortunately, the shell in question is bash, which allows you to encode octal characters with a special syntax that uses no lower-case letters. \141 is 'a', and \172 is 'z', for example. The command we're running above is 'sshd'. The root password was a lucky guess.
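One way a diagnostics wrapper like this could close the hole, as an added example (not Raritan's code and not part of the original post): the input is checked against an allowlist and ping is started from an argument list, so no shell ever parses what the operator typed. The function names and the ping options are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphen. No shell metacharacter can match.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# The input from Method One, copied from the page.
PAGE_PAYLOAD = r"ping;$'\163\163\150\144'"

def parse_target(text):
    """Return a validated ping target, or raise ValueError."""
    text = text.strip()
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    if len(text) <= 253 and all(_LABEL.fullmatch(l) for l in text.split(".")):
        return text
    raise ValueError("not an IP address or hostname: %r" % text)

def build_ping_argv(user_input):
    """Build argv for a hypothetical 'ping <target>' diagnostics command."""
    parts = user_input.split()
    if len(parts) != 2 or parts[0] != "ping":
        raise ValueError("usage: ping <target>")
    # "--" ends option parsing, so the target can never be read as a flag.
    return ["ping", "-c", "4", "--", parse_target(parts[1])]

def run_diagnostic(user_input):
    """Run the command from an argv list; no shell is involved."""
    return subprocess.run(build_ping_argv(user_input), shell=False,
                          capture_output=True, text=True, timeout=30)

def unchanged_by_uppercasing(text):
    """True if upper-casing leaves the text as it was, i.e. the
    console's case conversion does nothing to this input."""
    return text.upper() == text
```

The upper-casing step never worked as a filter because the octal form contains no lower-case letters to change; validating the target and skipping the shell removes the problem regardless of how the input is encoded.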
Method Two
- Reboot the IP Reach (flip the switch on the back twice)
- Tap the Shift key repeatedly while the unit powers on
- At the LILO menu, type the following: Booting single
The IP Reach boots LILO off a tiny internal hard drive and then runs from an initrd image. While Raritan has taken care to disguise the boot process, you can still interrupt LILO and alter the kernel command line to drop you to a shell instead of booting normally. Since only a shell starts, you'll have to do more work to get anything useful done than with the above.
Once you're in, what can you do? As I said, the root filesystem is a ramdisk, so while you can change things to your heart's content, none of them will survive a reboot. You need to modify the initrd image itself. You can't do it on the IP Reach since the RAM and hard drive are too small to hold a second uncompressed copy of the disk, so you'll need another UNIX machine.
Doing this will probably void your warranty, and maybe break your IP Reach and do any number of other unpleasant things. Proceed at your own risk.
- Mount the internal hard drive
  mkdir /mnt/tmp; mount /dev/hda1 /mnt/tmp
- From another machine, copy off the initrd
  sftp root@ipreach:/mnt/tmp/boot/initrd.img
- Uncompress the initrd
  mv initrd.img initrd.gz; gunzip initrd.gz
- Mount it
  mkdir /mnt/tmp; mount initrd /mnt/tmp -o loop
- Make your changes
- Unmount
  umount /mnt/tmp
- Recompress and rename
  gzip -9 initrd; mv initrd.gz initrd.img
- Copy it back to the IP Reach
  sftp initrd.img root@ipreach:/mnt/tmp/boot/initrd.img
- On the IP Reach again, unmount the hard drive
  umount /mnt/tmp
- Reboot the IP Reach
Unfortunately, I've still been unable to figure out how to get a Linux client to work with the damn thing. Anyone with protocol information, etc., please drop me a line at borked at dee ecks four dot org.