Finding a back door
A quick port-scan looking for open ports showed nothing of interest. Searching through all of the standard menus was fruitless as well. It was time to get creative.
A standard technique for accessing the internals of device such as these is to look for back doors. Developers of these devices need easy visibility into the running system and often leave a way to get in or to run tests. Sometimes this requires special development hardware, but it is also common for developers to get into the device through the a network connection.
The obvious place to start looking was in the web interface. I had noticed that all of the Administration menus were in a web subdirectory named Management. Since I knew that webservers can provide a listing of the contents of a directory depending on the webserver configuration, I decided to try this simple exploit by typing http://192.168.3.77/Management/ into my web browser. Bingo! I was rewarded with a complete listing of all of the files in the directory.
Ed. Note: This directory listing ability has been removed as of the V2.3R25 NSLU2 firmware
Included in the list of jpg and html files was a little gem called telnet.cgi. Step one complete. A potential back door discovered. Execution of the script showed the following screen:
Figure 2: Telnet enable screen
Disregarding the warning, I pushed the "Enable Telnet" button. The web page refreshed and I was greeted with the same screen except the message indicated that Telnet was now enabled! One step closer...