Meaning of the "cgi-bin" command

Hello,

During the preparation of flashing Redmi Router, the following command has to be used.

http://192.168.80.1/cgi-bin/luci/;stok=123abcdeca3fd137bd02bc0692026548/api/xqsystem/extendwifi_connect_inited_router?ssid=op&password=12345678&admin_username=root&admin_password=password&admin_nonce=xxx

Though it was executed successfully, I would like to know the meaning of this command. Is there any reference explaining it?

Does that mean it executes a script on the stock router and tries to connect to another OpenWrt router through WiFi, something like that?

Thanks.

Welcome to the community!

Which make and model?

If you provide that information, someone could link the data sheet, ToH page or code commit which likely has those details. The person who discovered and added the procedure to the commit would know.

From a quick glance, it appears to enable an AP named op with a passphrase of 12345678.

Just curious, if you don't know what it does, how do you know it executed successfully?

1 Like

The make and model is Redmi AX6.

According to the instruction, a message will be displayed in the browser showing that the execution was successful. (like this: {"token":"; nvram set ssh_en=1; nvram set uart_en=1; nvram set boot_wait=on; nvram commit; uci set wireless.@wifi-iface[0].key=mkxqimage -I; uci commit; sed -i 's/channel=.*/channel=\u0022debug\u0022/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;","code":0})

Are you aware of any reference explaining the cgi scripts?

Thanks.

Yes, the Wiki page clearly states this enables SSH access:

No reference explaining it. That URL invokes proprietary vendor GUI code within the LuCI web interface. The OEM extended the web UI with a custom HTTP endpoint (/api/xqsystem/extendwifi_connect_inited_router) which apparently triggers some sort of wifi reconfiguration.

It seems that the vendor failed to implement proper validation of the URL parameters and uses user-supplied values as-is as part of shell commands. This is a textbook shell command injection vulnerability which is exploited to misuse the web interface connect functionality to inject arbitrary commands, in this particular case a command to launch the built-in SSH server.

The URL was likely figured out by disassembling or reverse engineering the vendor firmware image and reading the Lua code responsible for providing the ui HTTP endpoints.

The vulnerability is so obvious and easy to exploit that it almost looks like a deliberate backdoor, but never attribute to malice what can be attributed to sheer incompetence.

5 Likes
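To make the "unvalidated URL parameters spliced into shell commands" point concrete, here is an added example (not vendor code and not from this thread): the unsafe string-building pattern beside a hardened handler that allowlists each parameter and builds argv lists so no shell ever parses the values. The allowlist rules, the `uci` keys used, and the STOK_PLACEHOLDER in the sample URL are assumptions for illustration.

```python
"""Hardened handling of the query parameters a connect endpoint like this receives."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Allowlists (assumed policy): SSID 1-32 printable chars, WPA2 passphrase 8-63
# printable ASCII, admin user a POSIX-style account name.
SSID_RE = re.compile(r"^[\x20-\x7e]{1,32}$")
PSK_RE = re.compile(r"^[\x20-\x7e]{8,63}$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed request in the shape of the thread's URL; the stok value is a placeholder.
SAMPLE_URL = ("http://192.168.80.1/cgi-bin/luci/;stok=STOK_PLACEHOLDER/api/xqsystem/"
              "extendwifi_connect_inited_router?ssid=op&password=12345678&admin_username=root")


def parse_params(url):
    """Return the single-valued query parameters of a request URL as a dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def vulnerable_command(params):
    """The pattern the thread describes: values pasted into one shell string.
    A ';' inside any value ends 'uci set' and whatever follows runs as a new command."""
    return ("uci set wireless.@wifi-iface[0].ssid=%(ssid)s; "
            "uci set wireless.@wifi-iface[0].key=%(password)s; uci commit" % params)


def hardened_argv(params):
    """Validate every value against its allowlist, then build argv lists.
    Without a shell, a metacharacter is just a byte inside a single argument."""
    checks = {"ssid": SSID_RE, "password": PSK_RE, "admin_username": USER_RE}
    for name, pattern in checks.items():
        if not pattern.fullmatch(params.get(name, "")):
            raise ValueError("rejected parameter %r" % name)
    return [
        ["uci", "set", "wireless.@wifi-iface[0].ssid=" + params["ssid"]],
        ["uci", "set", "wireless.@wifi-iface[0].key=" + params["password"]],
        ["uci", "commit"],
    ]


def apply_config(params):
    """Run each validated command with an argv list, never shell=True (needs a real uci)."""
    for argv in hardened_argv(params):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    print(hardened_argv(parse_params(SAMPLE_URL)))
```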

Thank you jow & lleachii

1 Like
