How FON performs updates
After another CGI hack was published, FON pushed another upgrade through its command channel. The following shell code was to be executed on every device:

    cd /tmp
    wget http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon
    /bin/fonverify /etc/public_fon_rsa_key.der /tmp/upgrade.fon
    rm -f /tmp/.thinclient.sh
    exit
The upgrade procedure downloads the upgrade file and verifies its integrity using a public key present on every router. This is done to prevent code injection through the manipulation of DNS records. The program fonverify also seems to be responsible for extracting and installing the upgrade file, which has the following format:
- The header string FON, followed by either the number 3 or 4, indicating the nature of the update:
  - upgrades tagged with 3 are complete new firmware images
  - upgrades tagged with 4 are only smaller hotfix upgrades that just replace particular files
- The next number possibly refers to the size of the following cryptographic signature; until now we have only encountered a value of 512. The script /bin/fonverify does not even read this value and assumes a signature of 512 bytes.
- A 512 byte signature
- The rest of the file is a gzip compressed tar archive
You can simply skip the first 520 bytes (header and signature) and extract the attached archive with this command:

    wget -q -O - http://download.fon.com/firmware/update/0.7.0/4/upgrade.fon | tail -c +520 - | tar xvfz -
I've also written a script called defon.sh to extract FON upgrade archives.
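The format described above, as an added example that is not part of the original page or of fonverify: a small Python checker that splits an upgrade blob into header, signature and archive, and, unlike fonverify, refuses a file whose signature-length field does not match the 512 bytes it is about to skip. It assumes the three header fields are newline-separated text (the page does not state the exact delimiter) and uses a zero-filled placeholder instead of a real RSA signature in the constructed sample.

```python
import io
import re
import tarfile

SIGNATURE_LEN = 512       # only value seen so far; fonverify hard-codes it
UPDATE_KINDS = {3: "full firmware image", 4: "hotfix replacing single files"}
# Assumed layout (not confirmed by the page): newline-separated text fields.
HEADER_RE = re.compile(rb"\AFON\n(\d+)\n(\d+)\n")

def parse_fon_upgrade(data: bytes) -> dict:
    """Split an upgrade blob into header fields, signature and tar members."""
    m = HEADER_RE.match(data)
    if not m:
        raise ValueError("missing FON header")
    kind, sig_len = int(m.group(1)), int(m.group(2))
    if kind not in UPDATE_KINDS:
        raise ValueError(f"unknown update type {kind}")
    # fonverify ignores this field; a checker should not, since a mismatch
    # shifts the archive boundary away from what the signature covers.
    if sig_len != SIGNATURE_LEN:
        raise ValueError(f"unexpected signature length {sig_len}")
    signature = data[m.end():m.end() + sig_len]
    archive = data[m.end() + sig_len:]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    if not archive.startswith(b"\x1f\x8b"):       # gzip magic
        raise ValueError("payload is not a gzip stream")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getnames()
    return {"type": kind, "kind": UPDATE_KINDS[kind],
            "signature": signature, "members": members}

def is_well_formed(data: bytes) -> bool:
    """True when the blob passes the structural checks above."""
    try:
        parse_fon_upgrade(data)
        return True
    except (ValueError, tarfile.TarError):
        return False

def build_sample_upgrade(kind: int, files: dict) -> bytes:
    """Constructed sample blob with a zero-filled placeholder signature."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"FON\n%d\n%d\n" % (kind, SIGNATURE_LEN)
    return header + b"\x00" * SIGNATURE_LEN + buf.getvalue()
```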
The upgrade procedure employs a script called upgrade that is executed to perform the update. If a new firmware is included in the upgrade archive, it is flashed using the mtd utils; if only a few files are to be changed, another included archive is extracted directly into the root directory.
Because of this fire-and-forget nature of the upgrade procedure, downgrades are not possible under normal circumstances.
Inspected upgrades
- 0.7.1-2 → 0.7.1-3 (Browse contents)
  - once again web interface modifications and various bugfixes
  - no fix of the radius/dns entry point (kolofonium hack)
- 0.7.1-1 → 0.7.1-2 (Browse contents)
  - more web interface modifications (possibly hardening the interface against injections)
- 0.7.0-4 → 0.7.1-1 (Browse contents)
  - web interface modifications in response to a local injection hack
La Fonera: Firmware upgrades inspected