So, I've been trying to find an exploit in the 2-wire modem I received. In my journeys, I found one guy who has already done a lot of work on it. His blog is here
Now, here is a quick summary:
- It uses a TriMedia SoC with a proprietary instruction set
- It uses some kind of *nix
- It has an SSH server, but it ships disabled
- It has an exposed JTAG connector, but it's very involved to try to get anything out of it.
He's run arbitrary code on it, but he's failed at flashing it so that it uses its standard firmware, but with sshd enabled.
So, I'm now refocusing my efforts on finding an external (black-box) exploit against the DNS and HTTP servers. I've been poking around the HTTP server, trying to find a simple command-injection type exploit, but even where it looks like it should work, it just doesn't. This seems quite hardened. The only significant thing I've forced it to do is to run out of memory (apparently the HTTP server doesn't have a maximum request size).
The DNS server, however, I've already found a bug with. It apparently doesn't clear the response memory properly... So, if I go to facebook.com and then I go to the DNS server and send an invalid command, it'll send back a garbled response with a mention of facebook.com. That's a pretty scary privacy flaw, heh. It also has recursion disabled, so the DNS server seems quite weak, but I've never tried to exploit DNS.
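The response-memory bug described in the post is a classic stale-buffer leak: a server that keeps one reusable output buffer and, on an error path, sends the whole buffer without clearing it, so fragments of the previous answer ride along. The following is an added example (not code from the post or from the modem's firmware) that models that bug in a minimal toy DNS responder beside a corrected version, and includes the check a tester or developer would run to confirm the fix: answer one valid query, send one malformed packet, and see whether the earlier name shows up in the error response. All names, classes and the sample query are constructed for the example.

```python
# Added example: stale DNS response buffer leak (toy model) and its fix.
import struct

def encode_name(name):
    """Wire-format a dotted name, without the terminating zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split("."))

def build_query(txid, name):
    """Minimal DNS A/IN query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(packet):
    """Return (qname, offset just past the question) or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("short header")
    off, labels = 12, []
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln > 63 or off + ln > len(packet):
            raise ValueError("bad label")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    return ".".join(labels), off + 4

class LeakyResponder:
    """One fixed 512-byte response buffer that is never cleared. On a
    malformed query only the flags word is rewritten (FORMERR) and the
    entire buffer is sent, so the previous question section leaks."""
    def __init__(self):
        self.buf = bytearray(512)

    def handle(self, packet):
        try:
            _, qend = parse_question(packet)
            self.buf[0:qend] = packet[0:qend]          # echo header + question
            struct.pack_into("!H", self.buf, 2, 0x8180)  # QR=1, RD, RA, NOERROR
            return bytes(self.buf[:qend])
        except ValueError:
            struct.pack_into("!H", self.buf, 2, 0x8181)  # QR=1, RD, RA, FORMERR
            return bytes(self.buf)                     # whole stale buffer

class SafeResponder:
    """Builds every response from scratch and sized to its own content;
    a malformed query gets a bare 12-byte FORMERR header and nothing else."""
    def handle(self, packet):
        try:
            _, qend = parse_question(packet)
        except ValueError:
            txid = packet[0:2] if len(packet) >= 2 else b"\x00\x00"
            return txid + struct.pack("!HHHHH", 0x8181, 0, 0, 0, 0)
        resp = bytearray(packet[0:qend])
        struct.pack_into("!H", resp, 2, 0x8180)
        return bytes(resp)

def leaks_previous_query(responder, earlier="example.com"):
    """The check: serve a valid query, then a malformed one, and report
    whether the error response still carries the earlier name."""
    responder.handle(build_query(0x1111, earlier))
    # 12-byte header followed by a label length of 255 (> 63): malformed
    malformed = b"\x22\x22\x01\x00" + b"\x00" * 8 + b"\xff"
    resp = responder.handle(malformed)
    return encode_name(earlier) in resp

def error_response_length(responder):
    """Length of the FORMERR reply; a fresh-built reply is exactly 12 bytes."""
    malformed = b"\x33\x33\x01\x00" + b"\x00" * 8 + b"\xff"
    return len(responder.handle(malformed))

if __name__ == "__main__":
    print("leaky leaks:", leaks_previous_query(LeakyResponder()))  # True
    print("safe leaks:", leaks_previous_query(SafeResponder()))    # False
    print("leaky FORMERR bytes:", error_response_length(LeakyResponder()))  # 512
    print("safe FORMERR bytes:", error_response_length(SafeResponder()))    # 12
```

The two observable symptoms are the ones the post reports: the stale reply is far longer than its header and section counts justify, and it contains a name from an unrelated earlier query. Either check (a length that exceeds what the parsed sections account for, or a prior name appearing in an error reply) is enough to flag the bug in a black-box test, and the fix on the server side is to allocate or zero the output per response and to send only the bytes the response actually declares.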