J.J. Garcia
2006-Aug-08 19:45 UTC
[CentOS] GSM back door to shell with Centos and Palm handhelds
Hi folks,

Don't know if it could be interesting or not, even useful, but these past days I was spending my time trying to use an old GSM Motorola V150 mobile phone to get access to my host from my Palm device with pssh (http://www.sealiesoftware.com/pssh/). These are the steps I did to accomplish it; feel free to suggest or improve it. Anyway, I found it useful.

First, this Motorola has a USB interface to the host, and it's quite simple to attach the phone to the host running CentOS. I don't like USB 'things' very much, but things are like this... Anyway, if you do so you'll notice in syslog:

    <...>
    Aug 8 20:54:13 spoolbox kernel: cdc_acm 1-2:1.0: ttyACM0: USB ACM device
    <...>

I don't know other mobile phones with a USB interface, but it could be similar in others with an operational modem (I have to admit that I'm not an expert in GSM nor telephony...). Anyway, if you inspect the USB line, you can see:

    [root at spoolbox crash]# cat /proc/bus/usb/devices
    <...>
    T:  Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  9 Spd=12  MxCh= 0
    D:  Ver= 1.10 Cls=02(comm.) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
    P:  Vendor=22b8 ProdID=3802 Rev= 0.01
    S:  Manufacturer=Motorola Inc.
    S:  Product=Motorola Phone (V150)
    C:* #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr= 20mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=01 Driver=cdc_acm   --------------- !!!!!
    E:  Ad=89(I) Atr=03(Int.) MxPS= 16 Ivl=10ms
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_acm   --------------- !!!!!
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 16 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 16 Ivl=0ms
    <...>

Then, in /dev you will have:

    [root at spoolbox crash]# l /dev/ttyACM0
    crw------- 1 root root 166, 0 ago 8 20:54 /dev/ttyACM0

In my case, I wasn't sure about this phone's modem facilities, and I started playing with init sequences to discover the modem with the 'minicom' tool, without success. Finally I decided to use the 'wvdialconf' utility to make up for my lack of knowledge:

    [root at spoolbox crash]# wvdialconf newconffile
    Scanning your serial ports for a modem.

    Port Scan<*1>: S0   S1   S2   S3   S4   S5   S6   S7
    ttyACM0<*1>: ATQ0 V1 E1 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 Z -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyACM0<*1>: Modem Identifier: ATI -- 144
    ttyACM0<*1>: Speed 4800: AT -- OK
    ttyACM0<*1>: Speed 9600: AT -- OK
    ttyACM0<*1>: Speed 19200: AT -- OK
    ttyACM0<*1>: Speed 38400: AT -- OK
    ttyACM0<*1>: Speed 57600: AT -- OK
    ttyACM0<*1>: Speed 115200: AT -- OK
    ttyACM0<*1>: Speed 230400: AT -- OK
    ttyACM0<*1>: Speed 460800: AT -- OK
    ttyACM0<*1>: Max speed is 460800; that should be safe.
    ttyACM0<*1>: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- OK
    ttyUSB0<*1>: ATQ0 V1 E1 -- failed with 2400 baud, next try: 9600 baud
    ttyUSB0<*1>: ATQ0 V1 E1 -- failed with 9600 baud, next try: 115200 baud
    ttyUSB0<*1>: ATQ0 V1 E1 -- and failed too at 115200, giving up.
    Found an USB modem on /dev/ttyACM0.
    Modem configuration written to newconffile.
    ttyACM0<Info>: Speed 460800; init "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"

    [root at spoolbox crash]# l newconffile
    -rw-r----- 1 root root 232 jul 30 18:11 newconffile
    [root at spoolbox crash]# cat newconffile
    [Dialer Defaults]
    Modem = /dev/ttyACM0
    Baud = 460800
    Init1 = ATZ
    Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
    ISDN = 0
    Modem Type = USB Modem
    ; Phone = <Target Phone Number>
    ; Username = <Your Login Name>
    ; Password = <Your Password>

With this information, I updated the init sequence in the 'minicom' parameters:

    [root at spoolbox crash]# LANG=C; minicom

    Welcome to minicom 2.00.0

    OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
    Compiled on Feb 21 2005, 19:32:30.

    Press CTRL-A Z for help on special keys

    ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
    OK

    +-------[Modem and dialing parameter setup]-------+
    |                                                 |
    | A - Init string .. ~^M~ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0^M
    | B - Reset string . ^M~ATZ^M~
    <...>

I did an AT command and I got the corresponding OK, cool :)

    AT
    OK
    ATZ
    OK
    ATD <phone-number>

And my other mobile phone was ringing with an incoming data call. Up to here fine, since the old Motorola phone was able to perform calls; that's not the point unless you want a dial-out line (56k). What I needed was dial-in facilities, so on with 'mgetty-sendfax':

First, change /etc/inittab to start using the line:

    [root at spoolbox crash]# cat /etc/inittab
    <...>
    # Modem back line listen
    # Data only and two tones b4 connect
    T1:2345:respawn:/sbin/mgetty ttyACM0 -D /dev/ttyACM0
    <...>

To enable dial-in, uncomment the corresponding line in the '/etc/mgetty+sendfax/login.config' file with the previously created profile:

    [root at spoolbox crash]# cat /etc/mgetty+sendfax/login.config
    <...>
    /AutoPPP/ -     -       /usr/sbin/pppd file /etc/ppp/options.server
    <...>

You can trim even more for incoming calls using the corresponding features in '/etc/mgetty+sendfax/dialin.config'; in my case I left it untouched, without restrictions. And configure the line in '/etc/mgetty+sendfax/mgetty.config':

    <...>
    # Motorola V150/Usb connected to ttyACM0/1: don't do fax, less logging
    #
    port ttyACM0
      debug 9
      data-only y
      speed 460800
    <...>

Up to here, you have the line preset correctly; now you have to use it to dial in. Create a ppp profile file to use in dial-in, whatever the line will be:

    [root at spoolbox crash]# cat /etc/ppp/options.server
    # Do not fork to become a background process
    -detach
    # To allow pppd to work over a rlogin/telnet connection
    asyncmap 0
    # Use the modem control lines
    modem
    # Use hardware flow control
    crtscts
    # Specifies that pppd use the UUCP-style lock on the serial device
    lock
    # Adds an entry into the ARP table with the IP address of the client and the IP address of the NIC
    proxyarp
    #
    # Auth:
    # PAP (Password Authentication Protocol) is one of the two protocols that PPP uses to authenticate
    # peers.
    # The other is CHAP (Challenge Handshake Authentication Protocol).
    # CHAP is a more secure protocol, but is not as widely supported as PAP
    require-pap
    refuse-chap
    #require-chap
    #refuse-pap
    # if 'login' option (follows) is used, the file /etc/ppp/pap-secrets need not exist. In fact, it
    # might interfere with the proper functioning of PAP. You can remove the file, or it can contain
    # the following line:
    # * * ""
    # The advantage of maintaining /etc/ppp/pap-secrets with this line is that it leaves you the option
    # of denying PPP access to individual accounts that have entries in /etc/passwd. To do so, below
    # the above line, enter the following line:
    # username * -
    # where "username" is the username of the account you wish to deny PPP access. Example:
    #
    #user    server  secret  addrs
    # *      *       ""      *
    # jdoe   *       -       *
    #
    #login
    # The first DNS server IP address for this network.
    ms-dns 192.168.0.1
    # The second DNS server IP address for this network.
    ms-dns 62.42.230.24

Third, create the specific profile for the /dev/ttyACM0 line, where our phone is:

    [root at spoolbox crash]# cat /etc/ppp/options.ttyACM0
    # The first IP address is the servers IP address, the second IP address is
    # the free static IP address that can be assigned to the computer dialing
    # in on the modem. This number cannot be in use.
    192.168.0.3:192.168.0.69
    # The net mask of the LAN the server is connected to.
    netmask 255.255.255.0

And since we are using PAP to auth, create the password in /etc/ppp/pap-secrets:

    [root at spoolbox crash]# cat /etc/ppp/pap-secrets
    # Secrets for authentication using PAP
    # client        server  secret          IP addresses
    sm0ketst        *       password        *

Now, let's see what's happening with all of this stuff:

    # telinit q

And check out the syslog:

    <...>
    Aug 8 21:25:49 spoolbox init: Re-reading inittab
    <...>

And check also '/var/log/mgetty.log.ttyACM0':

    [root at spoolbox ~]# tail -F /var/log/mgetty.log.ttyACM0
    <...>
    --
    08/08 20:58:28 CM0 mgetty: experimental test release 1.1.31-Jul24
    08/08 20:58:28 CM0 check for lockfiles
    08/08 20:58:28 CM0 checklock: no active process has lock, will remove
    08/08 20:58:28 CM0 locking the line
    08/08 20:58:28 CM0 makelock(ttyACM0) called
    08/08 20:58:28 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
    08/08 20:58:28 CM0 lock made
    08/08 20:58:29 CM0 tio_get_rs232_lines: status: RTS CTS DTR
    08/08 20:58:29 CM0 WARNING: DSR is off - modem turned off or bad cable?
    08/08 20:58:29 CM0 lowering DTR to reset Modem
    08/08 20:58:29 CM0 tss: set speed to 460800 (10004)
    08/08 20:58:29 CM0 tio_set_flow_control( HARD )
    08/08 20:58:29 CM0 waiting for line to clear (VTIME=1), read:
    08/08 20:58:30 CM0 send: \dATQ0V1H0[0d]
    08/08 20:58:30 CM0 waiting for ``OK''
    08/08 20:58:30 CM0 got: ATQ0V1H0[0d]
    08/08 20:58:30 CM0 CND: ATQ0V1H0[0d][0a]OK ** found **
    08/08 20:58:30 CM0 send: ATS0=0Q0&D3&C1[0d]
    08/08 20:58:30 CM0 waiting for ``OK''
    08/08 20:58:30 CM0 got: [0d]
    08/08 20:58:30 CM0 CND: OK[0a]ATS0=0Q0&D3&C1[0d]
    08/08 20:58:30 CM0 CND: ATS0=0Q0&D3&C1[0d][0a]OK ** found **
    08/08 20:58:30 CM0 waiting for line to clear (VTIME=3), read: [0d][0a]
    08/08 20:58:30 CM0 removing lock file
    08/08 20:58:30 CM0 waiting...

Up to here, the hard part is done, except the netfilter part I'll show later; but from now on we can ring our Motorola to get access from 'pssh' on our Palm device (in my case I use a Bluetooth connection with a Nokia 6600).

If we also want to get access to the network from the Palm device, you have to tweak the /etc/sysconfig/iptables file on the host where the phone is connected in the following way:

a) At the top of the file, add the following lines:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    # Rule for sharing eth0 with ppp0/ttyACM0     <------- ADD
    -A FORWARD -i ppp0 -j ACCEPT                  <------- ADD
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    <...>

b) At the end of the file, add the following lines:

    <...>
    # Rest
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Rule for dial-in network sharing
    # Remark: Remember to update the /etc/sysctl.conf
    # Controls IP packet forwarding
    # net.ipv4.ip_forward = 1
    # or
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

And as you can see, enable packet forwarding by hand or in '/etc/sysctl.conf'. After that, restart iptables:

    [root at spoolbox ~]# service iptables restart

And check out the 'whole thing': 1st, enable Bluetooth on the phone; 2nd, enable Bluetooth on the Palm, and connect:

    [root at spoolbox ~]# tail -F /var/log/mgetty.log.ttyACM0
    <...>
    --
    08/08 21:38:50 CM0 select returned 1
    08/08 21:38:50 CM0 checking lockfiles, locking the line
    08/08 21:38:50 CM0 makelock(ttyACM0) called
    08/08 21:38:50 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
    08/08 21:38:50 CM0 lock made
    08/08 21:38:50 CM0 wfr: waiting for ``RING''
    08/08 21:38:50 CM0 got: [0d][0a]RING[0d]
    08/08 21:38:50 CM0 CND: RING
    08/08 21:38:50 CM0 wfr: rc=0, drn=0
    08/08 21:38:50 CM0 CND: check no: 'none'
    08/08 21:38:50 CM0 send: ATA[0d]
    08/08 21:38:50 CM0 waiting for ``CONNECT''
    08/08 21:38:50 CM0 got: ATA[0d]
    08/08 21:38:50 CM0 CND: OKATA[0d][0a]CONNECT ** found **
    08/08 21:39:03 CM0 send:
    08/08 21:39:03 CM0 waiting for ``_''
    08/08 21:39:03 CM0 got: [0d]
    08/08 21:39:03 CM0 CND: CONNECT[0a] ** found **
    08/08 21:39:03 CM0 waiting for line to clear (VTIME=3), read:
    08/08 21:39:03 CM0 looking for utmp entry... (my PID: 14150)
    08/08 21:39:03 CM0 utmp + wtmp entry made
    08/08 21:39:04 CM0 tio_set_flow_control( HARD )
    08/08 21:39:04 CM0 print welcome banner (/etc/issue)
    08/08 21:39:04 CM0 getlogname (AUTO_PPP), read:~[ff]}#[c0]!
    08/08 21:39:05 CM0 input finished with '\r', setting ICRNL ONLCR
    08/08 21:39:05 CM0 tio_get_rs232_lines: status: RTS CTS DSR DTR DCD RI
    08/08 21:39:05 CM0 login: use login config file /etc/mgetty+sendfax/login.config
    08/08 21:39:05 CM0 match: user='/AutoPPP/', key=''
    08/08 21:39:05 CM0 match: user='/AutoPPP/', key=''
    08/08 21:39:05 CM0 match: user='/AutoPPP/', key='/AutoPPP/'*** hit!
    08/08 21:39:05 CM0 calling login: cmd='/usr/sbin/pppd', argv[]='pppd file /etc/ppp/options.server'
    08/08 21:39:05 CM0 setenv: 'CALLER_ID=none'
    08/08 21:39:05 CM0 setenv: 'CONNECT='
    08/08 21:39:05 CM0 setenv: 'DEVICE=ttyACM0'
    08/08 21:39:05 ##### data dev=ttyACM0, pid=14150, caller='none', conn='', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'

And in syslog:

    <...>
    Aug 8 21:39:05 spoolbox mgetty[14150]: data dev=ttyACM0, pid=14150, caller='none', conn='', name='', cmd='/usr/sbin/pppd', user='/AutoPPP/'
    Aug 8 21:39:05 spoolbox pppd[14150]: pppd 2.4.2 started by LOGIN, uid 0
    Aug 8 21:39:05 spoolbox pppd[14150]: Using interface ppp0
    Aug 8 21:39:05 spoolbox pppd[14150]: Connect: ppp0 <--> /dev/ttyACM0
    Aug 8 21:39:10 spoolbox pppd[14150]: PAP peer authentication succeeded for sm0ketst
    Aug 8 21:39:13 spoolbox pppd[14150]: found interface eth0 for proxy arp
    Aug 8 21:39:13 spoolbox pppd[14150]: local IP address 192.168.0.3
    Aug 8 21:39:13 spoolbox pppd[14150]: remote IP address 192.168.0.69

When disconnected, syslog will show:

    <...>
    Aug 8 21:40:38 spoolbox pppd[14150]: IPCP terminated by peer
    Aug 8 21:40:39 spoolbox pppd[14150]: LCP terminated by peer
    Aug 8 21:40:42 spoolbox pppd[14150]: Connection terminated.
    Aug 8 21:40:42 spoolbox pppd[14150]: Connect time 1.6 minutes.
    Aug 8 21:40:42 spoolbox pppd[14150]: Sent 98 bytes, received 86 bytes.
    Aug 8 21:40:42 spoolbox pppd[14150]: Connect time 1.6 minutes.
    Aug 8 21:40:42 spoolbox pppd[14150]: Sent 98 bytes, received 86 bytes.
    Aug 8 21:40:42 spoolbox pppd[14150]: Exit.

And the mgetty log (/var/log/mgetty.log.ttyACM0):

    <...>
    --
    08/08 21:40:42 CM0 mgetty: experimental test release 1.1.31-Jul24
    08/08 21:40:42 CM0 check for lockfiles
    08/08 21:40:42 CM0 checklock: no active process has lock, will remove
    08/08 21:40:42 CM0 locking the line
    08/08 21:40:42 CM0 makelock(ttyACM0) called
    08/08 21:40:42 CM0 do_makelock: lock='/var/lock/LCK..ttyACM0'
    08/08 21:40:42 CM0 lock made
    08/08 21:40:43 CM0 tio_get_rs232_lines: status: RTS CTS DSR DTR DCD RI
    08/08 21:40:43 CM0 WARNING: DCD line still active, check modem settings (AT&Dx)
    08/08 21:40:43 CM0 lowering DTR to reset Modem
    08/08 21:40:43 CM0 tss: set speed to 460800 (10004)
    08/08 21:40:43 CM0 tio_set_flow_control( HARD )
    08/08 21:40:43 CM0 waiting for line to clear (VTIME=1), read: [0a][0a]NO CARRIER[0a][0a]
    08/08 21:40:43 CM0 send: \dATQ0V1H0[0d]
    08/08 21:40:44 CM0 waiting for ``OK''
    08/08 21:40:44 CM0 got: ATQ0V1H0[0d]
    08/08 21:40:44 CM0 CND: ATQ0V1H0[0d][0a]OK ** found **
    08/08 21:40:44 CM0 send: ATS0=0Q0&D3&C1[0d]
    08/08 21:40:44 CM0 waiting for ``OK''
    08/08 21:40:44 CM0 got: [0d]
    08/08 21:40:44 CM0 CND: OK[0a]ATS0=0Q0&D3&C1[0d]
    08/08 21:40:44 CM0 CND: ATS0=0Q0&D3&C1[0d][0a]OK ** found **
    08/08 21:40:44 CM0 waiting for line to clear (VTIME=3), read: [0d][0a]
    08/08 21:40:44 CM0 removing lock file
    08/08 21:40:44 CM0 waiting...

Now you can get shell access from your Palm, use your favourite Palm www browser, send and receive emails, etc., with some tweaks from your Palm, all of this using your host as your gateway.

I think that's all and I didn't forget anything; feel free to knock on my door if something fails... but since phone companies are providing no-cost rates for certain calls, I found it useful to get a shell on my Palm to launch certain commands on the host at 0 cost. Yes, at 56K, but it's free :)

Jose.

--
-----------------------------------------------------------------
sparkbox.stigmatedbrain.net 2.6.9-34.0.2.ELsmp i686 GNU/Linux
21:40:01 up 7 days, 1:52, 44 users, load average: 3.18, 1.91, 1.62
-----------------------------------------------------------------
The Moral Law causes the people to be in complete accord with their ruler, so that they will follow him regardless of their lives, undismayed by any danger.
--The Art of War by Sun Tzu
Chapter I: Laying Plans
R P Herrold
2006-Aug-08 21:22 UTC
[CentOS] Re: centos] GSM back door to shell with Centos and Palm handhelds
On Tue, 8 Aug 2006, J.J. Garcia wrote:

> First, this motorolla has an usb interface to the host, it's quite
> simple to attach the phone to the host running CentOs, i dont like very
> much usb 'things' but things are like this... anyway, if you do so

> Then, in /dev you will have:
>
> [root at spoolbox crash]# l /dev/ttyACM0
> crw------- 1 root root 166, 0 ago 8 20:54 /dev/ttyACM0

yes - USB devices are nasty, and the PPPD has to manage serial devices as root.

Pretty definitionally, one has to have physical access to a host to plug a USB device into it -- the site admin (at least in the BIOSes I have deployed commercially) can, but may not have chosen to, disable USB devices, non-hard-drive boot devices, etc., and so a local (mis)configuration may result in escalated privs. Of course the admin may not have put a cable lock through the Kensington lock port, or an end user could bash in a plastic dress plate to pull out a HD and mount it on a nearby box with a live CD, even if the admin did.

Remote roots are interesting; local account escalation less so; physically available hosts not so much.

It was a fun report to see, and I would encourage upstreaming it to Red Hat.

- Russ Herrold
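Reading the two posts from the admin's side: the files Jose edited (inittab, login.config, pap-secrets, sysctl.conf, the iptables rules) are exactly what Russ's "local (mis)configuration" concern points at, and they are cheap to check for. The audit script below is an added example, not from either post nor from the mgetty or pppd projects; it assumes a CentOS 4-style layout and takes an optional ROOT prefix so it can be run against a constructed file tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the thread): report the pieces of the dial-in PPP
# gateway described in the post, as a local configuration audit.
# Usage: audit_dialin [ROOT]   (ROOT="" means the running system)

# finding MSG: report one finding on stdout.
finding() { echo "FINDING: $1"; }

# has_line FILE REGEX: true when FILE has a non-comment line matching REGEX.
has_line() {
    [ -f "$1" ] && grep -E "$2" "$1" | grep -vE '^[[:space:]]*#' >/dev/null
}

# audit_dialin ROOT: run every check relative to ROOT; always returns 0 so
# callers count FINDING lines instead of relying on the exit status.
audit_dialin() {
    root="${1:-}"
    # inittab respawning mgetty (the stock mingetty lines do not match "mgetty")
    has_line "$root/etc/inittab" ':respawn:.*mgetty.*tty' \
        && finding "inittab respawns mgetty on a serial/USB line (dial-in getty)"
    # an uncommented /AutoPPP/ rule hands the caller straight to pppd (root)
    has_line "$root/etc/mgetty+sendfax/login.config" '^/AutoPPP/.*pppd' \
        && finding "login.config starts pppd for any AutoPPP caller"
    # a PAP entry whose server field is '*' is valid against any server name
    has_line "$root/etc/ppp/pap-secrets" '^[^[:space:]]+[[:space:]]+\*[[:space:]]+' \
        && finding "pap-secrets entry with wildcard server field"
    # forwarding plus MASQUERADE turns the host into a gateway for the peer
    has_line "$root/etc/sysctl.conf" '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' \
        && finding "sysctl.conf enables IP forwarding"
    has_line "$root/etc/sysconfig/iptables" '^-A FORWARD -i ppp0 -j ACCEPT' \
        && finding "iptables forwards all traffic arriving on ppp0"
    has_line "$root/etc/sysconfig/iptables" '^-A POSTROUTING .*-j MASQUERADE' \
        && finding "iptables masquerades forwarded traffic onto the LAN"
    return 0
}

# Run against the given ROOT when invoked directly with an argument.
if [ $# -gt 0 ]; then audit_dialin "$1"; fi
```

On a live box run it as root (the secrets file is mode 600); on an rpm-based host, `rpm -V mgetty ppp` beside it tells you whether the packaged config files were changed at all.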