This is my first thread on the questions board.
In researching the issue that all 4G EVO users who turn 4G on/off experience (localhost connecting back to port 7771 and spamming logcat), I came across this file:
/data/wimax/wimax_properties
Inside it stores the sprintpcs username and password:
ls -l /data/wimax/wimax_properties
-r--r----- root root 262144 2010-09-24 09:52 wimax_properties
this will return your sprintpcs login name:
cat /data/wimax/wimax_properties | busybox grep @sprintpcs
The next line after that contains a clear-text password. It starts with persist.wimax.0.PASSWORD.
I understand this file is not accessible w/o root. In theory, root exploits are always appearing, and for the time being ragc hasn't been patched, so any program could use that to gain root (bypassing superuser.apk) and read this file.
I also understand there is an RSA encryption key stored on the wimax partition itself, which I'm pretty sure is required to establish a connection.
Does the RSA encryption tie into this clear text password?
Anybody else notice this? Is there any reason to be concerned?
Related
Hello everyone. I'm not very experienced with Linux but have done some. I want to connect to my Tomato router using GScript and RSA keys. I generated keys with ConnectBot and I can connect to it from there fine; however, when I try to connect from GScript using ssh -p port user@host 'command', I get an error about the host not being in the trusted hosts file. Is this because the RSA keys are not system-wide and GScript is not using what was created by ConnectBot, or is this a different, unrelated problem? Any help would be great, thanks!
I really don't know where to start with this. I seriously recommend you read Wikipedia and experiment more with virtualized Linux computers (VMware Player or Oracle VirtualBox are good starts, running CentOS and Ubuntu).
RSA keys, as you're talking about at first, are the public-key encryption scheme used to authenticate you when you connect to your router, in this case. BUT. The keys you talk about in the second part? Those aren't keys. Your "trusted hosts file" is a list of unique fingerprints that an SSH server creates when it's first initialized, which are used to "sign" that it's the server you're connecting to.
For example, if every day you connect to the same server, and then suddenly one day you get told that the fingerprints don't match, and you know that nothing has changed on the server end, there's a good chance that something got messed up, or that someone is attempting to perform some kind of man-in-the-middle attack.
To get back to your question though, no, the Trusted Hosts file is not shared between ConnectBot and GScript. Odds are, ConnectBot isn't even sharing your SSH key (the RSA key) with GScript, and you haven't even gotten to that error yet. The SSH key can be system wide though (PROTIP: Just put it on the root of your SD card and load it into ConnectBot/GScript by manually adding the key file).
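As an added example (not code from this thread), here is the "trusted hosts" check the reply above describes, in Python: a known_hosts entry stores the server's public host key, the client derives a fingerprint from it (the MD5 colon form shown in the dropbear reply further down, and the newer SHA256 form), and a key that differs from the stored one for the same host and port is the "fingerprints don't match" case. The key blobs and the known_hosts line are constructed toy values, not real keys.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob. CONSTRUCTED toy numbers, not a real key."""
    def mpint(v: int) -> bytes:
        # minimal big-endian bytes, plus a leading 0x00 when the high bit is set
        return ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH form: 16 colon-separated hex pairs, e.g. 'c8:8f:61:...'."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH form: 'SHA256:' followed by unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map 'host' or '[host]:port' -> (key type, raw key blob) for plain entries."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # skip comments and hashed (HashKnownHosts) entries
        hosts, ktype, b64 = line.split()[:3]
        for host in hosts.split(","):
            entries[host] = (ktype, base64.b64decode(b64))
    return entries


def check_host_key(known: dict, host: str, ktype: str, blob: bytes) -> str:
    """'unknown' on first contact, 'match' if the stored key agrees, else 'MISMATCH'."""
    if host not in known:
        return "unknown"      # client asks "Are you sure you want to continue connecting?"
    if known[host] == (ktype, blob):
        return "match"
    return "MISMATCH"         # host key changed: treat as a possible man-in-the-middle


# Constructed sample data: the key recorded at first contact, and a different key
# that an interposed machine would present for the same host and port.
SERVER_BLOB = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
IMPOSTOR_BLOB = make_rsa_blob(65537, 0xDEADBEEFCAFEBABE0123)
KNOWN_HOSTS = "[192.168.10.245]:2222 ssh-rsa " + base64.b64encode(SERVER_BLOB).decode() + "\n"


def demo() -> dict:
    known = parse_known_hosts(KNOWN_HOSTS)
    host = "[192.168.10.245]:2222"
    return {
        "fingerprint": fingerprint_md5(SERVER_BLOB),
        "same_server": check_host_key(known, host, "ssh-rsa", SERVER_BLOB),
        "new_host": check_host_key(known, "[10.0.0.1]:22", "ssh-rsa", SERVER_BLOB),
        "mitm": check_host_key(known, host, "ssh-rsa", IMPOSTOR_BLOB),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```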
Thanks for your help. So basically I just want these two programs to share trusted hosts files and RSA keys. How does GScript initially come to trust a host, and how come ConnectBot didn't have this issue? I guess I could try to find the trusted hosts file ConnectBot is using, and can I move its key file to the root and then share it with GScript? Or do I need to make a new one (possibly in Cygwin on the desktop) and copy it over to the SD card?
I do plan to read more about this stuff, but that will happen in time. Right now I feel very close to accomplishing what I want (as you can probably tell by me posting this at 4:45 AM).
Thanks again.
For the trusted hosts issue, you can't really share them, as there's no standardized format to the file (it's like trying to swap an MP3 and an AAC file; they both may be music, and they both may be of the same song, but they're quite different). There should be an option on the GScript error message to just add the host to the trusted list. If not, try running the same command from a terminal (ADB shell, or open ConnectBot and connect to local).
In regards to the key file, you'll just have to hunt down wherever ConnectBot placed it, and move it to the root of the SD card, then re-add it in ConnectBot (Press Menu and then Manage SSH keys to get to the key list. Menu again to select add/import).
Thanks. I'm having no luck finding ConnectBot's key file, so I just made a new one in Cygwin and will put it on my SD card. However, I'm still not sure how to add/import that into GScript, or how to get GScript to trust that host (I don't see an option for it with the error message). These are questions I need to direct towards the GScript crowd; unfortunately, its thread hasn't received much activity in a while. Is there any other way you would go about saving a script to run from your home screen?
Hello,
I just tried to set up DroidSSHd with the aim to backup my phone using rsync.
There is an option to set a password, which I did, but when I connect via a Windows machine/CopSSH/Putty the password is ignored, so everybody can just connect to my phone, which is kind of a security disaster.
Is there something I have to do to get this working?
My steps so far (without much knowledge of command lines):
- created a set of ssh-keys using Putty
Code:
ssh-keygen
- copied the public key to /sdcard/authorized_keys/
- opened DroidSSHd and created a profile with root-access (didn't connect w/o), entered a password, chose the public key, changed the port to 22
- now user name is "root" and the service is running
- open Putty, and enter
Code:
ssh root@[IPADDRESS]
>>password: [ENTER]
Ready to rock. BUT anyone can access my phone!
How do I set a password for DroidSSHd?
thx
Seems it's not possible, or I'm the only one facing that problem.
-Y <password> in the dropbear cmdline
This password is hidden from /proc/xxx/cmdline and ps.
Otherwise there is the public-key method, which doesn't require a password if your client is "authorized" by SSH:
Code:
ssh root@192.168.10.245 -p 2222
The authenticity of host '[192.168.10.245]:2222 ([192.168.10.245]:2222)' can't be established.
RSA key fingerprint is c8:8f:61:2b:14:67:a5:62:50:02:39:3d:ad:ec:15:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.245]:2222' (RSA) to the list of known hosts.
root@192.168.10.245's password:
Permission denied, please try again.
root@192.168.10.245's password:
Will try. Thx a bunch. You are a really busy guy. I'm totally impressed.
Motorola Defy, CM7 RC1.5, German Froyo base
Short Version:
Got an OpenVPN server on my NAS. GN connects & works fine; remote resources are reachable. I now want to know how I can route all traffic through the tunnel. (Is this possible?)
Long Version:
For those times when I'm traveling (domestically and internationally) and/or using a questionable Internet connection, I'd like to secure the connection.
I've got a [stock] rooted GN running Jelly Bean with BusyBox installed. My NAS has two built-in VPN solutions, one of which is OpenVPN, so I set that up, which created an .ovpn file containing the following configuration:
Code:
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
#float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
#redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
After installing OpenVPN Installer & OpenVPN Settings, I had to manually symlink busybox, ifconfig, and route from /system/bin to /system/xbin in order for OpenVPN to run properly.
Code:
#Note: In an attempt to be thorough, and for any Googlers or forum searchers (+1)...
#First I had to mount /system as read/write via:
mount -o rw,remount /system
#Then create the symlinks via:
ln -s /system/bin/busybox /system/xbin/busybox
ln -s /system/bin/ifconfig /system/xbin/ifconfig
ln -s /system/bin/route /system/xbin/route
#Then remount /system as read-only via:
mount -o ro,remount /system
Once all of the above was setup, I initiated the connection, successfully authenticated, and was able to reach remote resources without issue.
What I would like to do at this point is get it set up so that I can have a second profile that routes all traffic through the VPN. I assume it's a client-side configuration change, but I really don't know at this juncture.
Many thanks!
Doesn't the CyanogenMod ROM have native OpenVPN support? I think the OpenVPN client on CM has an option to route all traffic through the VPN. I think for what you want to do you would need a custom ROM or kernel that supports iptables.
iptables is a system file that allows the system to redirect network traffic usually for apps like tethering, firewalls, and proxies.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for taking the time to reply KemikalElite.
I've got BusyBox 1.20.2 installed and I do have an iptables binary (v1.4.11.1). With solutions like Hotspot Shield VPN that don't require root yet support encryption for all traffic, I figured root + OpenVPN + BusyBox + iptables would be sufficient.
My initial assumption was that I would need to make some changes to my OpenVPN configuration to encrypt & route all traffic through the tunnel. But maybe I've been thinking about this all wrong, and it's less about OpenVPN and more about running a custom script once connected to route everything through the tunnel, and vice versa when I disconnect to restore the original configuration.
Perhaps I should be scouring OpenVPN forums?
You have the tun module as well right?
code.google.com/p/android-openvpn-settings/issues/list
Check through some of those issues. Something did say that the DNS servers may need to be manually set.
OpenVPN is so complex because of the config options. I find it easier to use native PPTP connections, since there's no config, only authentication, and it routes all traffic automatically.
Sent from my Galaxy Nexus using Tapatalk 2
You need to enter "redirect-gateway" into your ovpn config file. Just remove the # in your config.
Thanks for the reply ZiCoN!
I should have mentioned this sooner - terribly sorry for omitting this.
Once I got the VPN connected, I did the old 'what is my ip' to verify the route. It was still using the provider's network, but I could reach my NAS and other remote devices in the 192.168.x.x range, so the VPN itself was working. After reading the mini explanation in the config file I enabled 'redirect-gateway', and after reconnecting I could no longer access the Internet. I checked the OpenVPN manual and added 'def1' after the 'redirect-gateway' statement, reconnected, but still no go: I can no longer access the Internet. Remote resources are still accessible in both scenarios.
I somehow missed this when drafting my last reply. I think you're right about it being a DNS problem. I made a change to the config file (adding a few lines for 'dhcp-option DNS x.x.x.x') and within OpenVPN used the 'Fix DNS' button.
Thanks all for your time, thoughts, opinions and instructions!
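As an added example (not the file generated by the NAS), here is the client profile from the opening post rewritten as a full-tunnel profile with the two changes this thread settled on: redirect-gateway def1 and explicit dhcp-option DNS lines. The DNS addresses are placeholders; substitute resolvers that are reachable through the tunnel.

```conf
# Full-tunnel OpenVPN client profile (added example, not the NAS-generated file).
dev tun
tls-client
remote YOUR_SERVER_IP 1194
proto udp
pull
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass

# Weak setting from the original file: the line below was commented out, so
# only routes the server pushed (the 192.168.x.x LAN) went through the tunnel
# and ordinary Internet traffic still left via the carrier network.
#redirect-gateway

# Corrected setting: send the default route through the tunnel. "def1" adds
# two /1 routes (0.0.0.0/1 and 128.0.0.0/1) that override the existing default
# route instead of replacing it, so the original gateway is restored cleanly
# when the tunnel closes.
redirect-gateway def1

# With everything routed through the tunnel, the DNS servers assigned by the
# carrier may no longer be reachable, which looks like "VPN up, no Internet".
# Give the client resolvers that can be reached through the VPN.
dhcp-option DNS DNS_IP_ADDRESS_1
dhcp-option DNS DNS_IP_ADDRESS_2

# Server-side caveat (client config cannot fix this): the VPN server must
# have IP forwarding enabled and NAT or a return route for the tunnel subnet,
# otherwise LAN hosts answer but Internet replies never come back.
```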
You probably need to allow traffic to route back along the VPN from the internet. On your gateway, route VPN addresses to the VPN server and make sure forwarding is enabled on the VPN server.
Questions go in Q&A
Read forum rules and stickies before posting
Thread moved
FNM
Install openvpn and then place your edited client vpn config files and certificate files on the storage of FireTV similar to the raspberry pi method in the thread below:
h**p xbmchub.com/forums/threads/24769-How-to-set-up-your-VPN-on-raspberry-pi-using-Brain-Hornsby-Openvpn-for-XBMC
Thanks for anyone that may know more than me that could maybe get this to work...
Hmm, would be nice if that worked. Did you get a chance to try it?
Sent from my Nexus 5 using XDA Free mobile app
I'm working on something like this just now. Here's the thing: in my logs for the simplest OpenVPN app to install (not straight openvpn, it turns out, as there's a windowing issue there that makes it difficult or impossible to navigate through setup, even with a keyboard and Droidmote), once I have a config I get errors in logcat informing me:
"Your image does not support the VPNService API, sorry "
There is a manually installable openvpn binary that I've looked at a bit but not yet configured. It is going to require adding a binary to /system/xbin directly, as the installer (at least on my phone) does not understand where /system/xbin really lives and issues a remount command to a nonexistent partition.
If you're running dd-wrt or similar configurable firewall, another option is to get an account with a provider who is set up to let you do a firewall to firewall connection, and then route either all of your traffic or the traffic from your firetv through that firewall-to-firewall connection.
I have a Private Internet Access vpn account.
Installed openvpn on FireTV--
http play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
Installed busybox on FireTV--
http play.google.com/store/apps/details?id=stericson.busybox&hl=en
I created a pass.txt file with my PIA username on the first line and password on the second line, nothing else, then saved the file as a text file (pass.txt).
Download the following to PC--
http privateinternetaccess.com/openvpn/openvpn.zip
Extracted the zip file.
Edited the location specific .ovpn file (see below), changing the 'remote', 'ca', 'crl' and 'auth' lines to the following--
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /storage/sdcard0/openvpn/ca.crt
tls-client
remote-cert-tls server
auth-user-pass /storage/sdcard0/openvpn/pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /storage/sdcard0/openvpn/crl.pem
Then, save the USFlorida.ovpn file.
Upload ca.crt, crl.pem, pass.txt, and .ovpn file to FireTV to /storage/sdcard0/openvpn/
Open terminal on FireTV. I use jackpal's terminal app below, but you can also use adb.
http play.google.com/store/apps/details?id=jackpal.androidterm
In terminal, type the following--
su
cd /storage/sdcard0/openvpn/
openvpn --config USFlorida.ovpn
But I get several errors. Anyway, that's where I'm at. Maybe someone else more knowledgeable than me can figure it out. Sorry about the links, my low post-count will not allow me to post url's.
Also, you can sideload the following app to verify your external ip address, and it works great with the FireTV remote--
http play.google.com/store/apps/details?id=igit.WhatIsMyIp
The approach you've taken is where I'd be headed next on the client side.
One thing you might want to try is to do the same setup on a less locked-down device and confirm that the config files work as expected there.
There's also a good discussion of the hardware approach (setting up a tunnel from your edge to a VPN provider) in the other VPN thread, http://forum.xda-developers.com/showthread.php?t=2797005
Also, Private Internet Access will sell a preconfigured router for this purpose!
DO NOT POST IN HERE IF:
You are not experienced
You are not a dev
Making wild suggestions that make no sense
Asking for progress
Asking for ETAs
Posting useless posts
Exploit:
CVE-2015-4640 and CVE-2015-4641
Goal:
Escalate this to root (0) if possible and work around WP (write-protection) or be able to turn off certain WP with the help of this exploit.
Root Status:
Temp Root
Exploit Explanation Link:
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
People working on this or helping:
heXacode
tekjester
Current Status of Progress:
Working on receiving the file and modifying it afterwards.
To see if your keyboard has been patched or not, open a terminal on your phone (or connect the phone to your PC and use a terminal there) and type this:
ls -l /system/app/SamsungIME*
You should see this (not patched on KK 4.4.4):
-rw-r--r-- 1 0 0 8830744 Sep 16 2014 /system/app/SamsungIME.apk
-rw-r--r-- 1 0 0 4735632 Sep 16 2014 /system/app/SamsungIME.odex
***If you have knowledge in this, please come forward and offer help so we can see if it's possible to get root (0) with this and finally get permanent root. I will update this periodically when time becomes available. It's slow work and new ground to breach, with a lot to understand in order to modify it and see what use we can make of it.
This exploit is only being done on KK (KitKat) 4.4.4. Do not ask if it will work on LP (Lollipop) 5.0.1. Do not ask why terminal doesn't match up with mine for 4.4.4 if you're on 5.0.1. I cannot confirm if it was patched for 5.0.1 or later. If this exploit does what we need to do for perm root and such then further testing will be done for 5.0.1 or later. Right now the main focus and all work is going to be done for 4.4.4 ONLY.
WARNING:
Any non-development post will be deleted and the poster infracted 5 points!
This is DEVELOPERS ONLY!!!!
No "Thanks", No "Looks Great!" No "I wanna test!" No "Are we there yet" posts!!!
PERIOD!
When developers need testers they will announce it and you can PM them
If you cannot read these simple instructions as well as the stickies, the developers probably don't want you to test!
Now if you are not contributing directly to the development discussion, then post in your device's General section
There will be no further warnings
Thank you for your cooperation
Friendly Neighborhood Senior-Mod
So I tried starting this from work (I work for the Gov't ), and my ability to share any connection was strictly declined - even with my domain admin access .
I'm going to hit this from the Windows side, so instead of Hostapd and mitmproxy, I'm going to use the built in Windows 8 WiFi hotspot and Fiddler. For any lurkers that want to check this out, here's a beginners guide to MITM with fiddler:
http://www.mehdi-khalili.com/fiddler-in-action/part-1/
Note: This talks about SSL stuff... the keyboard exploit doesn't use SSL, which is why it's a vulnerability! If you have some tech savviness, you can try piecing this together with the link hex posted and see how far you can get.
I have experience with injection, the quest for the team is going to see how much damage we can do running something from the "system user" context!
Also, I'm currently running 5.0.1 OF1 build. I'm going to start here, and progressively roll back to 4.4 to see if/when the exploit was patched
A few updates before I head to bed:
I get an output of:
Code:
-rw-r--r-- 1 root root
for ONLY system/app/SamsungIME.apk
I don't have anything for a .odex
However, great news out of fiddler! The keyboard exploit is STILL unpatched. Check out the attachment below!
I'm not sure if the ODEX file is critical or not to running in system context. Guess I'll find out tomorrow.
Here's what I did to get where I'm at on Windows 8.1. Figured I'd save everyone the headaches.
1. Download/install Fiddler
2. Open an admin command prompt
3. Run "ncpa.cpl"
3a. Turn on Internet Connection Sharing for your normal internet connection
4. Run: netsh wlan set hostednetwork mode=allow ssid="test" key=testtesttest
5. Run: netsh wlan start hostednetwork
6. On your phone, turn on airplane mode, then turn WiFi back on (no mobile data)
7. Connect to your new WiFi network - you'll need special settings because Windows can't figure out DHCP without some pretty drastic steps. I assume your hostednetwork IP is 192.168.137.1; if not, adjust accordingly:
7a. Configure the proxy server as manual: Hostname "192.168.137.1", Port "8888"
7b. Switch DHCP to manual: IP address 192.168.137.2, Gateway 192.168.137.1, DNS 8.8.8.8
8. Back over to Fiddler: This guy explains it better than me
I didn't see a keyboard grab when I rebooted. However, I can get the keyboard to search on the phone by going to Settings > Language and Inputs > Samsung Keyboard > Select Input Language
Once there, the phone reaches out for a json file with the sha hash and the payload. This is where the whitepaper comes into play and where our experimentation begins!
Quick follow-up. While the packages are still sent unencrypted, running in System UID requires execution from the Dalvik Cache. No Dalvik Cache means no execution. Looks like anything we run will be on 4.4.
+1 confirmation that the updates are still sent unencrypted on Lollipop. Moving on to verify if directory traversal still works.
tekjester, just a suggestion - achieving code execution on Lollipop might require running dex2oat to get the code in a format that ART would execute.
I'll dig deeper into this soon - here's hoping it can be made to work on Lollipop, reverting to Kitkat and upgrading with Flashfire without tripping Knox would be a... fun weekend project.