Sean DuBois

Exploring the SPA112

Inspecting firmware to find the ping utility - Published 2015-02-16

The Problem

I have been using the Cisco SPA112 for a while now, and it works great for my uses. I just want to connect existing phone systems to an Asterisk install as peers and be done with it. This has worked great, up until recently when I was having connectivity issues from the Cisco SPA. Well, I went digging for the usual tools, ping and traceroute, but they couldn't be found! The manual claimed they were in the web interface, but as you can see below nothing existed for me.

I tried exploring the DOM a little bit to see if the links had just been hidden, but couldn't find anything in the HTML/CSS/JS. There was a lot of raw DOM manip, so I would not be surprised if it just got lost in an off-by-one error or something of the sort. The following was the Admin tab as I saw it.

Finding all the ASP scripts

I noticed that every page was a dedicated .ASP script in the form of http://HOST/FILE.asp;session_id=X

So I decided to try my hand at a little exploring, and got really lucky! I usually run things through strings then binwalk and then give up :), so for my first step I downloaded the latest firmware, ran it through strings and grepped for '.asp' with the command being

strings Payton_1.3.5_004p_102814_1321_pfmwr_bootldr.bin | grep .asp

and got the following output

     Alg.asp>^     
BT.asp^^
Backup.asp~^
Bonjour_set.asp
Bridge_Enable.asp
Check_ID.asp
Cysaja.asp
DHCPTableSelect.asp>_
DMZ.asp^_
DMZSummary.asp~_
DMZ_setting.asp
DMZconfig.asp
DNS_tab1.asp
DNS_tab2.asp
Detecthost.asp
Detecthost_wait.asp>@
Diagnostics2.asp^@
Diagnostics_tab1.asp~@
Diagnostics_tab2.asp
Factory_Defaults.asp
FactoryDefaultsrun.asp
Fail.asp
Fail_Busy.asp
Fail_general.asp>A
Failrs.asp^A
Failus.asp~A ~
Fail_vlan.asp
Failmsg_head.asp
Firewall_qs.asp
Forward_tab1.asp
Forward_tab2.asp
Guestnet_setting.asp>B
Guestnet_summary.asp^B
IGMP.asp~B
Internet_Status.asp
Log.asp
Log_Module.asp
Log_Setting.asp
Log_View.asp
Management.asp>C
Management2.asp^C
Management_u.asp~C
Memory_Information.asp
Network_Service.asp
Ping.asp
Ping1.asp
PolicyRoutingtab1.asp
PolicyRoutingtab2.asp>D
QoS_Diff.asp^D
QoS_Tos.asp~D
QoS_WL.asp
QoS_ata.asp
QoS_tab1.asp
QoS_tab2.asp
RIP.asp
RIP_Setting.asp>E
RIP_Summary.asp^E
RTSP.asp~E
Radius.asp
Reboot.asp
Remote_access.asp
Remoteaccessedit.asp
Reset_button.asp
Restore.asp>F
Routing_tab1.asp^F
Routing_tab2.asp~F
Routingtab2qs.asp
Routing_tab3.asp
Routing_tab4.asp
SES_Status.asp
SNMP.asp
SingleForward_tab1.asp>G
SingleForward_tab2.asp^G
Status_Firewall.asp
Status_Iface.asp
Status_Lan.asp
Status_QoS.asp
Status_Router.asp>H
StatusWANINFO.asp^H
Status_arp.asp~H
Status_dhcppool.asp
Status_igmp.asp
Status_mibs.asp
Status_rip.asp
Status_route.asp
Success.asp>I
Success_lic.asp^I
Successrs.asp~I
Success_s.asp
Success_u.asp
Successus.asp
TAIL.asp
TAIL_voice.asp>J
TR.asp^J
TR_qs.asp~J
Traceroute.asp
Triggering.asp
Triggering_tab1.asp
Triggering_tab2.asp
Upgrade.asp
Upgrade_run.asp>K
User.asp^K
User_Level.asp~K
User_summary.asp
VPN.asp
WanMAC.asp
about.asp
access_deny.asp
cdp_lldp.asp^L
config_mng.asp
dhcp_pool.asp^M
dhcppooledit.asp~M
dhcppooledit_qs.asp
dhcppooledit_u.asp
dmzsoftsetting.asp
dmzsoftsummary.asp
donothing_vlan.asp^1
filelink.asp
filelink_iframe.asp
fortest.asp
getactwan.asp
getarpinfo.asp:R
getcpumemory_info.aspZR
getdhcppoolinfo.aspzR
getfirewallinfo.asp
getifaceinfo.asp
getlogrecord.asp
getlogrecord_ajax.asp
getqosinfo.asp
gettftpstatus.asp:S
getconnect.aspZS
getconnst.aspzS
header_TOP.asp
headerTOPvoice.asp
index.asp
index_dhcp.asp
index_pppoe.asp
index_pptp.asp
index_static.asp6\
index_tab3.aspV\
lanphysetting.asp
license.asp
license_credential.asp
license_install.asp
license_resend.asp6]
license_user.aspV]
login.aspv]
logout.asp
macaddressclone.asp
mac_clone.asp
menu_linksys.asp
menu_unlink.asp6^
mibs_obj.asp#
phy_setting.asp
ping_continue.asp
ping_log.asp
port_setting.asp
position_url.aspRA
privilegectl.asprA
quick_setup.asp
quicksetup.asp
quicksetupst.asp
setupwizard.asp
status_Guestnet.asp
status_wireless.asp
tftp.aspv]
traceroute_continue.asp
traceroute_log.asp
tree.asp
tree_tab.asp
voice.asp6^
voice_qs.aspV^
voicest.aspv^
wan_option.asp
wan_sub.asp
wansubqs.asp
wansubu.asp
wan_vlan.asp

I noticed Diagnostics_tab1.asp and Diagnostics_tab2.asp right away! And luckily enough that is our ticket. They give us a working traceroute+ping. You just access them like http://HOST/Diagnostics_tab1.asp;session_id=X

Diagnostics_tab1.asp

Diagnostics_tab2.asp
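The same inventory can be done programmatically and compared with what the web UI actually links to, which is useful when auditing a device image for pages the interface does not expose. The following is an added example, not code from the original post: the function names, the sample blob and the set of linked pages are constructed for illustration. Unlike `grep .asp`, the pattern escapes the dot and stops at the extension, so the stray bytes visible in the listing above are dropped.

```python
import re

# Identifier characters followed by a literal ".asp". The match ends at the
# extension, so bytes that follow the name in the image (">^", "ZR", ...) are
# not included. Alphanumeric junk directly in front of a name would still be
# picked up, so treat the result as a list of candidates.
ASP_NAME = re.compile(rb"[A-Za-z0-9_]+\.asp")

def asp_pages(blob):
    """Return the unique .asp page names embedded in a firmware blob."""
    return sorted({m.group().decode("ascii") for m in ASP_NAME.finditer(blob)})

def unlinked_pages(blob, linked):
    """Pages present in the image but absent from the UI's own links."""
    return [page for page in asp_pages(blob) if page not in linked]

def by_keyword(pages, keywords=("diag", "ping", "traceroute")):
    """Narrow a page list to names that suggest diagnostic tooling."""
    return [p for p in pages if any(k in p.lower() for k in keywords)]

# Constructed sample: a few names from the listing above, separated by the
# kind of non-text bytes a real image contains.
SAMPLE_BLOB = (
    b"\x00\x01Alg.asp>^\x00\x10Backup.asp~^\x00"
    b"Diagnostics_tab1.asp~@\x00Diagnostics_tab2.asp\x00\x7f"
    b"Ping.asp\x00getcpumemory_info.aspZR\x00Reboot.asp\x00"
    b"Traceroute.asp\x00\xff\xfeUpgrade.asp\x00"
)
# Constructed stand-in for the pages reachable from the admin menu.
SAMPLE_LINKED = {"Alg.asp", "Backup.asp", "Reboot.asp", "Upgrade.asp"}

if __name__ == "__main__":
    hidden = unlinked_pages(SAMPLE_BLOB, SAMPLE_LINKED)
    print("in image, not linked from UI:")
    for page in hidden:
        flag = "  <- diagnostics" if page in by_keyword(hidden) else ""
        print(f"  {page}{flag}")
```
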

Digging Even Further

So I have solved the problem at hand, but let us see if we can dig even further. I would really like to get a shell! binwalk says there are some squashfs images in the bin, I am going to see if I can build my own firmware with shell access.

So using binwalk, I was able to extract the firmware by running

binwalk -eM Payton_1.3.5_004p_102814_1321_pfmwr_bootldr.bin

and I found a squashfs image that is 8410145 bytes; this looks promising! However, I ran into some trouble extracting it. I noticed that the 'magic number' for the file was shsq and after some googling I found this patch

I am currently using an OSX desktop and pulled it in via Homebrew, with the following recipe that includes the linked patch. I am looking through the dump right now to see if I can find something that already evals input etc.
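To see where such an image sits in a blob and whether its magic is one of the two standard squashfs byte orders, the scan below may help. It is an added example, not the author's code or the linked patch: treating any reordering of the standard magic bytes as a vendor variant is an assumed heuristic, and the function names and sample blob are constructed.

```python
import struct
from itertools import permutations

# On-disk magic -> struct byte order for the two standard squashfs layouts.
STANDARD = {b"hsqs": "<", b"sqsh": ">"}
# Heuristic (assumption): any other ordering of the same four bytes, such as
# the "shsq" found in this firmware, is treated as a vendor-modified image.
VARIANTS = {bytes(p) for p in permutations(b"hsqs")} - set(STANDARD)

def find_squashfs(blob):
    """Return candidate superblocks as dicts, sorted by offset."""
    hits = []
    for magic in set(STANDARD) | VARIANTS:
        start = 0
        while (off := blob.find(magic, start)) != -1:
            start = off + 1
            order = STANDARD.get(magic)
            version = None
            if order:
                # squashfs 4.x keeps s_major/s_minor as two u16 at offset 28;
                # use them to discard magics that are really just text.
                if off + 32 > len(blob):
                    continue
                version = struct.unpack_from(order + "HH", blob, off + 28)
                if not 1 <= version[0] <= 4:
                    continue
            hits.append({"offset": off, "magic": magic.decode(),
                         "standard": order is not None, "version": version})
    return sorted(hits, key=lambda h: h["offset"])

def _superblock(magic, order, major, minor):
    """Constructed 96-byte stand-in for a superblock (magic + version only)."""
    sb = bytearray(96)
    sb[0:4] = magic
    struct.pack_into(order + "HH", sb, 28, major, minor)
    return bytes(sb)

# Constructed sample: a reordered magic, a valid 4.0 superblock, and the
# string "hsqs" inside ordinary text (a false positive to be rejected).
SAMPLE = (b"\xde\xad" * 8 + b"shsq" + bytes(60)
          + _superblock(b"hsqs", "<", 4, 0) + b"text hsqs " + b"A" * 40)

if __name__ == "__main__":
    for hit in find_squashfs(SAMPLE):
        note = "" if hit["standard"] else "  <- non-standard magic"
        print(f'{hit["offset"]:#x} {hit["magic"]} {hit["version"]}{note}')
```

Hits with a non-standard magic carry no version because their superblock layout is not assumed to match the standard one.
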
