I stumbled across a Sagem F@ST 2404 ADSL modem recently. While I was experimenting with some of its features, I found an interesting feature (or a bug :P) in version 3.21a4.
Many home ADSL modems provide command line access (usually via telnet) along with their fancy Web interface.
If you try to connect via telnet to this ADSL modem, you will be provided with the following screen of options:
So you just type an appropriate number and navigate to the respective subcategory.
But what if you try to type a command instead of a number? Let's try with ls /bin first.
Nope. Let's try with a simple echo "This is a test" or something similar.
Bingo! That means that the command line interface does not sanitize input properly and allows the user to execute arbitrary commands!
Let's extend our command a bit. Let's try to invoke busybox sh.
Nope! Let's try to combine the last two commands into a single one and see the result. So our new command would be: echo "This is a test"; busybox sh
The busybox shell is spawned! Great!
You can explore your router's internals via the typical ls and cat commands. You can also view running processes using the ps command.
Be careful not to run the cfm executable! I speculate that this is the router's bootstrap script and if you try to re-execute it, you will probably lose connectivity. In that case just try a hardware reboot of the router.
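The accept/reject pattern seen for the four inputs above is what a check on the first word alone would produce. The following is an added example, not code from the modem's firmware or from this post: it models that assumed flawed check next to a strict menu parser that accepts nothing but an item number. The allowlist contents, the function names and the menu size of 9 are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMED flawed check (not taken from the firmware): only the first word is
 * compared with an allowlist; the whole line would then be passed to a shell,
 * so anything after ';' runs as well. */
static const char *const ALLOWED[] = { "echo", NULL };  /* assumed allowlist */

int first_word_allowed(const char *line)
{
    size_t n = strcspn(line, " \t");
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(line, ALLOWED[i], n) == 0)
            return 1;
    return 0;
}

/* Hardened parser: the only valid input is a menu number in 1..max_item.
 * Returns the item number, or -1 for anything else; nothing reaches a shell. */
int parse_menu_choice(const char *line, int max_item)
{
    char *end;
    long v;

    if (!isdigit((unsigned char)line[0]))  /* empty, sign, space, letters */
        return -1;
    errno = 0;
    v = strtol(line, &end, 10);
    if (errno == ERANGE)
        return -1;
    while (*end == '\r' || *end == '\n')   /* tolerate the telnet line ending */
        end++;
    if (*end != '\0' || v < 1 || v > max_item)  /* trailing text or bad range */
        return -1;
    return (int)v;
}

int main(void)
{
    /* The four inputs from the post, plus one valid menu choice. */
    const char *in[] = { "ls /bin", "echo \"This is a test\"", "busybox sh",
                         "echo \"This is a test\"; busybox sh", "3\r\n" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("first-word check=%d  menu parser=%d\n",
               first_word_allowed(in[i]), parse_menu_choice(in[i], 9));
    return 0;
}
```

The strict parser maps input to a menu item and never builds a command string, so there is no shell metacharacter left to filter.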