30th Mar, 2007

BeBox – Got Root?

I’ve recently switched to Be There from the cowboys at Pipex, and I have to say I’ve been impressed. Speed-wise, it’s terrific, especially for the price.

This post recounts my first exploration into the mysteries of the descriptively named “BeBox” through which the ADSL service is provided.

Since it arrived on the doorstep for free, I had expected it to be yet another of these mediocre but functional things with some lights and a basic web interface. Despite being adorned with a large pink star and sharing the SpeedTouch brand name with the (notoriously incompatible) “Frog”, it turns out the 780WL is made by Alcatel, and as such is a very different beast. The 4-port wireless router comes equipped with VoIP, QoS, an SPI firewall and routing tables complete with VLANing – it runs a BSD variant with a full CLI as if it were an enterprise-class networking device.

Be naturally hide all this interesting functionality from the end user, and the web based interface looks very run-of-the-mill and irritatingly hand-holding. I only realised there was more lurking under the surface when I found port 21 was open whilst idly Nmap-ing myself from a machine externally. Anticipation overriding any concern about the discovered security holes, I logged in with the provided (default) user account. The resulting access yielded very little functionality over that provided by the web-based interface, most “advanced” commands resulting in policy restriction error messages; nevertheless a remote attacker could certainly wreak some havoc. I needed root access, if only to switch telnet off!

The SpeedTouch’s web-based GUI provides the option to back up and restore its configuration to an INI file. Sure enough, poking around in this I found what I was looking for (password hashes removed for obvious reasons):

[ mlpuser.ini ]
add name=Administrator password=_CYP_{removed} role=Administrator hash2={removed} defuser=enabled
add name=tech password=_CYP_{removed} role=TechnicalSupport hash2={removed} defremadmin=enabled
add name=BeTech password=_CYP_{removed} role=TechnicalSupport hash2={removed}
add name=bebox password=_CYP_{removed} role=root hash2={removed}

Well, Administrator was me, but I didn’t like the look of the other three. Be use the same passwords for every customer, and this was leaving me wide open to attack. Commenting out those lines (in case Be do ever need to log in remotely), and adding a user called root with role=root, got me the access I required.

This configuration file also had a lot to reveal about services the box was exposing WAN-side:

[ servmgr.ini ]
...
ifadd name=HTTPs group=wan
ifadd name=FTP group=wan
ifadd name=TELNET group=wan
ifadd name=PING_RESPONDER group=wan
...

Certainly telnet and ftp were going right off. HTTPS is for the web-based interface, and despite the “s” it would still expose a login box that a password cracker could be run against. Finally, I’m not a believer in letting all and sundry ping me (I hope to re-enable it specifically for Be’s server IPs when I get more acquainted with the CLI).

Another annoyance was that the box helpfully redirects all outgoing HTTP requests to an error page whenever the connection is down. Useful for a novice user, but annoying in a similar vein to Verisign’s Sitefinder, as it’s not done by transparent proxying (as it should be) but by spoofing DNS! Even the former can cause problems for things that depend on a TCP timeout rather than a successful connection. (It even returns HTTP 200 instead of the 503 that proxy standards dictate.)

This, and the web filtering that powers the “Parental Control” feature (which appears locked in the On position), are run using “Differentiated Service Delivery (DSD)”. I am not a fan:

[ dnss.ini ]
config domain=local timeout=15 suppress=0 state=enabled trace=disabled syslog=disabled WANDownSpoofing=disabled WDSpoofedIP=10.0.0.201
...
[ dsd.ini ]
...
config state=disabled
...
[ webfilter.ini ]
...
config state=disabled
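Since the backup INI is the one place all of this is visible at once, here is an added example (my own code, not anything shipped with the SpeedTouch or written by the post’s author) that parses a file in the format quoted above and reports the three things the post changed: privileged accounts in mlpuser.ini that you did not create, services bound to the WAN group in servmgr.ini, and WANDownSpoofing in dnss.ini. The sample text is constructed in the shape of the quoted sections, with placeholder hash fields and spoofing switched on so the check fires.

```python
import re

# Constructed sample in the shape of the SpeedTouch backup INI quoted in the post;
# password/hash fields are placeholders and WANDownSpoofing is enabled so the check fires.
SAMPLE_BACKUP = """\
[ mlpuser.ini ]
add name=Administrator password=_CYP_{placeholder} role=Administrator hash2={placeholder} defuser=enabled
add name=tech password=_CYP_{placeholder} role=TechnicalSupport hash2={placeholder} defremadmin=enabled
add name=BeTech password=_CYP_{placeholder} role=TechnicalSupport hash2={placeholder}
add name=bebox password=_CYP_{placeholder} role=root hash2={placeholder}
[ servmgr.ini ]
ifadd name=HTTPs group=wan
ifadd name=FTP group=wan
ifadd name=TELNET group=wan
ifadd name=PING_RESPONDER group=wan
[ dnss.ini ]
config domain=local timeout=15 suppress=0 state=enabled WANDownSpoofing=enabled WDSpoofedIP=10.0.0.201
"""
SECTION_RE = re.compile(r"^\[\s*(\S+)\s*\]$")

def parse_backup(text):
    """Map each '[ x.ini ]' section to its lines, each line as {verb, key: value, ...}."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "...":          # the post elides sections with "..."
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            verb, *pairs = line.split()
            record = dict(pair.partition("=")[::2] for pair in pairs)  # key=value tokens
            record["verb"] = verb
            sections[current].append(record)
    return sections

def audit(text, own_accounts=("Administrator",)):
    """One finding per risky setting, mirroring the three things the post changed."""
    cfg, findings = parse_backup(text), []
    for rec in cfg.get("mlpuser.ini", []):     # privileged accounts the owner did not create
        if rec.get("role") in ("root", "TechnicalSupport") and rec.get("name") not in own_accounts:
            findings.append(f"account {rec['name']} has role={rec['role']}")
    for rec in cfg.get("servmgr.ini", []):     # management services bound to the WAN group
        if rec["verb"] == "ifadd" and rec.get("group") == "wan":
            findings.append(f"service {rec['name']} exposed on WAN")
    for rec in cfg.get("dnss.ini", []):        # every lookup answered with a spoofed IP while the line is down
        if rec["verb"] == "config" and rec.get("WANDownSpoofing") == "enabled":
            findings.append(f"WANDownSpoofing enabled (spoofed IP {rec.get('WDSpoofedIP')})")
    return findings
```

Run `audit()` over your own exported user.ini and pass any accounts you created yourself in `own_accounts`; anything it reports is worth comparing against the sections quoted in this post.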

Once that was all done, using the CLI and my newly-obtained root account, I managed to tweak out my DHCP and QoS settings (removing the bandwidth-throttling rules!). This is just a case of having the right reference material to hand. Unfortunately, despite the humorous “nerdy stuff inside” warning, the CD provided by Be only contains the “End-User” editions of the SpeedTouch manuals – the unabridged version and the CLI reference I’ve included below:

“BeBox” User Manual
“BeBox” CLI Reference

Immediately behind the BeBox I have my own firewall server running iptables, Squid and the usual on Gentoo, so I turned off the unsophisticated SpeedTouch IDS that was hampering my remote portscanning anyway, and put said machine in a DMZ. Next task is to put the built-in wireless interface into a WAN-detached VLAN with the server, but that’s another post…

Responses

Hey,
I am currently running a Be ST780 with 6.4.1.3 fw; can you tell me more about the QoS and bandwidth throttling rules you have found? =p

I am really hacked off that my torrents have gone to a crawl, and I would like to try and correct this. I used to get around 1-1.6Mb/s all day long; now I’m down to 1-300kB.

I have also gone BE-Pro, and I need to get this router stable/performing before I scream at BE for a refund!

Hey MK-ULTRA, only came across this comment by accident, maybe I’ll turn notifications on… ;)

The bandwidth throttling rules I was referring to appear under the [ labelrule.ini ] section in your user.ini, and appear to tag video with a lower QoS rating; replacing all the

[ labelrule.ini ]
chain add chain=rt_user_labels
chain add chain=rt_default_labels
chain add chain=qos_user_labels
chain add chain=qos_default_labels
rule add ...

lines with

[ labelrule.ini ]
chain add chain=rt_user_labels
chain add chain=rt_default_labels
chain add chain=qos_user_labels
chain add chain=qos_default_labels
rule add chain=qos_default_labels index=23 name=default log=disabled state=enabled label=Interactive

should effectively disable QoS altogether (by tagging all traffic with the same QoS class), though some of these may actually be advantageous (e.g. DiffServ is used by Windows and ISA Server) – obviously search for any explicit references to BitTorrent etc, though all you’re likely to find are protocol definitions.

Also have a read through the CLI manual to figure out how to modify the qosbook interactively – for example tagging traffic you want to with a higher QoS class may give higher throughput by prioritising yours over other users’ – I know not whether this works (I don’t have access to a BeBox at the moment) nor whether it’s morally right.

If you believe BitTorrent is being throttled it’s likely to be happening upstream at Be, though they maintain they do not shape traffic.

In which case have a look at this guide.

Interesting post, thanks for writing it all (I’ve been a Be* member since August 2006, and I do similar things to you whenever I reflash / reset my box, but it’s nice to get all the steps laid out in a coherent way because I just keep them all jumbled up in my head!)

Cheers :)

Hi,

How did you get DMZ working on your BeBox?

Cheers

Hey Rory, can you tell me if it’s possible to run simple bash scripts on the 780WL? I’d like to create a script with an if statement, grep, time, echo and some variables via cron, but I’m not sure if it’s possible. Also, is there a way to get the number of calls out via PSTN (fxo)? The manual suggests this can be done for fxs1 and fxs2 with “voip stats list”, but I don’t know if it’s the same for fxo. Thanks.

Christopher,

Unfortunately GNU Utils are not included in the BeBox’s firmware (would be entirely unnecessary), so you would be looking at an iPod style reverse engineer – perhaps you’d have some luck posting on the Unofficial Be Users Forum – whether it has the resources to run a full terminal is another matter.

I assume also that the PSTN call-through facility is implemented in hardware and simply connects the VoIP port at a circuit level. Call accounting facilities would require the BeBox to have PBX capabilities or at least have more awareness of the call state than is necessary for its current featureset.

Can someone please tell me how to unlock port 4 so I can use it instead of buying a switch to add a 4th user?

It seems that our hostname gives away that we have a BeBox. How can we change this?

Thanks for your article btw!!!!

Nice write up Rory, thanks!

Will, try :ip config natloopback=enabled

I had to do that before packets would be passed back and forth correctly to my web server, even though I had assigned the device as HTTP in the web GUI.
