Exploiting the PogoPlug Mobile

Posted by fsm 
fsm
Exploiting the PogoPlug Mobile
August 10, 2014 05:25AM
Didn't think this fit anywhere else, hopefully someone already saw this - VERY helpful :)

GTVhacker Pogoplug Mobile

The PogoPlug has an open bootloader and its kernel drops to a root shell, making this a very open device. On top of that, a user is also able to enable an SSHD server if they visit My.PogoPlug.com and enable it. Enabling SSHD not only sets dropbear to start on boot but also forces the user to change the root password. This, however, is only offered if a user opts to set up SSHD.

This leaves a lot of users with a default root password, but seemingly without any services running that could use it.
Lucky for us a diagnostic page runs on every pogoplug and can be accessed at:

https://IP-OF-POGOPLUG-MOBILE/sqdiag/

This diagnostic page uses the root credentials as its login/password.
After accessing this diagnostic page you will need to access the hidden command execution portion. This can be accessed by visiting the following:

https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command


After visiting the above URL you should now have an input field that you can enter in any command which will execute with root privileges.
Accessing from CURL

The below command will test a PogoPlug for the default login and command execution script. For a quick test substitute COMMANDHERE with reboot.
POC:
curl -k "https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command&command=COMMANDHERE";


Below are the default root credentials for the PogoPlug; these are only changed if a user enables SSHD through the PogoPlug cloud interface.
Username: root
Password: ceadmin

sean
Re: Exploiting the PogoPlug Mobile
August 10, 2014 10:11AM
I was reading this on hackaday. I can confirm that the PERL command works by rebooting a brand new out of box plug. I wonder if there is a way to use this to enable ssh so we don't have to register the device. Trying to restart the service with PERL, it looks like it won't accept spaces in the command, and I can't seem to connect to the command's https site in the browser.
Re: Exploiting the PogoPlug Mobile
August 10, 2014 11:25AM
I guess I forgot to log on to post that. Anyway, I played around a little and you can now enable ssh without registering the device. I couldn't connect to the CloudEngines Diagnostic page with https with any of my computers for some reason (strangely, this changed after I was able to log on with my phone's browser and issue the command). It's as easy as accessing the page at
https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command
and issuing the command
dropbear start
That's it, you can now SSH into your plug without registering it with pogoplug.
Re: Exploiting the PogoPlug Mobile
August 10, 2014 08:12PM
No one ever said this was secure :)
fsm
Re: Exploiting the PogoPlug Mobile
August 10, 2014 08:25PM
It's nice knowing you can enable SSH without having to rely on Pogo's service, though.

Personally, I had to put my plug in the DMZ in order to enable SSH, which is a bit crazy. It's EXTREMELY nice to see that maybe someday we'll have a one-click type tool for expanding the uses of the plugs!
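
Added example, not part of the thread or of any poster's code: a detection sketch that flags requests to the diagnostic command endpoint and use of the default root credentials quoted above. The log layout (time, client, method, URL, Authorization value, as a TLS-inspecting proxy might record them) and all sample lines are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit, parse_qs

DIAG_PREFIX = "/sqdiag"              # diagnostic page path from the post
COMMAND_PATH = "/sqdiag/HBPlug"      # command endpoint from the post
DEFAULT_CRED = b"root:ceadmin"       # default root credentials from the post

def basic(userpass: bytes) -> str:
    """Authorization header value a client sends for user:password."""
    return "Basic " + base64.b64encode(userpass).decode()

# Constructed sample log; assumed layout: time client method url authorization
SAMPLE_LOG = "\n".join([
    "2014-08-10T10:11:02Z 192.0.2.15 GET https://192.0.2.40/sqdiag/HBPlug?action=command&command=reboot " + basic(DEFAULT_CRED),
    "2014-08-10T10:12:40Z 192.0.2.15 GET https://192.0.2.40/sqdiag/ " + basic(b"root:rotated-example"),
    "2014-08-10T10:13:05Z 192.0.2.77 GET https://192.0.2.40/sqdiag/HBPlug?action=command " + basic(b"root:rotated-example"),
    "2014-08-10T10:14:00Z 192.0.2.15 GET https://192.0.2.40/index.html -",
])

def classify(line: str):
    """Return a finding for requests to the diagnostic page, else None."""
    fields = line.split(None, 4)
    if len(fields) != 5:
        return None                  # not in the assumed layout
    ts, client, _method, url, auth = fields
    parts = urlsplit(url)
    if not parts.path.startswith(DIAG_PREFIX):
        return None
    creds = b""
    if auth.startswith("Basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True)
        except ValueError:           # malformed header: credentials unknown
            pass
    query = parse_qs(parts.query)
    is_command = parts.path == COMMAND_PATH and query.get("action") == ["command"]
    default_cred = creds == DEFAULT_CRED
    # high: command endpoint reached with the unchanged default password
    severity = ("high" if is_command and default_cred
                else "medium" if is_command or default_cred else "info")
    return {"time": ts, "client": client, "host": parts.hostname,
            "severity": severity, "default_cred": default_cred,
            "command": query.get("command", [None])[0]}

def scan(log_text: str):
    """Classify every non-empty line and keep only the findings."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding means the plug still has the default root password; as the first post notes, that password is only changed when SSHD is enabled through the cloud interface.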