Finding the SqueezeBox Radio Default SSH Password

TLDR:

If SSH is enabled in the advanced settings, you can just log in with the default password 1234.

Given the age of the installed SSH daemon, you will likely have to enable legacy cryptography like so:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc -oHostKeyAlgorithms=+ssh-dss -l root <ip address>

Read on if you want to find out how I managed to crack the password, because I did not find the existing documentation on Squeezebox SSH access.

Prelude

I have a SqueezeBox Radio at home. It does a nice job of playing music from the internet and from my local network. The radio is clearly a Linux device and it even listens on port 22. But I don't have the password, and this always bummed me out. I can stream music to the radio from my local network using the Logitech Media Server software. When migrating server hardware, I looked around for what to keep and noticed an updates folder in /var/lib/squeezeboxserver. It turns out that when the radio asks for updates, the local server is in charge of getting the update file and providing it to the radio.

$ ls updates/
baby_7.7.3_r16676.bin  baby.version
$ ls -l updates/
-rw-r--r-- 1 freddy freddy 14771422 Sep  2 07:54 baby_7.7.3_r16676.bin
-rw-r--r-- 1 freddy freddy      139 Sep  2 07:53 baby.version
$ cat updates/baby.version
7.7.3 r16676
root@ec2mbubld01.idc.logitech.com Fri Feb 14 09:25:26 PST 2014
Base build revision:  bad080aecfec8226a4c1699b29d32cbba4ba396b
$ file updates/*
updates/baby_7.7.3_r16676.bin: Zip archive data, at least v2.0 to extract
updates/baby.version:          ASCII text

So, not knowing this, I had the firmware information on my disk all along? It is on.

Understanding the Firmware Update

This turned out very simple and accessible. Thanks Logitech! Unzipping yields multiple files, among them text files with metadata, a zImage (~2.8M) and root.cramfs (13M). Alright, let's mount the root filesystem and take a look around:

$ mount -o loop root.cramfs /mnt/
$ cat /mnt/etc/shadow
root:$1$Ubbe0.Et$fxA9h74pN/qDu12VAGZca1:13826:0:99999:7:::
nobody:*:14062:0:99999:7:::

Asking a search engine yields nothing, so we have to crack it ourselves. Running john on this takes less than a second.

The password is 1234
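The same check can be run by a device owner or reviewer on any extracted firmware image before deployment. The following is an added example, not code from the original post: it parses shadow entries like the ones above and reports accounts that accept a password login backed by a weak or missing hash. The function names and the weak/strong classification are this example's own assumptions, and the "svc" entry is constructed.

```python
from datetime import date, timedelta

# Sample input: the first two lines are the shadow entries shown in the post;
# the "svc" line is constructed for contrast (not a real hash).
SHADOW = """\
root:$1$Ubbe0.Et$fxA9h74pN/qDu12VAGZca1:13826:0:99999:7:::
nobody:*:14062:0:99999:7:::
svc:$6$constructedsalt$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
"""

# crypt(3) scheme ids -> (name, weak?). The weak/strong split is this example's policy.
SCHEMES = {"1": ("md5-crypt", True), "5": ("sha256-crypt", False),
           "6": ("sha512-crypt", False), "y": ("yescrypt", False),
           "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

def classify(field):
    """Classify the password field of one shadow entry as (status, scheme, weak)."""
    if field == "":
        return ("empty", None, True)         # account logs in without a password
    if field[0] in "*!":
        return ("locked", None, False)       # password login disabled
    if field.startswith("$"):
        name, weak = SCHEMES.get(field.split("$")[1], ("unknown", True))
        return ("password", name, weak)
    return ("password", "des-crypt", True)   # traditional 13-character crypt

def audit(shadow_text):
    """Parse shadow(5) text and return one finding dict per account."""
    findings = []
    for line in shadow_text.splitlines():
        cols = line.split(":")
        if len(cols) < 3:
            continue                         # blank or malformed line
        status, scheme, weak = classify(cols[1])
        # Field 3 is the last password change, in days since 1970-01-01.
        changed = (date(1970, 1, 1) + timedelta(days=int(cols[2]))
                   if cols[2].isdigit() else None)
        findings.append({"user": cols[0], "status": status, "scheme": scheme,
                         "weak": weak, "changed": changed})
    return findings

def weak_logins(findings):
    """Accounts that accept a password login backed by a weak or missing hash."""
    return [f["user"] for f in findings if f["weak"]]

if __name__ == "__main__":
    for f in audit(SHADOW):
        print(f)
    print("weak:", weak_logins(audit(SHADOW)))
```

For the firmware's root entry this reports an md5-crypt hash whose last-change field (13826 days after the epoch) decodes to November 2007.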

Logging in

Logging in is a bit harder than it seems. The radio runs an ancient SSH daemon that only offers outdated legacy algorithms, so a current client refuses to negotiate:

$ ssh 192.168.x.y -l root
Unable to negotiate with 192.168.x.y port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

A quick search shows that we can re-enable the legacy crypto:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc -oHostKeyAlgorithms=+ssh-dss -l root <ip address>
root@192.168.x.y's password:

This network device is for authorized use only. Unauthorized or improper use
of this system may result in you hearing very bad music. If you do not consent
to these terms, LOG OFF IMMEDIATELY.

Ha, only joking. Now you have logged in feel free to change your root password
using the 'passwd' command. You can safely modify any of the files on this
system. A factory reset (press and hold add on power on) will remove all your
modifications and revert to the installed firmware.

Enjoy!

And that's it. Have fun with your full root privileges!


Published: Fri 02 September 2016