Tuesday, September 30, 2014
 

Router Password – Yet Another Problem

Recently, I had to replace my wireless router, LinkSys WRT54G2, with DLink DSL-2730U.  Obviously, when you replace router, you’ll have to re-setup configuration and that’s what I started with. DLink router configuration was seamless and since it has support for in-built ADSL modem, I could remove my good old beetel ADSL modem.

Configuration for ADSL is absolutely simple steps  if you have required information from your ISP. It worked immediately and I got connected through ethernet cable. After which I tried to configure wireless setup and tried to connect via wi-fi.  Instead all I got was

Connecting to DLink DSL Router

Whoa! It started with “Connecting… ” message and then the above and finally, it failed. Surprise surprise, I did not see any error.  Windows event log checked, router logs checked. Nothing anywhere. Now keep guessing.

Thinking that I probably made mistake while configuration,  I put the router back in factory default mode and restarted the configuration manually.  While doing so,  noticed that DLink configuration UI had absolutely no feedback mechanism to the user. You keep configuring and try to save. It just saves and keeps you in the same page. Whether the save succeeded or not, there was no message, indicator or any sort of thing.  May be they can improve things here.

Now, back to wireless configuration.  I sort of guessed that it may be related to security issue.  I tried running the wireless in no-authentication mechanism and it worked.

DLink DSL -2730U Wireless configuration

Re-enabled WPA2 with pre-shared key(wireless password), and it failed again.   Clueless, and with Google also not helping me here,  I was running out of ideas.

Not sure why, I thought of changing the password to a very simple one and tried with that. It WORKED!  What happened here?

Thinking that I would have changed something else, I reset the password to the previous one and of course, it failed.   Now it was pretty much clear that password is an issue here. (How can you guess the password requirement when there is nothing in the UI/manual?)

The reason, password had a “$” (dollar) symbol. Yes, you read it right! The actual issue was when your password for wireless configuration has “$” symbol, it simply fails. Remove the “$” symbol and it works.

For the record, I noted this issue on DLink – DSL-2730U with Firmware version IN_1.02.

DLink UI

 

 

 

 

Revisiting Disable JavaScript Execution From Console

Recent changes done by Chrome team have made my previous technique for disabling JavaScript execution redundant. The post was referenced in StackOverflow after which it was reported as a bug in Chromium. I have my reservation on bug description and what they actually fixed but that’s for a later post.

Before we proceed further, a DISCLAIMER – any technique that we may learn in this post may get deprecated by browser as they evolve and hence the code should never be considered for production environment. It is good to know what you can do in JavaScript world however things, which are not within the capacity of application, should never be controlled by web application. You must leave them to browser to handle it at their level best.

Done reading disclaimer? Ready to dive? Read on.

Stop! If you have not read my previous post yet, please go and read it first.

With recent changes, chrome now does following thing –

  1. It renamed the property to __commandLineAPI instead of _commandLineAPI (additional underscore at the beginning, seriously?)
  2. Moved the property hosting object from window.console to window.
  3. Property gets created only during the console execution. So whether you start typing in for code completion feature or execution feature, the property gets created and at the end of it, it gets deleted too.
  4. It now also checks that if the property has already been attached to window, if so, it won’t create it and directly execute the code without using the “with” scope mechanism. (so, don’t bother changing the code from previous code to align with new name and hosting container. It won’t work)

With all of the above, it becomes very difficult to break this type of logic since it involves existence check for property, runtime creation/deletion of property and then execution within the scope of property. Also, all the variables are setup within closure so adding a trap for them also won’t work. In short, they made it very difficult.

However considering the capability provided by JavaScript, I found a place where I can setup a hook and can still stop the execution. (What were you thinking? I mentioned it already that they made it difficult, not impossible.)

I noticed that they are preparing the expression typed/pasted by user , adding prefix/suffix as necessary and passing it to evaluate function via call method. So if you override call function and look for string containing “__commandLineAPI” ? Let’s see the code

( function(){
	var __x = Function.prototype.call;
        Function.prototype.call = function( thisArg ){
             if( arguments[1] && arguments[1].indexOf &&
                 arguments[1].indexOf( "with (__commandLineAPI" ) !== -1 ) {
			throw "Sorry, Execution via Console has been disabled!";
             }
 
	     __x.apply( this, arguments );
        };
})();

With the above in web application, try opening console and start typing any JavaScript code. Notice the error message!

Having described way to disable console yet again, I still recommend not to use such technique cause of multiple reason. Foremost being controlling browser behavior is not something which a web application can do and hence should refrain from doing so.

 
 
 

 

Find Me!
View Kunal Kumar's profile on LinkedIn