From 1d3e40f562d6c792ebe3987646f147cca16b8638 Mon Sep 17 00:00:00 2001 From: Conor Horan-Kates Date: Mon, 20 Feb 2017 11:52:29 -0800 Subject: [PATCH] this one was too easy --- README.md | 1 + mfi/README.md | 210 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 mfi/README.md diff --git a/README.md b/README.md index a6f93fc..d3cc50e 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ name | description | url [CUJO](http://trycujo.com) | purposeful MiTM device for internet 'security' | [cujo](cujo) [LG webOS](http://www.lge.com) | HTTP phone home is never a good idea | [lg-webOS](lg_webOS) [HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo) +[Ubiquity mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [mFi](mfi) [Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued) [RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub) [RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000) diff --git a/mfi/README.md b/mfi/README.md new file mode 100644 index 0000000..df03322 --- /dev/null +++ b/mfi/README.md 
@@ -0,0 +1,210 @@ +# mfi + +- [device](#device) +- [digging](#digging) + - [nmap](#nmap) + - [sniffing](#sniffing) + - [filesystem](#filesystem) +- [firmware](#firmware) + +## device +name | value +----------------|----- +model | `mPower mFi 3-port Power Wifi` +firmware | `2.0.8` +features | `BusyBox` +vulnerabilities | HTTP plain text authentication, easily guessable root password, telnet/ssh services running by default + +## digging + +### nmap + +from `nmap -PN -p 1-65535 172.16.42.233`, we get: + +``` +Starting Nmap 5.21 ( http://nmap.org ) at 2017-02-19 15:04 PST +Nmap scan report for mFi.lan (172.16.42.233) +Host is up (0.060s latency). +Not shown: 961 closed ports, 32 filtered ports +PORT STATE SERVICE VERSION +22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0) +23/tcp open telnet Linksys WRT54G telnetd (Tomato firmware) +53/tcp open tcpwrapped +80/tcp open http lighttpd 1.4.31 +443/tcp open ssl/http lighttpd 1.4.31 +8080/tcp open http lighttpd 1.4.31 +49152/tcp open upnp Portable SDK for UPnP devices 1.6.18 (kernel 2.6.32.29; UPnP 1.0) +Service Info: OS: Linux; Device: WAP +``` + +ssh and telnet? +3 different lighttpd endpoints? + +### sniffing + +after finally completing the initial configuration and getting the device on my network, i was presented with a username/password prompt. there was no indication about what realm the authentication was going against, and none of the configured passwords worked. + +a quick google search indicated that the default username/password was `ubnt` / `ubnt` - this was not included in the manual. 
+ +watching the packets: + +``` +POST /login.cgi HTTP/1.1 +Host: 172.16.42.233 +Connection: keep-alive +Cache-Control: max-age=0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 + +------WebKitFormBoundaryLR15GqkcNTCm9LZP +Content-Disposition: form-data; name="uri" + +/ +------WebKitFormBoundaryLR15GqkcNTCm9LZP +Content-Disposition: form-data; name="username" + +ubnt +------WebKitFormBoundaryLR15GqkcNTCm9LZP +Content-Disposition: form-data; name="password" + +ubnt +------WebKitFormBoundaryLR15GqkcNTCm9LZP +Content-Disposition: form-data; name="Submit" + +Login +------WebKitFormBoundaryLR15GqkcNTCm9LZP-- + +HTTP/1.1 302 Found +Location: / +Set-cookie: ui_language=en_US; expires=Tuesday, 19-Jan-38 03:14:07 GMT +Content-type: text/html +Transfer-Encoding: chunked +Date: Thu, 01 Jan 1970 00:44:18 GMT +Server: lighttpd/1.4.31 + +0 +``` + +yep, passing credentials in the clear, not even usig HTTP BasicAuth. 
+ +once we're authenticated, calls to `/mfi/sensors.cgi?t=<0.nnn>` started returning JSON: + +``` +GET /mfi/sensors.cgi?t=0.48375444280878943 HTTP/1.1 +Host: 172.16.42.233 +Connection: keep-alive +Accept: */* +X-Requested-With: XMLHttpRequest +Referer: http://172.16.42.233/power +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: AIROS_SESSIONID=>; ui_language=en_US + +HTTP/1.1 200 OK +Expires: Sun, 01 Jan 1984 08:00:00 GMT +Cache-Control: must-revalidate +Content-type: application/json +Transfer-Encoding: chunked +Date: Thu, 01 Jan 1970 00:44:26 GMT +Server: lighttpd/1.4.31 + +1b2 +{ + "sensors": [{ + "port": 1, + "output": 1, + "power": 0.0, + "energy": 0.0, + "enabled": 0, + "current": 0.0, + "voltage": 121.904592752, + "powerfactor": 0.0, + "relay": 1, + "lock": 0 + }, { + "port": 2, + "output": 1, + "power": 0.0, + "energy": 0.0, + "enabled": 0, + "current": 0.0, + "voltage": 122.275886535, + "powerfactor": 0.0, + "relay": 1, + "lock": 0 + }, { + "port": 3, + "output": 1, + "power": 0.0, + "energy": 0.0, + "enabled": 0, + "current": 0.0, + "voltage": 122.129747152, + "powerfactor": 0.0, + "relay": 1, + "lock": 0 + }], + "status": "success" +}0 +``` + +### filesystem + +there's no way they use the same password for the web interface that they do for telnet/ssh: + +``` +$ telnet 172.16.42.233 +Trying 172.16.42.233... +Connected to mfi.lan. +Escape character is '^]'. +mFid64ce7 login: ubnt +Password: + + +BusyBox v1.11.2 (2013-11-11 20:08:57 PST) built-in shell (ash) +Enter 'help' for a list of built-in commands. + +MF.v2.0.8# +``` + +oh. they do. and it's a root shell. + +``` +MF.v2.0.8# cat /etc/passwd +ubnt:KQiBBQ7dx8sx2:0:0:Administrator:/etc/persistent:/bin/sh +``` + +no `/etc/shadow`, but since the hash is present, 10 minutes on a GCP instance confirmed what we already knew. 
+ +``` +MF.v2.0.8# cat cfg/mgmt +mgmt.is_default=true +mgmt.cloud_name=foo +mgmt.cloud_pass=37b51d194a7513e45b56f6524f2d51f2 +``` + +when getting the device on the network initially, the username/password `foo`/`bar` was used, and sure enough: + +``` +$ echo -n 'bar' | md5sum +37b51d194a7513e45b56f6524f2d51f2 - +``` + +not that big of a deal if you use a strong password, but at this point, you can rest assured that many MD5 hashes are known and only a google search away. + +``` +MF.v2.0.8# ps w +... + 428 ubnt 1140 S /sbin/hotplug2 --persistent --set-rules-file /usr/etc/hotplug2.rules + 430 ubnt 1972 S < /bin/watchdog -t 1 /dev/watchdog + 1070 ubnt 1940 S /bin/dropbear -F -d /var/run/dropbear_dss_host_key -r /var/run/dropbear_rsa_host_key -p 22 + 1072 ubnt 1976 S /bin/syslogd -n -O /var/log/messages -l 8 -s 200 -b 0 + 1074 ubnt 1288 S /bin/dnsmasq -k -C /etc/dnsmasq.ath1.conf -x /var/run/dnsmasq.ath1.pid + 1077 ubnt 1988 S /bin/telnetd -F -p 23 + 1078 ubnt 1984 S /bin/crond -f -S +11441 ubnt 1996 S /sbin/udhcpc -f -i ath0 -V ubnt -A 10 -s /etc/udhcpc/udhcpc -p /var/run/udhcpc.ath0.pid -h mFi +13977 ubnt 6432 S /bin/lighttpd -D -f /etc/lighttpd.conf +... +``` +
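Review bot: in the README.md hunk the new table row spells the vendor "Ubiquity" while its link points at ubnt.com; the company is Ubiquiti, so the cell should read `[Ubiquiti mFi mPower](https://www.ubnt.com/mfi/mpower/)` so the name matches the product branding the link resolves to.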
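Review bot: in the new mfi/README.md, the nmap output in the `### nmap` section does not match the command quoted above it. `nmap -PN -p 1-65535 172.16.42.233` scans the full port range with no version detection, yet the output reports `Not shown: 961 closed ports, 32 filtered ports` (961 + 32 + 7 open is the default 1000-port list) and fills a VERSION column (`Dropbear sshd 0.51`, `lighttpd 1.4.31`), which requires `-sV`; either quote the command that actually produced this output (something like `nmap -PN -sV 172.16.42.233`) or paste the results of the full-range scan. Two smaller points in the same file: `not even usig HTTP BasicAuth` should read `using`, and `cat cfg/mgmt` in the filesystem section is run relative to the login shell's working directory, so giving the absolute path (presumably under `/etc/persistent`, the home directory shown in the `/etc/passwd` line) would make that finding reproducible for the reader.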