this one was too easy
This commit is contained in:
parent
9a5335fa31
commit
1d3e40f562
@ -9,6 +9,7 @@ name | description | url
|
||||
[CUJO](http://trycujo.com) | purposeful MiTM device for internet 'security' | [cujo](cujo)
|
||||
[LG webOS](http://www.lge.com) | HTTP phone home is never a good idea | [lg-webOS](lg_webOS)
|
||||
[HooToo TripMate series](http://www.hootoo.com) | there are lots of problems, some end up at root access | [hootoo](hootoo)
|
||||
[Ubiquity mFi mPower](https://www.ubnt.com/mfi/mpower/) | root access trivially obtained, credential leakage, unnecessary services exposed | [mFi](mfi)
|
||||
[Philips Hue](http://www.meethue.com) | device communication insecure, Ruby library/CLI to control via REST HTTP | [hued](https://github.com/chorankates/hued)
|
||||
[RAV FileHub](http://www.ravpower.com/ravpower-rp-wd02-filehub-6000mah-power-bank.html) | a HooToo by any other name.. but with a twist | [rav-filehub](rav-filehub)
|
||||
[RevoLabs flx UC1000](http://www.revolabs.com/products/conference-phones/wired-conference-phones/flx-uc-phones/flx-uc-1000-speakerphone) | more than just brute forcing the PIN | [revolabs-flx_uc_1000](revolabs-flx_uc_1000)
|
||||
|
210
mfi/README.md
Normal file
210
mfi/README.md
Normal file
@ -0,0 +1,210 @@
|
||||
# mfi
|
||||
|
||||
- [device](#device)
|
||||
- [digging](#digging)
|
||||
- [nmap](#nmap)
|
||||
- [sniffing](#sniffing)
|
||||
- [filesystem](#filesystem)
|
||||
- [firmware](#firmware)
|
||||
|
||||
## device
|
||||
name | value
|
||||
----------------|-----
|
||||
model | `mPower mFi 3-port Power Wifi`
|
||||
firmware | `2.0.8`
|
||||
features | `BusyBox`
|
||||
vulnerabilities | HTTP plain text authentication, easily guessable root password, telnet/ssh services running by default
|
||||
|
||||
## digging
|
||||
|
||||
### nmap
|
||||
|
||||
from `nmap -PN -p 1-65535 172.16.42.233`, we get:
|
||||
|
||||
```
|
||||
Starting Nmap 5.21 ( http://nmap.org ) at 2017-02-19 15:04 PST
|
||||
Nmap scan report for mFi.lan (172.16.42.233)
|
||||
Host is up (0.060s latency).
|
||||
Not shown: 961 closed ports, 32 filtered ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0)
|
||||
23/tcp open telnet Linksys WRT54G telnetd (Tomato firmware)
|
||||
53/tcp open tcpwrapped
|
||||
80/tcp open http lighttpd 1.4.31
|
||||
443/tcp open ssl/http lighttpd 1.4.31
|
||||
8080/tcp open http lighttpd 1.4.31
|
||||
49152/tcp open upnp Portable SDK for UPnP devices 1.6.18 (kernel 2.6.32.29; UPnP 1.0)
|
||||
Service Info: OS: Linux; Device: WAP
|
||||
```
|
||||
|
||||
ssh and telnet?
|
||||
3 different lighttpd endpoints?
|
||||
|
||||
### sniffing
|
||||
|
||||
after finally completing the initial configuration and getting the device on my network, i was presented with a username/password prompt. there was no indication about what realm the authentication was going against, and none of the configured passwords worked.
|
||||
|
||||
a quick google search indicated that the default username/password was `ubnt` / `ubnt` - this was not included in the manual.
|
||||
|
||||
watching the packets:
|
||||
|
||||
```
|
||||
POST /login.cgi HTTP/1.1
|
||||
Host: 172.16.42.233
|
||||
Connection: keep-alive
|
||||
Cache-Control: max-age=0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Encoding: gzip, deflate, sdch
|
||||
Accept-Language: en-US,en;q=0.8
|
||||
|
||||
------WebKitFormBoundaryLR15GqkcNTCm9LZP
|
||||
Content-Disposition: form-data; name="uri"
|
||||
|
||||
/
|
||||
------WebKitFormBoundaryLR15GqkcNTCm9LZP
|
||||
Content-Disposition: form-data; name="username"
|
||||
|
||||
ubnt
|
||||
------WebKitFormBoundaryLR15GqkcNTCm9LZP
|
||||
Content-Disposition: form-data; name="password"
|
||||
|
||||
ubnt
|
||||
------WebKitFormBoundaryLR15GqkcNTCm9LZP
|
||||
Content-Disposition: form-data; name="Submit"
|
||||
|
||||
Login
|
||||
------WebKitFormBoundaryLR15GqkcNTCm9LZP--
|
||||
|
||||
HTTP/1.1 302 Found
|
||||
Location: /
|
||||
Set-cookie: ui_language=en_US; expires=Tuesday, 19-Jan-38 03:14:07 GMT
|
||||
Content-type: text/html
|
||||
Transfer-Encoding: chunked
|
||||
Date: Thu, 01 Jan 1970 00:44:18 GMT
|
||||
Server: lighttpd/1.4.31
|
||||
|
||||
0
|
||||
```
|
||||
|
||||
yep, passing credentials in the clear, not even usig HTTP BasicAuth.
|
||||
|
||||
once we're authenticated, calls to `/mfi/sensors.cgi?t=<0.nnn>` started returning JSON:
|
||||
|
||||
```
|
||||
GET /mfi/sensors.cgi?t=0.48375444280878943 HTTP/1.1
|
||||
Host: 172.16.42.233
|
||||
Connection: keep-alive
|
||||
Accept: */*
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Referer: http://172.16.42.233/power
|
||||
Accept-Encoding: gzip, deflate, sdch
|
||||
Accept-Language: en-US,en;q=0.8
|
||||
Cookie: AIROS_SESSIONID=<redacted>>; ui_language=en_US
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Expires: Sun, 01 Jan 1984 08:00:00 GMT
|
||||
Cache-Control: must-revalidate
|
||||
Content-type: application/json
|
||||
Transfer-Encoding: chunked
|
||||
Date: Thu, 01 Jan 1970 00:44:26 GMT
|
||||
Server: lighttpd/1.4.31
|
||||
|
||||
1b2
|
||||
{
|
||||
"sensors": [{
|
||||
"port": 1,
|
||||
"output": 1,
|
||||
"power": 0.0,
|
||||
"energy": 0.0,
|
||||
"enabled": 0,
|
||||
"current": 0.0,
|
||||
"voltage": 121.904592752,
|
||||
"powerfactor": 0.0,
|
||||
"relay": 1,
|
||||
"lock": 0
|
||||
}, {
|
||||
"port": 2,
|
||||
"output": 1,
|
||||
"power": 0.0,
|
||||
"energy": 0.0,
|
||||
"enabled": 0,
|
||||
"current": 0.0,
|
||||
"voltage": 122.275886535,
|
||||
"powerfactor": 0.0,
|
||||
"relay": 1,
|
||||
"lock": 0
|
||||
}, {
|
||||
"port": 3,
|
||||
"output": 1,
|
||||
"power": 0.0,
|
||||
"energy": 0.0,
|
||||
"enabled": 0,
|
||||
"current": 0.0,
|
||||
"voltage": 122.129747152,
|
||||
"powerfactor": 0.0,
|
||||
"relay": 1,
|
||||
"lock": 0
|
||||
}],
|
||||
"status": "success"
|
||||
}0
|
||||
```
|
||||
|
||||
### filesystem
|
||||
|
||||
there's no way they use the same password for the web interface that they do for telnet/ssh:
|
||||
|
||||
```
|
||||
$ telnet 172.16.42.233
|
||||
Trying 172.16.42.233...
|
||||
Connected to mfi.lan.
|
||||
Escape character is '^]'.
|
||||
mFid64ce7 login: ubnt
|
||||
Password:
|
||||
|
||||
|
||||
BusyBox v1.11.2 (2013-11-11 20:08:57 PST) built-in shell (ash)
|
||||
Enter 'help' for a list of built-in commands.
|
||||
|
||||
MF.v2.0.8#
|
||||
```
|
||||
|
||||
oh. they do. and it's a root shell.
|
||||
|
||||
```
|
||||
MF.v2.0.8# cat /etc/passwd
|
||||
ubnt:KQiBBQ7dx8sx2:0:0:Administrator:/etc/persistent:/bin/sh
|
||||
```
|
||||
|
||||
no `/etc/shadow`, but since the hash is present, 10 minutes on a GCP instance confirmed what we already knew.
|
||||
|
||||
```
|
||||
MF.v2.0.8# cat cfg/mgmt
|
||||
mgmt.is_default=true
|
||||
mgmt.cloud_name=foo
|
||||
mgmt.cloud_pass=37b51d194a7513e45b56f6524f2d51f2
|
||||
```
|
||||
|
||||
when getting the device on the network initially, the username/password `foo`/`bar` was used, and sure enough:
|
||||
|
||||
```
|
||||
$ echo -n 'bar' | md5sum
|
||||
37b51d194a7513e45b56f6524f2d51f2 -
|
||||
```
|
||||
|
||||
not that big of a deal if you use a strong password, but at this point, you can rest assured that many MD5 hashes are known and only a google search away.
|
||||
|
||||
```
|
||||
MF.v2.0.8# ps w
|
||||
...
|
||||
428 ubnt 1140 S /sbin/hotplug2 --persistent --set-rules-file /usr/etc/hotplug2.rules
|
||||
430 ubnt 1972 S < /bin/watchdog -t 1 /dev/watchdog
|
||||
1070 ubnt 1940 S /bin/dropbear -F -d /var/run/dropbear_dss_host_key -r /var/run/dropbear_rsa_host_key -p 22
|
||||
1072 ubnt 1976 S /bin/syslogd -n -O /var/log/messages -l 8 -s 200 -b 0
|
||||
1074 ubnt 1288 S /bin/dnsmasq -k -C /etc/dnsmasq.ath1.conf -x /var/run/dnsmasq.ath1.pid
|
||||
1077 ubnt 1988 S /bin/telnetd -F -p 23
|
||||
1078 ubnt 1984 S /bin/crond -f -S
|
||||
11441 ubnt 1996 S /sbin/udhcpc -f -i ath0 -V ubnt -A 10 -s /etc/udhcpc/udhcpc -p /var/run/udhcpc.ath0.pid -h mFi
|
||||
13977 ubnt 6432 S /bin/lighttpd -D -f /etc/lighttpd.conf
|
||||
...
|
||||
```
|
||||
|
Loading…
Reference in New Issue
Block a user