# mfi - [device](#device) - [digging](#digging) - [nmap](#nmap) - [sniffing](#sniffing) - [filesystem](#filesystem) - [firmware](#firmware) ## device name | value ----------------|----- model | `mPower mFi 3-port Power Wifi` firmware | `2.0.8` features | `BusyBox` vulnerabilities | HTTP plain text authentication, easily guessable root password, telnet/ssh services running by default ## digging ### nmap from `nmap -PN -p 1-65535 172.16.42.233`, we get: ``` Starting Nmap 5.21 ( http://nmap.org ) at 2017-02-19 15:04 PST Nmap scan report for mFi.lan (172.16.42.233) Host is up (0.060s latency). Not shown: 961 closed ports, 32 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0) 23/tcp open telnet Linksys WRT54G telnetd (Tomato firmware) 53/tcp open tcpwrapped 80/tcp open http lighttpd 1.4.31 443/tcp open ssl/http lighttpd 1.4.31 8080/tcp open http lighttpd 1.4.31 49152/tcp open upnp Portable SDK for UPnP devices 1.6.18 (kernel 2.6.32.29; UPnP 1.0) Service Info: OS: Linux; Device: WAP ``` ssh and telnet? 3 different lighttpd endpoints? ### sniffing after finally completing the initial configuration and getting the device on my network, i was presented with a username/password prompt. there was no indication about what realm the authentication was going against, and none of the configured passwords worked. a quick google search indicated that the default username/password was `ubnt` / `ubnt` - this was not included in the manual. watching the packets: ``` POST /login.cgi HTTP/1.1 Host: 172.16.42.233 Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 ------WebKitFormBoundaryLR15GqkcNTCm9LZP Content-Disposition: form-data; name="uri" / ------WebKitFormBoundaryLR15GqkcNTCm9LZP Content-Disposition: form-data; name="username" ubnt ------WebKitFormBoundaryLR15GqkcNTCm9LZP Content-Disposition: form-data; name="password" ubnt ------WebKitFormBoundaryLR15GqkcNTCm9LZP Content-Disposition: form-data; name="Submit" Login ------WebKitFormBoundaryLR15GqkcNTCm9LZP-- HTTP/1.1 302 Found Location: / Set-cookie: ui_language=en_US; expires=Tuesday, 19-Jan-38 03:14:07 GMT Content-type: text/html Transfer-Encoding: chunked Date: Thu, 01 Jan 1970 00:44:18 GMT Server: lighttpd/1.4.31 0 ``` yep, passing credentials in the clear, not even usig HTTP BasicAuth. once we're authenticated, calls to `/mfi/sensors.cgi?t=<0.nnn>` started returning JSON: ``` GET /mfi/sensors.cgi?t=0.48375444280878943 HTTP/1.1 Host: 172.16.42.233 Connection: keep-alive Accept: */* X-Requested-With: XMLHttpRequest Referer: http://172.16.42.233/power Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Cookie: AIROS_SESSIONID=>; ui_language=en_US HTTP/1.1 200 OK Expires: Sun, 01 Jan 1984 08:00:00 GMT Cache-Control: must-revalidate Content-type: application/json Transfer-Encoding: chunked Date: Thu, 01 Jan 1970 00:44:26 GMT Server: lighttpd/1.4.31 1b2 { "sensors": [{ "port": 1, "output": 1, "power": 0.0, "energy": 0.0, "enabled": 0, "current": 0.0, "voltage": 121.904592752, "powerfactor": 0.0, "relay": 1, "lock": 0 }, { "port": 2, "output": 1, "power": 0.0, "energy": 0.0, "enabled": 0, "current": 0.0, "voltage": 122.275886535, "powerfactor": 0.0, "relay": 1, "lock": 0 }, { "port": 3, "output": 1, "power": 0.0, "energy": 0.0, "enabled": 0, "current": 0.0, "voltage": 122.129747152, "powerfactor": 0.0, "relay": 1, "lock": 0 }], "status": "success" }0 ``` ### filesystem there's no way they use the same password for the web interface that they do for telnet/ssh: ``` $ telnet 172.16.42.233 Trying 172.16.42.233... Connected to mfi.lan. Escape character is '^]'. mFid64ce7 login: ubnt Password: BusyBox v1.11.2 (2013-11-11 20:08:57 PST) built-in shell (ash) Enter 'help' for a list of built-in commands. MF.v2.0.8# ``` oh. they do. and it's a root shell. ``` MF.v2.0.8# cat /etc/passwd ubnt:KQiBBQ7dx8sx2:0:0:Administrator:/etc/persistent:/bin/sh ``` no `/etc/shadow`, but since the hash is present, 10 minutes on a GCP instance confirmed what we already knew. ``` MF.v2.0.8# cat cfg/mgmt mgmt.is_default=true mgmt.cloud_name=foo mgmt.cloud_pass=37b51d194a7513e45b56f6524f2d51f2 ``` when getting the device on the network initially, the username/password `foo`/`bar` was used, and sure enough: ``` $ echo -n 'bar' | md5sum 37b51d194a7513e45b56f6524f2d51f2 - ``` not that big of a deal if you use a strong password, but at this point, you can rest assured that many MD5 hashes are known and only a google search away. ``` MF.v2.0.8# ps w ... 428 ubnt 1140 S /sbin/hotplug2 --persistent --set-rules-file /usr/etc/hotplug2.rules 430 ubnt 1972 S < /bin/watchdog -t 1 /dev/watchdog 1070 ubnt 1940 S /bin/dropbear -F -d /var/run/dropbear_dss_host_key -r /var/run/dropbear_rsa_host_key -p 22 1072 ubnt 1976 S /bin/syslogd -n -O /var/log/messages -l 8 -s 200 -b 0 1074 ubnt 1288 S /bin/dnsmasq -k -C /etc/dnsmasq.ath1.conf -x /var/run/dnsmasq.ath1.pid 1077 ubnt 1988 S /bin/telnetd -F -p 23 1078 ubnt 1984 S /bin/crond -f -S 11441 ubnt 1996 S /sbin/udhcpc -f -i ath0 -V ubnt -A 10 -s /etc/udhcpc/udhcpc -p /var/run/udhcpc.ath0.pid -h mFi 13977 ubnt 6432 S /bin/lighttpd -D -f /etc/lighttpd.conf ... ```