mfi
device
name | value |
---|---|
model | mPower mFi 3-port Power Wifi |
firmware | 2.0.8 |
features | BusyBox |
vulnerabilities | HTTP plain text authentication, easily guessable root password, telnet/ssh services running by default |
digging
nmap
from nmap -PN -p 1-65535 172.16.42.233
, we get:
Starting Nmap 5.21 ( http://nmap.org ) at 2017-02-19 15:04 PST
Nmap scan report for mFi.lan (172.16.42.233)
Host is up (0.060s latency).
Not shown: 961 closed ports, 32 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0)
23/tcp open telnet Linksys WRT54G telnetd (Tomato firmware)
53/tcp open tcpwrapped
80/tcp open http lighttpd 1.4.31
443/tcp open ssl/http lighttpd 1.4.31
8080/tcp open http lighttpd 1.4.31
49152/tcp open upnp Portable SDK for UPnP devices 1.6.18 (kernel 2.6.32.29; UPnP 1.0)
Service Info: OS: Linux; Device: WAP
ssh and telnet? 3 different lighttpd endpoints?
sniffing
after finally completing the initial configuration and getting the device on my network, i was presented with a username/password prompt. there was no indication about what realm the authentication was going against, and none of the configured passwords worked.
a quick google search indicated that the default username/password was ubnt
/ ubnt
- this was not included in the manual.
watching the packets:
POST /login.cgi HTTP/1.1
Host: 172.16.42.233
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
------WebKitFormBoundaryLR15GqkcNTCm9LZP
Content-Disposition: form-data; name="uri"
/
------WebKitFormBoundaryLR15GqkcNTCm9LZP
Content-Disposition: form-data; name="username"
ubnt
------WebKitFormBoundaryLR15GqkcNTCm9LZP
Content-Disposition: form-data; name="password"
ubnt
------WebKitFormBoundaryLR15GqkcNTCm9LZP
Content-Disposition: form-data; name="Submit"
Login
------WebKitFormBoundaryLR15GqkcNTCm9LZP--
HTTP/1.1 302 Found
Location: /
Set-cookie: ui_language=en_US; expires=Tuesday, 19-Jan-38 03:14:07 GMT
Content-type: text/html
Transfer-Encoding: chunked
Date: Thu, 01 Jan 1970 00:44:18 GMT
Server: lighttpd/1.4.31
0
yep, passing credentials in the clear, not even usig HTTP BasicAuth.
once we're authenticated, calls to /mfi/sensors.cgi?t=<0.nnn>
started returning JSON:
GET /mfi/sensors.cgi?t=0.48375444280878943 HTTP/1.1
Host: 172.16.42.233
Connection: keep-alive
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://172.16.42.233/power
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: AIROS_SESSIONID=<redacted>>; ui_language=en_US
HTTP/1.1 200 OK
Expires: Sun, 01 Jan 1984 08:00:00 GMT
Cache-Control: must-revalidate
Content-type: application/json
Transfer-Encoding: chunked
Date: Thu, 01 Jan 1970 00:44:26 GMT
Server: lighttpd/1.4.31
1b2
{
"sensors": [{
"port": 1,
"output": 1,
"power": 0.0,
"energy": 0.0,
"enabled": 0,
"current": 0.0,
"voltage": 121.904592752,
"powerfactor": 0.0,
"relay": 1,
"lock": 0
}, {
"port": 2,
"output": 1,
"power": 0.0,
"energy": 0.0,
"enabled": 0,
"current": 0.0,
"voltage": 122.275886535,
"powerfactor": 0.0,
"relay": 1,
"lock": 0
}, {
"port": 3,
"output": 1,
"power": 0.0,
"energy": 0.0,
"enabled": 0,
"current": 0.0,
"voltage": 122.129747152,
"powerfactor": 0.0,
"relay": 1,
"lock": 0
}],
"status": "success"
}0
filesystem
there's no way they use the same password for the web interface that they do for telnet/ssh:
$ telnet 172.16.42.233
Trying 172.16.42.233...
Connected to mfi.lan.
Escape character is '^]'.
mFid64ce7 login: ubnt
Password:
BusyBox v1.11.2 (2013-11-11 20:08:57 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
MF.v2.0.8#
oh. they do. and it's a root shell.
MF.v2.0.8# cat /etc/passwd
ubnt:KQiBBQ7dx8sx2:0:0:Administrator:/etc/persistent:/bin/sh
no /etc/shadow
, but since the hash is present, 10 minutes on a GCP instance confirmed what we already knew.
MF.v2.0.8# cat cfg/mgmt
mgmt.is_default=true
mgmt.cloud_name=foo
mgmt.cloud_pass=37b51d194a7513e45b56f6524f2d51f2
when getting the device on the network initially, the username/password foo
/bar
was used, and sure enough:
$ echo -n 'bar' | md5sum
37b51d194a7513e45b56f6524f2d51f2 -
not that big of a deal if you use a strong password, but at this point, you can rest assured that many MD5 hashes are known and only a google search away.
MF.v2.0.8# ps w
...
428 ubnt 1140 S /sbin/hotplug2 --persistent --set-rules-file /usr/etc/hotplug2.rules
430 ubnt 1972 S < /bin/watchdog -t 1 /dev/watchdog
1070 ubnt 1940 S /bin/dropbear -F -d /var/run/dropbear_dss_host_key -r /var/run/dropbear_rsa_host_key -p 22
1072 ubnt 1976 S /bin/syslogd -n -O /var/log/messages -l 8 -s 200 -b 0
1074 ubnt 1288 S /bin/dnsmasq -k -C /etc/dnsmasq.ath1.conf -x /var/run/dnsmasq.ath1.pid
1077 ubnt 1988 S /bin/telnetd -F -p 23
1078 ubnt 1984 S /bin/crond -f -S
11441 ubnt 1996 S /sbin/udhcpc -f -i ath0 -V ubnt -A 10 -s /etc/udhcpc/udhcpc -p /var/run/udhcpc.ath0.pid -h mFi
13977 ubnt 6432 S /bin/lighttpd -D -f /etc/lighttpd.conf
...