GreenPacket WiMax Walkthrough

Today I'd like to talk about a recent deep dive into my home router, originally developed by GreenPacket ( http://www.greenpacket.com/ ).

This router model is an indoor WiMax DV-360 with firmware date 2011 (v2.10.14-g1.0.6.1).

From a LAN point of view this device has a lot of open ports/services, like:

  • 22: Dropbear SSH
  • 23: telnetd
  • 80: lighttpd
  • 443
  • plus eight more open ports...

After trying to configure a static IP address, my concern was how many of these ports are open from the WAN side.
Unfortunately all of these ports are also reachable from the WAN, so I decided to write this article to help anyone like me who wants to mitigate the risks.

Dropbear: stop talking to anyone!

The easy way I found to make dropbear listen only on the LAN is to manually edit /etc/init.d/dropbear.
Because this is an embedded device we can't easily edit scripts on the fly, so we first need to make a backup on our local machine, make the changes there, and then fetch the file back onto the router via "wget".
The only change I've made is at line 15.

From:
```shell
dropbear -p 22
```
To:
```shell
dropbear -p <router_lan_ip_address>:22
```

Then just run:
```shell
# cd /etc/init.d/
# chmod +x dropbear
# /etc/init.d/dropbear reload
```
Anyway, I noticed that sessions already active on the WAN side remain open after the reload.

So you need to kill those processes manually:
```shell
# ps aux
# kill <pid>   # the pid of the old "dropbear -p 22" process
```

Telnet what? Bye bye

The easy way is to simply stop the telnetd daemon via:
```shell
# /etc/init.d/telnetd stop
```

Anyway, this is not a permanent fix: I'm not able to find systemctl, service, update-rc.d and so on on this firmware...

lighttpd... what could be wrong? CVE-2018-14067 - Unauthenticated RCE

Doing an assessment of the web panel I was able to find an unauthenticated RCE via command injection.
After sending the details to mitre.org I was notified that a similar vuln had already been submitted as CVE-2017-9980.
But that one affects a different model (DX-350) with different firmware (v2.8.9.5-g1.4.8), so my vuln was successfully accepted.

So at this point lighttpd should also be exposed only on the LAN side.
To do this you need to copy /etc/conf/lighttpd.conf to your local machine and change line 1 as follows:

From:
```shell
var.lan=""
```
To:
```shell
var.lan="<router_lan_ip_address>"
```

Now fetch the file back via wget and replace the one in /etc/conf; this way you should be safe.

Finally you need to reload lighttpd to be sure that the service listens only on the LAN.

Note:
Details about CVE or exploit are intentionally omitted.

HTTPS

From a security point of view this port could be open.

Useful Commands
```shell
# netstat -tunel   # Display listening interface:port
# netstat -aln | grep ":22  " | grep -v STREAM | grep -v 127.0.0.1   # Display SSH connections
```
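To check the result of the changes above in one go, here is an added example (not from the original post) that parses `netstat -tunel` style output and reports every listener still bound to all interfaces (0.0.0.0 or ::) instead of the LAN address. The netstat sample embedded below is constructed, and the LAN address 192.168.1.1 is an assumption.

```shell
#!/bin/sh
# Added example: audit netstat listener output for wildcard-bound services.
# Loopback-only and LAN-bound sockets are fine; wildcard binds are what the
# WAN side can reach and are reported as "proto port".

# Constructed sample in the column layout of BusyBox/GNU "netstat -tunel".
# The LAN address 192.168.1.1 is an assumption.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1201
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      0          1188
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      0          1350
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          1351
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      0          1102
udp        0      0 0.0.0.0:67              0.0.0.0:*                           0          1099'

# wan_exposed NETSTAT_OUTPUT
# Prints one "proto port" line per listener whose local address is a
# wildcard (0.0.0.0 or ::). Header lines and non tcp/udp rows are skipped.
wan_exposed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # Everything before the last ":" is the bound host (handles ::).
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                print $1, port
            }
        }'
}

# Usage: run against the live router with
#   wan_exposed "$(netstat -tunel)"
# after reloading dropbear/lighttpd; an empty result means nothing is
# bound to all interfaces any more.
if [ -n "$(wan_exposed "$SAMPLE_NETSTAT")" ]; then
    echo "Listeners still bound to all interfaces (reachable from WAN):"
    wan_exposed "$SAMPLE_NETSTAT"
fi
```

On the constructed sample the script reports tcp 22, tcp 23, tcp 443 and udp 67, while the LAN-bound lighttpd and the loopback DNS listener are not listed.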