GreenPacket WiMax Walkthrough

Today I'd like to talk about a recent in-depth experience with my home router, originally developed by GreenPacket.

This router model is an indoor WiMax DV-360 with firmware dated 2011 (v2.10.14-g1.0.6.1).

From a LAN point of view this device has a lot of open ports/services, like:

  • 22: Dropbear SSH
  • 23: telnetd
  • 80: lighttpd
  • 443
  • plus eight open ports...

After trying to enable a static IP address, my concern was how many of these ports are open from the WAN side.
Unfortunately, all of these ports are also enabled on the WAN side, so I decided to write this article to help anyone who, like me, wants to mitigate the risks.

Dropbear: stop talking to anyone!

The easy way I found to make dropbear listen only on the LAN is to manually edit /etc/init.d/dropbear.
Because this is an embedded device, we can't easily edit the file on the fly: we first need to make a backup on our local machine, make the changes there, and then download the modified file to the router via "wget".
The only change I made is at line 15.

  Before:
                 dropbear -p 22
  After:
                 dropbear -p <router_lan_ip_address>:22

Then just run:
# cd /etc/init.d/
# chmod +x dropbear
# /etc/init.d/dropbear reload
However, I noticed that sessions that were already active on the WAN side remain open.

So you need to kill those processes manually:
# ps aux
# kill <pid> (of the processes shown as dropbear -p 22)

Telnet what? Bye bye

The easy way is to simply stop the telnetd daemon via:
# /etc/init.d/telnetd stop

However, this is not a permanent fix; I could not find systemctl, service, update-rc and so on...

lighttpd... what could be wrong? CVE-2018-14067 - Unauth RCE

While assessing the web panel I found an unauthenticated RCE via command injection.
After I sent in the details, I was notified that a similar vulnerability had already been submitted as CVE-2017-9980.
But that one concerns a different model (DX-350) with different firmware (v2.8.9.5-g1.4.8), so my vulnerability was successfully accepted.

So at this point lighttpd should also be exposed only on the LAN side.
To do this, you need to copy /etc/conf/lighttpd.conf to your local machine and change line 1 as follows:


Now download the file via wget and replace the one in /etc/conf; this way you should be safe.

Finally, you need to reload lighttpd to be sure that the service listens on the LAN.

Details about CVE or exploit are intentionally omitted.


From a security point of view this port could be open.

Useful Commands
# netstat -tunel   # Display listening interface:port
# netstat -aln | grep ":22  " | grep -v STREAM   # Display SSH connections
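
A check to run after the changes above, added here as an example and not part of the original post: it reads `netstat -tunl` output and prints every listener that is still bound to something other than the LAN address or loopback (a wildcard bind such as 0.0.0.0 or :: also answers on the WAN interface). The sample output, the function names and the LAN address 192.168.1.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list listeners that are still
# reachable on an address other than the LAN IP or loopback.

# Constructed sample of `netstat -tunl` output; 192.168.1.1 is an assumed LAN IP.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# exposed_listeners LAN_IP
# Reads netstat output on stdin and prints "proto address port" for every
# listening socket that is not bound to LAN_IP or to loopback.
exposed_listeners() {
    awk -v lan="$1" '
        $1 !~ /^(tcp|udp)/ { next }             # skip the header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }  # TCP: listening sockets only
        {
            n = split($4, parts, ":")           # port is the text after the last ":"
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == lan || addr == "::1" || addr ~ /^127\./) next
            print $1, addr, port
        }'
}

# Demo on the constructed sample. On the router, use instead:
#   netstat -tunl | exposed_listeners <router_lan_ip_address>
sample_netstat | exposed_listeners 192.168.1.1
```

An empty result means every listener is bound to the LAN address or loopback; any line printed is a service that still needs to be rebound or stopped.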