GreenPacket WiMax Walkthrough
Today I'd like to talk about a recent deep dive into my home router, originally developed by GreenPacket ( http://www.greenpacket.com/ ).
This router model is an indoor WiMax DV-360 with a 2011 firmware (v2.10.14-g1.0.6.1).
From a LAN point of view this device has a lot of open ports/services, such as:
- 22: Dropbear SSH
- 23: telnetd
- 80: lighttpd
- 443
- plus eight more open ports...
Unfortunately all of these ports are also reachable from the WAN side, so I decided to write this article to help anyone like me who wants to mitigate the risks.
Dropbear: stop talking to anyone!
The easiest way I found to make dropbear listen only on the LAN is to manually edit /etc/init.d/dropbear. Because this is an embedded device we can't easily edit scripts on the fly, so we first need to copy the file to our local machine, make the changes there, and then fetch it back onto the router via "wget".
The only change I made is at line 15.
From:
```shell
dropbear -p 22
```
To:
```shell
dropbear -p <router_lan_ip_address>:22
```
Then just run:
```shell
# cd /etc/init.d/
# chmod +x dropbear
# /etc/init.d/dropbear reload
```
However, if there were already active sessions on the WAN side, I noticed that they still remain after the reload.
So you need to kill those processes manually:
```shell
# ps aux
# kill <pid>    (the pid shown next to "dropbear -p 22")
```
Telnet what? Bye bye
The easy way is to simply stop the telnetd daemon via:
```shell
# /etc/init.d/telnetd stop
```
However this is not a permanent fix: I was not able to find systemctl, service, update-rc or anything similar on the device...
lighttpd... what could be wrong? CVE-2018-14067 - Unauth RCE
While assessing the web panel I was able to find an unauthenticated RCE via command injection. After sending the details to mitre.org I was notified that a similar vuln had already been submitted as CVE-2017-9980.
But that one concerns a different model (DX-350) with a different firmware (v2.8.9.5-g1.4.8), so my vuln was accepted.
So at this point lighttpd should also be exposed only on the LAN side.
To do this you need to copy /etc/conf/lighttpd.conf to your local machine and change line 1 as follows:
From:
```shell
var.lan=""
```
To:
```shell
var.lan="<router_lan_ip_address>"
```
Now fetch the file back onto the router via wget and replace the one in /etc/conf; this way you should be safe.
Finally you need to reload lighttpd to be sure that the service listens on the LAN only.
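The two one-line edits above (the dropbear init script and lighttpd.conf) are easy to get wrong by hand on a local copy, so here is a small script that applies both to the copied files and verifies that no wildcard bind is left before they are fetched back onto the router. It is an added example, not code from the original post or from GreenPacket; the LAN address and the sample files it creates are constructed placeholders, and it assumes the two lines look exactly as shown in the article.

```shell
#!/bin/sh
# Added example, not from the original post or the vendor: rewrite the two
# lines the article changes on local copies of the files, then verify them.
# Assumes GNU/BSD sed with -E; LAN address and sample files are placeholders.

# Rewrite "dropbear -p 22" as "dropbear -p <lan_ip>:22" in place.
# Only a bare "22" is matched, so "-p 2222" or a line that is already
# bound to an address is left untouched (safe to run twice).
bind_dropbear_to_lan() {
    file="$1"
    lan_ip="$2"
    tmp="${file}.tmp"
    sed -E "s/(dropbear[[:space:]]+-p[[:space:]]+)22([^0-9]|$)/\1${lan_ip}:22\2/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Rewrite var.lan="" as var.lan="<lan_ip>" in place (line 1 of lighttpd.conf).
bind_lighttpd_to_lan() {
    file="$1"
    lan_ip="$2"
    tmp="${file}.tmp"
    sed -E "s/^(var\.lan=)\"\"/\1\"${lan_ip}\"/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Exit 0 only if neither file still carries a wildcard bind.
verify_lan_only() {
    dropbear_init="$1"
    lighttpd_conf="$2"
    if grep -Eq 'dropbear[[:space:]]+-p[[:space:]]+22([^0-9]|$)' "$dropbear_init"; then
        echo "dropbear still binds port 22 on all interfaces" >&2
        return 1
    fi
    if grep -Eq '^var\.lan=""' "$lighttpd_conf"; then
        echo "lighttpd still has an empty var.lan" >&2
        return 1
    fi
    return 0
}

# Demo on constructed copies; replace these with the files copied from the router.
workdir="$(mktemp -d)"
printf '%s\n' '#!/bin/sh' 'dropbear -p 22' > "$workdir/dropbear"           # constructed sample
printf '%s\n' 'var.lan=""' 'server.port = 80' > "$workdir/lighttpd.conf"   # constructed sample
lan_ip="192.168.1.1"   # placeholder: use the router's actual LAN address

bind_dropbear_to_lan "$workdir/dropbear" "$lan_ip"
bind_lighttpd_to_lan "$workdir/lighttpd.conf" "$lan_ip"
verify_lan_only "$workdir/dropbear" "$workdir/lighttpd.conf" \
    && echo "both files now bind to $lan_ip only"
cat "$workdir/dropbear" "$workdir/lighttpd.conf"
```

Run it on the copies you pulled from the router, then fetch the verified files back with wget as described above and reload both services. The verify step is the part worth keeping: a typo in the address still yields a file that passes it only if the wildcard line is really gone, so check the address once more before reloading.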
Note:
Details about CVE or exploit are intentionally omitted.
HTTPS
From a security point of view this port could stay open.
Useful Commands
```shell
# netstat -tunel                                                      # display listening interface:port
# netstat -aln | grep ":22 " | grep -v STREAM | grep -v 127.0.0.1    # display SSH connections
```