GreenPacket WiMax Walktrought
Today I'd like to talk about a recently deep experience with my home router originally developed by GreenPacket ( http://www.greenpacket.com/ ).
This router model is an indoor WiMax DV-360 with firmware date 2011 (v2.10.14-g18.104.22.168).
From a LAN point of view this device has a lot of open ports/services, like:
- 22: Dropbear SSH
- 23: telnetd
- 80: lighttp
- plus eigth open ports...
Unfortunately all of these ports are also enabled on WAN view; so I decided to write this article to help anyone like me which want to mitigate the risks.
Dropbear: stop talking to anyone!The easy way I found to start listening dropbear only on lan is to manually edit /etc/init.d/dropbear
Because this is an embedded device We can't easily edit on the fly scripts...so We need first to make a backup on our local machine, make the changes and then download it via "wget".
The only change I've done is at line 15.
dropbear -p 22To:
dropbear -p <router_lan_ip_address>:22
Then just run:
# cd /etc/init.d/ # chmod +x dropbear # /etc/init.d/dropbear reloadAnyway if there are previously active session on WAN side I noticed that the session still remain.
So You need to manually kill processes:
# ps aux
# kill <pid> (where dropbear -p 22)
Telnet what? Bye byeThe easy way is to simply stop telnetd daemon via:
# /etc/init.d/telnetd stop
Anyway this is not a permanent way to do this, I'm not able to find systemctl, service, update-rc and so on...
lighttp...what could be wrong? CVE-2018-14067 - Unauth RCEDoing an assessment on the web panel I'm able to find an unauthenticated RCE via Command Injection.
After sending details to mitre.org I notified that a similar vuln are already submitted CVE-2017-9980.
But this is a different model (DX-350) with different firmware (v22.214.171.124-g1.4.8); so my vuln was successfully accepted.
So at this point also lighttp should be exposed only on LAN side.
To do this You need to copy on local machine /etc/conf/lighttpd.conf, change line 1 like follow:
Now download via wget the file and replace the one on /etc/conf; in this way you should be safe.
Finally you need to reload lighttp to be sure that the service will listen on LAN.
Details about CVE or exploit are intentionally omitted.
HTTPSFrom a security point of view this port could be open.
# netstat -tunel #Display listening interface:port # netstat -aln | grep ":22 " | grep -v STREAM | grep -v 127.0.0.1 #Diplay SSH Connections