After the first post regarding unifi, I was doing some experiment with my unifi network setup. As thing goes along , I had to admit thing turn out very scary after found out this.
First of all :
1. remote management is enabled by default.
– this also enabled the following
i. web management on default port 80
ii. SSH at default port 22
iii. telnet at default port 23.
2. User’s being given the “admin” account detail on the router.
at first , I was assuming this is the only account available..
Later , I found out that there is another account exist
with higher roles admin account .. ~ .”operator”
which is having access to SSH , telnet and also web interface.
– if using “admin” account , you can only disable the “web management – remote admin”
while “SSH and TELNET “.. remained invisible and enabled.. !
you can change the password of “admin” to whatever but the user “operator”
still having the original password set by “telekom”
– it can be either your username in reverse order . or “telekom”.
3. WIFI ESSID is your unifi username !!
– so anyone who drive thru your home, and did a scan.. one can easily get the your username . ~ i.e user@unifi.
4. the HTTP password is stored in plain text .. !
– is not a MD5 or whatsoever.
– just SSH/telnet to the router and
ssh -l operator 192.168.0.1 # cat /var/etc/httpasswd operator:xxxxx admin:xxxxx # cd /var/etc/ # cat passwd operator:xxxxxxxx:0:0:operator:/:/bin/sh # cat stunnel.conf cert = /etc/stunnel_cert.pem key = /etc/stunnel.key pid = /var/run/stunnel.pid setuid = 0 setgid = 0 debug = 7 output = /var/log/stunnel.log [https] accept = 443 connect = 127.0.0.1:80
5. wah ! brilliant … it treating whatever connected via 443 as 127.0.0.1
so anyone having unifi at home.. auth for once.. can login to any other unifi router running on HTTPS mode without any password.
– which is enabled by default for unibiz type !!
6. It has something called “TR-069” which did phoning TM every 60 days or so,
for config repository / sync ??
– and was having publishing the content on this router as well.
7. the Busybox inside the router is having tftpd client .
which can talk to another tftpd server to send out/in file from/to the router .. !!
* note : to send out file from this router.. it must have the file exist on destination first.. which could be done by simply touch the file on destination before transfer with the following command.
# tftp -p 192.168.0.10 -l -r /text.t2xt
Hmmm.. mangling around ..
# cat config.sh #!/bin/sh image_sign=`cat /etc/config/image_sign` case "$1" in start) echo "Mounting proc and var ..." mount -t proc none /proc mount -t ramfs ramfs /var mkdir -p /var/etc /var/log /var/run /var/state /var/tmp /var/etc/ppp /var/etc/config /var/dnrd /var/etc/iproute2 echo -n > /var/etc/resolv.conf echo -n > /var/TZ echo "127.0.0.1 hgw" > /var/hosts #Added by Lin-Siong Pui for SSH, 20090406 mount -t devpts devpts /dev/pts # if no PIN, generate one #pin=`devdata get -e pin` #[ "$pin" = "" ] && devdata set -e pin=`wps -g` # prepare db... echo "Start xmldb ..." > /dev/console xmldb -n $image_sign -t > /dev/console & sleep 1 #Modify by Lin-Siong Pui for alpha falsh agent, 2009-06-22 #/etc/scripts/misc/profile.sh get /etc/scripts/misc/profile.sh init /etc/templates/timezone.sh set /etc/templates/logs.sh sleep 1 logger -p 192.1 "SYS:001" # bring up network devices ifconfig lo up env_wan=`devdata get -e wanmac` [ "$env_wan" = "" ] && env_wan="00:00:FF:FF:FF:xx" ifconfig eth2 hw ether $env_wan up rgdb -i -s /runtime/wan/inf:1/mac "$env_wan" PANIC=`rgdb -i -g /runtime/func/panic_reboot` [ "$PANIC" != "" ] && echo "$PANIC" > /proc/sys/kernel/panic TIMEOUT=`rgdb -g /nat/general/tcpidletimeout` [ "$TIMEOUT" = "" ] && TIMEOUT=7200 && rgdb -s /nat/general/tcpidletimeout $TIMEOUT echo "$TIMEOUT" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established # Setup VLANs vconfig set_name_type DEV_PLUS_VID_NO_PAD > /dev/console # Disable temporarily, need to find a good location to activate web deamon. # Start up LAN interface & httpd # ifconfig br0 0.0.0.0 up > /dev/console # /etc/templates/webs.sh start > /dev/console mkdir /var/etc/iproute2 chmod 0755 /var/etc/iproute2 echo "" >> /var/etc/iproute2/rt_tables echo "" >> /var/etc/iproute2/rt_scopes echo "" >> /var/etc/iproute2/rt_realms echo "" >> /var/etc/iproute2/rt_protos echo "" >> /var/etc/iproute2/rt_dsfield chmod 0644 /var/etc/iproute2/* ;; stop) umount /tmp umount /proc umount /var ;; esac # # cd /etc/ # ls tr069_key.pem templates snmp passwd group config tr069_cert.pem stunnel_cert.pem scripts iproute2 ethertypes TZ tr069_ca.pem stunnel.key resolv.conf init.d dropbear RT3052_AP_2T2R_V1_1.bin tlogs stunnel.conf ppp hosts defnodes #
Huh.. it had the default firmware inside too !!
in case you need it for whatever case..
one thing that could be done before completely replace this router with the new one.
re-assign the VLAN ID to another bridge interface such as “WAN Connection 3” .
and setup custom router from there..
p/s : .. yes, might need to re-word the previous blog post as … F**k “telekom”.. !!
Leave a Comment