WiTi Board and OpenWRT

UPDATE 20160107: WiTi patches got into the OpenWRT mainline, but there is SD breakage in mainline, so I still do not recommend using OpenWRT master/trunk for WiTi. As soon as it gets fixed, it should be good to go. Until that moment, I recommend using my branch.

Just got my WiTi Router board today. I’ve supported the WiTi project on Indiegogo and was lucky enough to get it on time. It is manufactured by MqMaker. It’s a really nice device for running OpenWRT. The problem is that support for WiTi is still not in the OpenWRT mainline.

The original author (the manufacturer) did not follow the git workflow, but added patches to a specific OpenWRT version, so it’s hard to check the changes against the OpenWRT mainline. He actually sent a pull request to the GitHub page of OpenWRT, but did not know they don’t accept pull requests from there (they will be ignored). His changes are available through his pull request.

Nitroshift had a nice initiative of getting it into the OpenWRT mainline, but so far he has managed to submit only a few patches to the official OpenWRT mailing list. You can check his fork of OpenWRT here. The OpenWRT page for this router is available here and the forum discussion is here.

Being security conscious, I wanted to see the differences from the mainline and go through them myself. In that process, I have managed to make a witi branch on GitHub which is a fork of the official OpenWRT mainline. It is basically nitroshift’s patch, but with a few critical fixes in order to boot up the board normally (no need for a serial cable). You can check the differences between the OpenWRT mainline (master) and my patches here.


Identifying and exploiting rom-0 vulnerabilities

I will talk about a simple but dangerous vulnerability present on many network devices that use the RomPager Embedded Web Server. An attacker is able to obtain your ISP password, wireless password and other sensitive information by issuing a single HTTP GET request to the ‘/rom-0’ URI. The information disclosure is in the RomPager Embedded Web Server itself. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others. The vulnerability was published in 2014 (judging by the CVE), but I see that a lot of people don’t know about it, mainly because there was no hype about it and most of the popular vulnerability scanners fail to identify it.

I still think that the vulnerability is pretty dangerous: if the router’s administration web interface is exposed on the Internet, anyone on the Internet can obtain your ISP password, wireless password and router password with a single unauthenticated HTTP request. But the attacker does not have to stop there: knowing your router password, the attacker can change router settings and redirect your network traffic as he likes (by changing route or DNS settings). The attacker can also expose your LAN to the Internet or access your internal services or computers by abusing port-forwarding features. So, I hope this vulnerability will get better treatment after this blog post and NSE script.
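As an added example that is not part of the original post: a small Python detector that flags requests for the ‘/rom-0’ URI in constructed Common Log Format records, as a perimeter sensor or reverse proxy placed in front of a router’s admin interface might record them (the routers themselves typically keep no such log), and reports which requests were actually served with a 200.

```python
import re
from collections import Counter

# Constructed sample records in Common Log Format (documentation IP ranges,
# made-up timestamps). Not real captures: they stand in for what a reverse
# proxy or HTTP sensor in front of the router's admin interface would log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2016:12:00:01 +0000] "GET /rom-0 HTTP/1.1" 200 16384
192.0.2.10 - - [10/Jan/2016:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2016:12:00:09 +0000] "GET /ROM-0?x=1 HTTP/1.0" 200 16384
198.51.100.3 - - [10/Jan/2016:12:01:00 +0000] "HEAD /rom-0 HTTP/1.1" 404 0
192.0.2.10 - - [10/Jan/2016:12:01:30 +0000] "GET /images/rom-0.png HTTP/1.1" 200 512
"""

# CLF: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def is_rom0_request(target: str) -> bool:
    """True if the target path is /rom-0, ignoring case, query string and fragment."""
    path = target.split('?', 1)[0].split('#', 1)[0].lower()
    return path == '/rom-0'

def find_rom0_requests(log_text: str) -> list:
    """Parse CLF lines and return the records that asked for /rom-0."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed CLF record; skip it
        if is_rom0_request(m['target']):
            rec = m.groupdict()
            rec['served'] = rec['status'] == '200'  # 200 = config file handed out
            hits.append(rec)
    return hits

def summarize(hits: list) -> dict:
    """Count attempts, successful disclosures and attempts per source address."""
    return {
        'attempts': len(hits),
        'served': sum(1 for h in hits if h['served']),
        'sources': dict(Counter(h['src'] for h in hits)),
    }

if __name__ == '__main__':
    print(summarize(find_rom0_requests(SAMPLE_LOG)))
```

A served 200 for /rom-0 means the configuration blob left the device, so treat that source and the router's credentials as compromised, not merely probed.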
