Files and a scanner for pentesting GL.iNET IoT devices

Legoclones/pentesting-GL.iNET


GL.iNET Firmware

GL.iNET is a company that produces routers, WiFi access points, and other WiFi/IoT devices. All of these devices run the OpenWRT Linux distribution, which uses BusyBox for its core userland and is built for routers and other embedded/IoT hardware. On top of OpenWRT sits custom GL.iNET firmware used by most (if not all) of their devices; it provides the web GUI that users go through when setting up their networks, gateways, or other IoT functions.

GL.iNET has an official GitHub account with several repositories, and has made its software much more available over the past few years. In addition to what is hosted on GitHub, it has released API documentation for the 4.x firmware, an interface to download firmware by model name, and an AWS S3 bucket that holds all of its software in one place. I have taken the liberty of extracting three versions of the firmware (3.201, 3.215, and 3.216) from a device I own.

Firmware Details and Deployment

GL.iNET's firmware is deployed through a lightweight package manager native to OpenWRT called opkg. Curl requests are made to fw.gl-inet.com, where the latest version is identified and downloaded if needed. The downloaded package contains a squashfs image of the device's root filesystem (including the /bin executables, /etc config files, and so on). The extracted contents of that image are found in the rom-3.201/ and rom-3.215/ folders in this repo.
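Before handing a downloaded image to unsquashfs it is worth confirming where the squashfs filesystem actually starts and how long it is, because firmware blobs carry vendor headers and padding around it. The script below is an added example, not code from this repo: it scans a blob for the squashfs magic, validates the v4 superblock so that a stray "hsqs" in unrelated data is not mistaken for a filesystem, and returns the offset and length to carve. The firmware blob it runs on is constructed inline (a fake header, a decoy magic, and a hand-built superblock), so it runs offline.

```python
"""Locate and validate the squashfs superblock inside a firmware blob.

Added example, not code from the pentesting-GL.iNET repo. FIRMWARE_BLOB is
CONSTRUCTED so the script runs offline; feed find_squashfs() the bytes of a
real image to get the offset and length to carve for unsquashfs.
"""
import struct

SQUASHFS_MAGIC = b"hsqs"        # bytes of the little-endian u32 0x73717368 (squashfs v4)
SUPERBLOCK_FMT = "<5I6H8Q"      # 96-byte little-endian v4 superblock
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(data: bytes, offset: int) -> dict:
    """Decode the squashfs v4 superblock at `offset` and sanity-check it.

    Raises ValueError when the bytes only look like a superblock (a stray
    'hsqs' in data) so that find_squashfs() can skip false positives.
    """
    if offset + SUPERBLOCK_LEN > len(data):
        raise ValueError("truncated superblock")
    (magic, inode_count, mod_time, block_size, frag_count,
     compressor, block_log, flags, id_count, major, minor,
     root_inode, bytes_used, id_table, xattr_table,
     inode_table, dir_table, frag_table, export_table) = struct.unpack_from(
        SUPERBLOCK_FMT, data, offset)
    if magic != 0x73717368:
        raise ValueError("bad magic")
    if (major, minor) != (4, 0):
        raise ValueError(f"unsupported squashfs version {major}.{minor}")
    # block_size is a power of two between 4 KiB and 1 MiB and must agree with block_log
    if not (12 <= block_log <= 20) or block_size != (1 << block_log):
        raise ValueError("inconsistent block size")
    if compressor not in COMPRESSORS:
        raise ValueError(f"unknown compressor id {compressor}")
    # the image cannot claim more bytes than remain in the blob
    if bytes_used < SUPERBLOCK_LEN or bytes_used > len(data) - offset:
        raise ValueError("bytes_used out of range")
    return {
        "offset": offset,
        "version": f"{major}.{minor}",
        "compressor": COMPRESSORS[compressor],
        "block_size": block_size,
        "inodes": inode_count,
        "bytes_used": bytes_used,
    }


def find_squashfs(data: bytes) -> list:
    """Return a superblock summary for every valid squashfs image in `data`."""
    found, pos = [], 0
    while (pos := data.find(SQUASHFS_MAGIC, pos)) != -1:
        try:
            found.append(parse_superblock(data, pos))
        except ValueError:
            pass                     # decoy or damaged header: keep scanning
        pos += 1
    return found


def carve(data: bytes, info: dict) -> bytes:
    """Slice out one image so it can be written to disk and fed to unsquashfs."""
    return data[info["offset"]: info["offset"] + info["bytes_used"]]


def _build_superblock(bytes_used: int) -> bytes:
    """CONSTRUCTED v4 superblock (xz, 128 KiB blocks) for the offline demo."""
    return struct.pack(SUPERBLOCK_FMT,
                       0x73717368, 42, 1673000000, 1 << 17, 3,   # magic, inodes, mtime, block_size, frags
                       4, 17, 0x00C0, 1, 4, 0,                   # xz, block_log, flags, id_count, v4.0
                       0x20 << 32, bytes_used, 200, 0xFFFFFFFFFFFFFFFF,
                       SUPERBLOCK_LEN, 150, 180, 0xFFFFFFFFFFFFFFFF)


IMAGE_LEN = 12345                                      # pretend size of the filesystem
FIRMWARE_BLOB = (
    b"CONSTRUCTED-VENDOR-HEADER".ljust(64, b"\x00")   # fake header before the filesystem
    + SQUASHFS_MAGIC + b"\xff" * 92                    # decoy: magic followed by junk
    + _build_superblock(IMAGE_LEN)                     # the real superblock, at offset 160
    + b"\x00" * (IMAGE_LEN - SUPERBLOCK_LEN)           # filler standing in for tables and data
    + b"\x00" * 64                                     # trailing flash padding
)

if __name__ == "__main__":
    for image in find_squashfs(FIRMWARE_BLOB):
        print(image)
        # with open("rootfs.squashfs", "wb") as f: f.write(carve(FIRMWARE_BLOB, image))
        # then: unsquashfs -d rom-extracted rootfs.squashfs
```

The decoy at offset 64 is rejected because its version field is garbage, so only the real superblock at offset 160 is reported. On a real image, bytes_used is also where the vendor's trailing data (signatures, padding) begins, which matters when you want to diff two firmware versions byte for byte.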

While most of the contents of these rom folders are copied from OpenWRT, some changes have been made for GL.iNET devices. Specifically, the firmware bundles packages that a stock OpenWRT image does not install by default, such as lighttpd (a lightweight web server), alongside OpenWRT staples such as dropbear (a lightweight SSH server). Most notable, however, is the inclusion of a custom website located in /www, and of custom C executables and libraries in /usr/bin and /usr/lib.

The web GUI, whose document root is /www and which is launched on startup, uses Vue as the front-end framework, and all of its information is populated by an API. That API (rather than being written in PHP or NodeJS) is a C binary called api, found in /www. In addition, LuCI (the official web interface for OpenWRT) is also included on GL.iNET devices, with its CGI entry points found in /www/cgi-bin. In earlier versions of the GL.iNET firmware (such as 3.201), LuCI was NOT included by default and could be optionally installed; in the latest version as of this writing (3.216), LuCI is installed by default.

Informational Findings

  • Default passwords
    • LAN SSID Key - goodlife
    • Web GUI Admin Password - none; one must be created upon initial setup (and it can't be goodlife)
      • The password must be at least 5 characters long, with no other requirements.
  • The folder /var is symlinked to /tmp, which is a tmpfs that is wiped on every reboot. Anything that would normally persist in /var (such as log files in /var/log) is therefore lost on reboot.
  • Router-specific information such as the model name, factory-issued MAC address, serial number, timezone, language, and the hashed admin web GUI password is found in /etc/config/glconfig.
  • As of January 2023 (time of writing), the initial firmware version shipped with the AR-750S-Ext router was 3.201, and the latest available version is 3.216. Other models may ship with different initial versions. Firmware version 4.x is currently in beta testing and only available for a few, limited models.
  • GL.iNET devices have no concept of least privilege: every process runs as root, and the root password for the device is the same as the web GUI admin password. This makes certain vulnerability classes much more impactful. For example, an arbitrary file write is practically equivalent to remote code execution (RCE), since an attacker can overwrite /etc/shadow with a hash they control, or write to a cron job or another executable that runs often (like /www/api).
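The two findings above about /etc/config/glconfig and the shared root/admin password are quick to check on an extracted rom folder. The script below is an added example, not code from this repo: it parses UCI-format config text the way OpenWRT lays out every file in /etc/config/, pulls out the identity fields and the admin hash, names the crypt(3) scheme behind the hash, and compares it with root's entry in /etc/shadow. The glconfig and shadow samples are constructed, and the section and option names in them (general, model, mac, sn, password, and so on) are assumed stand-ins for whatever the real file uses.

```python
"""Read router identity and the admin-password hash from /etc/config/glconfig.

Added example, not code from the pentesting-GL.iNET repo. parse_uci() follows
the UCI syntax OpenWRT uses for every file in /etc/config/. The glconfig and
/etc/shadow samples are CONSTRUCTED: the section and option names are
stand-ins for whatever the real file uses, and the hash values are not real.
"""
import re
import shlex

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
CHEAP_TO_CRACK = {"md5crypt"}     # fast hash; cheap for GPU crackers even with a salt


def parse_uci(text: str) -> list:
    """Parse UCI text into [{type, name, options}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # handles 'quoted values' like the uci tool
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config" and args:
            sections.append({"type": args[0],
                             "name": args[1] if len(args) > 1 else None,   # None = anonymous
                             "options": {}})
        elif keyword in ("option", "list") and sections and args:
            value = args[1] if len(args) > 1 else ""
            opts = sections[-1]["options"]
            if keyword == "option":
                opts[args[0]] = value
            else:
                opts.setdefault(args[0], []).append(value)
    return sections


def hash_algorithm(crypt_hash: str) -> str:
    """Name the crypt(3) scheme from the $id$ prefix, or 'unknown' if there is none."""
    m = re.match(r"\$([^$]+)\$", crypt_hash or "")
    return CRYPT_IDS.get(m.group(1), f"crypt id {m.group(1)}") if m else "unknown"


def shadow_hash(shadow_text: str, user: str = "root") -> str:
    """Return the hash field of `user` from /etc/shadow, or '' if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1]
    return ""


def audit(glconfig_text: str, shadow_text: str, password_option: str = "password") -> dict:
    """Summarise what glconfig plus /etc/shadow hand to anyone who can read them."""
    options = {}
    for section in parse_uci(glconfig_text):
        options.update(section["options"])     # flatten; option names assumed unique
    admin_hash = options.get(password_option, "")
    root_hash = shadow_hash(shadow_text)
    algo = hash_algorithm(admin_hash)
    return {
        "identity": {k: options[k] for k in ("model", "mac", "sn", "timezone", "language")
                     if k in options},
        "admin_hash_algo": algo,
        "admin_hash_cheap_to_crack": algo in CHEAP_TO_CRACK,
        # identical strings mean the same password *and* salt were used; different
        # salts would hide a shared password, so False is not proof they differ
        "root_hash_identical_to_admin": bool(admin_hash) and admin_hash == root_hash,
    }


# CONSTRUCTED samples: option names and hash values are illustrative only
GLCONFIG_SAMPLE = """\
config service 'general'
\toption model 'ar750s'
\toption mac '02:00:00:AA:BB:CC'
\toption sn 'CONSTRUCTED-SN-0001'
\toption timezone 'UTC'
\toption language 'en'
\toption password '$1$saltsalt$CONSTRUCTEDmd5cryptHash00'
"""
SHADOW_SAMPLE = "root:$1$saltsalt$CONSTRUCTEDmd5cryptHash00:19358:0:99999:7:::\n"

if __name__ == "__main__":
    print(audit(GLCONFIG_SAMPLE, SHADOW_SAMPLE))
```

On a real rom folder, point audit() at rom-3.216/etc/config/glconfig and rom-3.216/etc/shadow (after checking which option actually carries the hash). A shared md5crypt hash is the practical meaning of "no least privilege": one cracked web password is also an SSH root login.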

Dependency Vulnerabilities

All GL.iNET devices on 3.x firmware ship with many outdated dependencies, and these are not going to be updated. Instead, customers are advised to move to the 4.x firmware, which is the latest version. Dependency versions (with links to vulnerability pages) for 3.x firmware:

Scanner

I created a Python script to act as a scanner for GL.iNET devices. It queries various unauthenticated endpoints and prints out the information specific to that device. Depending on the configuration and version, information such as firmware version, language, MAC address, and even the SSID and WiFi password may be available.

To use the scanner, run python3 scanner.py <domain/IP>, for example python3 scanner.py 192.168.8.1.

Note - this has only been tested on devices with 3.x firmware, not on any 4.x devices.
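To show the shape of such a scanner, here is an added example that is not the repo's scanner.py. The endpoint paths in ENDPOINTS are assumed placeholders (take the real list from scanner.py), and the fetch function is injectable so the collection logic can be exercised offline against constructed responses in fake_fetch. It keeps only endpoints that answer 200 with JSON, walks the document at any nesting depth for keys an attacker cares about, and separately records endpoints that answer 401/403, since those tell you the unauthenticated surface ends there on this firmware.

```python
"""Query unauthenticated GL.iNET endpoints and collect what they reveal.

Added example, not the scanner.py from the pentesting-GL.iNET repo. The paths
in ENDPOINTS are ASSUMED stand-ins; take the real list from scanner.py. fetch
is injectable so scan() can run offline against the CONSTRUCTED responses in
fake_fetch.
"""
import json
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Hypothetical unauthenticated paths for the demo; replace with the repo's list.
ENDPOINTS = ["/cgi-bin/api/router/hello", "/cgi-bin/api/router/status"]
# JSON keys worth reporting, matched case-insensitively at any nesting depth
INTERESTING = {"model", "firmware_version", "version", "lang", "language",
               "mac", "sn", "ssid", "key", "password", "passwd"}


def http_fetch(url: str, timeout: float = 5.0):
    """GET `url`; return (status, body). Unreachable hosts yield (None, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "gl-scan-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:            # 401/403 etc: endpoint exists but wants a session
        return err.code, ""
    except (URLError, OSError):
        return None, ""


def harvest(doc, prefix: str = "") -> dict:
    """Walk a decoded JSON document; return {dotted.path: value} for interesting keys."""
    found = {}
    if isinstance(doc, dict):
        for key, value in doc.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, (dict, list)):
                found.update(harvest(value, path))
            elif key.lower() in INTERESTING:
                found[path] = value
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            found.update(harvest(value, f"{prefix}[{i}]"))
    return found


def scan(target: str, fetch=http_fetch) -> dict:
    """Hit every endpoint once; keep JSON 200s and merge what they reveal."""
    base = target if target.startswith("http") else f"http://{target}"
    results, auth_required = {}, []
    for endpoint in ENDPOINTS:
        status, body = fetch(base + endpoint)
        if status in (401, 403):
            auth_required.append(endpoint)
            continue
        if status != 200 or not body:
            continue
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:    # HTML login page or empty reply, not API data
            continue
        for path, value in harvest(doc).items():
            results.setdefault(path, value)
    return {"leaked": results, "auth_required": auth_required}


def fake_fetch(url: str, timeout: float = 5.0):
    """CONSTRUCTED responses standing in for a 3.x device, for offline runs."""
    if url.endswith("/router/hello"):
        return 200, json.dumps({"code": 0, "model": "ar750s",
                                "firmware_version": "3.216", "lang": "en",
                                "wifi": [{"ssid": "GL-AR750S-000", "key": "goodlife"}]})
    if url.endswith("/router/status"):
        return 401, ""                   # needs a logged-in session on this firmware
    return 404, ""


if __name__ == "__main__":
    # python3 gl_scan_example.py 192.168.8.1      (add --demo to use fake_fetch instead)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    fetch = fake_fetch if "--demo" in sys.argv else http_fetch
    print(json.dumps(scan(args[0] if args else "192.168.8.1", fetch=fetch), indent=2))
```

Because the output can contain a live WiFi key or password hash, treat the scan results as sensitive data and keep them out of shared logs or tickets.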
