@xurubin
Created October 5, 2022 08:12
Tenda MW3 Notes

https://go.xurubin.com/tenda_mw3_notes

Inspired by https://github.com/latonita/tenda-reverse

Telnet start process

gpio_ctrl (sub_401254) listens for the reset button event (observe its log messages when it's run in a terminal). If the button is held for more than 3 seconds, it sends a message to netctrl via cfm post netctrl 62?op=4, which starts the telnetd process.

Telnet username: root
Telnet password: base64(wl2g.ssid0.wpapsk_psk)

cfm settings for AP

cfm set dhcps.listnum 0
cfm set wl2g.mesh.enable 0
cfm set wl5g.mesh.enable 0
cfm set sys.schedulereboot.enable 0
cfm set sys.role 1
cfm set wl2g.ssid0.ssid "SSID"
cfm set wl2g.ssid0.wpapsk_psk passphrase
cfm set wl2g.ssid0.wpapsk_type psk2
cfm set wl5g.ssid0.ssid "SSID"
cfm set wl5g.ssid0.wpapsk_psk passphrase
cfm set wl5g.ssid0.wpapsk_type psk2

cmdsrv, confsrv & confcli

Redis infra for device-to-device control and settings. Among all devices, one runs the master redis-server (listening on localhost:6379) together with cmdsrv -l tcp://0.0.0.0:12598 -R tcp://127.0.0.1:6379. On all other devices, cmdsrv proxies to the master device: cmdsrv -l tcp://0.0.0.0:12598 -r tcp://10.20.0.100:12598

cmdsrv can listen with the plain redis protocol (-l switch) or an encrypted one (-L). We can run an additional plain-protocol cmdsrv instance and interact with it using redis-cli (either locally or from another computer).

Services (confsrv & confcli, execli & exesrv) use subscribe/publish on redis to communicate with each other (they always connect to redis via cmdsrv's local listening port). confsrv uses the key confctl_srv_key and confcli uses the key confctl_cli_key; both can be monitored manually with redis-cli. For example, confsrv handles 'GrantNodeAdd' (in confctl_define_callback).

Configuration changes are always pushed from the master device to slave devices via the redis mechanism.

Potential attack surfaces

It seems possible to interact directly with the cmdsrv port 12598, as it's open on both master and slave devices. The exact encryption/obfuscation protocol still needs to be reverse engineered, though. It will only reach the conf* services, as they are the only executables that call cmd_sub.

Inside GrantNodeAdd, there is apparently a trivial command injection vuln.
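The notes give no detail of the GrantNodeAdd handler, so the following is an added, hypothetical illustration (not the device's code) of the pattern behind this class of bug and its mitigation: field values arriving over the redis channel are spliced into a shell command line, versus validated against an allow-list and handed to the helper as an argv list with no shell in between. The field names (mac, sn, ip), the /bin/meshctl tool path and the constructed payloads are all assumptions.

```python
import re
import shlex

# Hypothetical message layout and tool path: the notes do not document the real
# GrantNodeAdd fields, so these are assumptions for illustration only.
FIELD_RULES = {
    "mac": re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"),   # colon-separated MAC
    "sn":  re.compile(r"[A-Za-z0-9_-]{1,32}"),                     # serial: alnum, '-', '_'
    "ip":  re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"),                  # dotted IPv4
}
MESH_TOOL = "/bin/meshctl"  # assumed helper binary name


def build_shell_command_unsafe(payload):
    """Anti-pattern: untrusted fields spliced into one string that a shell parses.

    Any shell metacharacter in a field (;, |, $(), backticks, newline) becomes
    part of the command; this is the shape a command-injection bug takes."""
    return "%s add --mac %s --sn %s --ip %s" % (
        MESH_TOOL, payload.get("mac", ""), payload.get("sn", ""), payload.get("ip", ""))


def validate_grant_node_add(payload):
    """Allow-list check of every field. Returns (True, None) or (False, reason)."""
    for field, pattern in FIELD_RULES.items():
        value = payload.get(field)
        if not isinstance(value, str):
            return False, "field %r missing or not a string" % field
        if pattern.fullmatch(value) is None:
            return False, "field %r failed allow-list pattern" % field
    return True, None


def build_argv_safe(payload):
    """Hardened form: validate first, then build an argv list for an execve-style
    launch (subprocess.run(argv) with shell=False), so no shell ever parses the fields."""
    ok, reason = validate_grant_node_add(payload)
    if not ok:
        raise ValueError(reason)
    return [MESH_TOOL, "add", "--mac", payload["mac"].lower(),
            "--sn", payload["sn"], "--ip", payload["ip"]]


if __name__ == "__main__":
    # Constructed payloads: a well-formed one and one carrying a shell metacharacter.
    good = {"mac": "AA:BB:CC:DD:EE:01", "sn": "MW3-0001", "ip": "10.20.0.107"}
    bad = dict(good, sn="MW3-0001;id")
    print(shlex.join(build_argv_safe(good)))      # safe argv, quoted for display
    print(validate_grant_node_add(bad))           # (False, "field 'sn' failed allow-list pattern")
    print(build_shell_command_unsafe(bad))        # the ';id' survives into the shell line
```

The defensive point is the order of operations: reject anything outside the expected character set before it is used, and never let the accepted value pass through a shell parser at all; the argv list is what subprocess.run or execve takes directly.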

execli & exesrv

Using the same redis infra, execli executes arbitrary linux commands on devices running exesrv (the two are linked together with the -k key argument):

server: exesrv -k aaa
client: execli -k aaa ls

Sadly exesrv is not started by default on these devices, so we can't easily exploit it out of the box.

Open ports

On master:

netstat -anp | grep LISTEN
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      28255/ucloud
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      28092/redis-server
tcp        0      0 127.0.0.1:10002         0.0.0.0:*               LISTEN      28255/ucloud
tcp        0      0 127.0.0.1:10003         0.0.0.0:*               LISTEN      28094/confsrv
tcp        0      0 127.0.0.1:10004         0.0.0.0:*               LISTEN      28094/confsrv
tcp        0      0 0.0.0.0:12598           0.0.0.0:*               LISTEN      28093/cmdsrv
tcp        0      0 10.20.0.100:23          0.0.0.0:*               LISTEN      6763/telnetd

On slave:

netstat -anp  | grep LISTEN
tcp        0      0 127.0.0.1:10003         0.0.0.0:*               LISTEN      31923/confcli
tcp        0      0 127.0.0.1:10004         0.0.0.0:*               LISTEN      31923/confcli
tcp        0      0 0.0.0.0:12598           0.0.0.0:*               LISTEN      683/cmdsrv
tcp        0      0 10.20.0.107:23          0.0.0.0:*               LISTEN      9626/telnetd
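Added example (not part of the notes) that turns the two listings above into an exposure inventory: it parses busybox-style netstat lines, classifies each bind address as loopback, single-address or all-interfaces, lists what a peer on the LAN could reach, and diffs master against slave. The sample input is the listing copied from above; the parsing regex assumes the column layout shown there.

```python
import re
from collections import namedtuple

# Sample input: the "netstat -anp | grep LISTEN" listings from the notes above.
MASTER_NETSTAT = """\
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      28255/ucloud
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      28092/redis-server
tcp        0      0 127.0.0.1:10002         0.0.0.0:*               LISTEN      28255/ucloud
tcp        0      0 127.0.0.1:10003         0.0.0.0:*               LISTEN      28094/confsrv
tcp        0      0 127.0.0.1:10004         0.0.0.0:*               LISTEN      28094/confsrv
tcp        0      0 0.0.0.0:12598           0.0.0.0:*               LISTEN      28093/cmdsrv
tcp        0      0 10.20.0.100:23          0.0.0.0:*               LISTEN      6763/telnetd
"""

SLAVE_NETSTAT = """\
tcp        0      0 127.0.0.1:10003         0.0.0.0:*               LISTEN      31923/confcli
tcp        0      0 127.0.0.1:10004         0.0.0.0:*               LISTEN      31923/confcli
tcp        0      0 0.0.0.0:12598           0.0.0.0:*               LISTEN      683/cmdsrv
tcp        0      0 10.20.0.107:23          0.0.0.0:*               LISTEN      9626/telnetd
"""

Listener = namedtuple("Listener", "proto addr port pid program scope")

# busybox-style netstat line: proto recv-q send-q local foreign state pid/program
_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+|-)/(?P<prog>\S*)")


def bind_scope(addr):
    """Who can reach a socket bound to this address."""
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "single-address"


def parse_listeners(text):
    """Parse every LISTEN line into a Listener; lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue
        addr, _, port = m.group("local").rpartition(":")   # rpartition keeps IPv6 ':::port' intact
        out.append(Listener(m.group("proto"), addr, int(port), m.group("pid"),
                            m.group("prog"), bind_scope(addr)))
    return out


def lan_reachable(text):
    """(program, port) for every listener a peer on the LAN could connect to."""
    return [(l.program, l.port) for l in parse_listeners(text) if l.scope != "loopback"]


def compare_roles(master_text, slave_text):
    """(master-only, slave-only) sets of (port, program): which services each role alone runs."""
    m = {(l.port, l.program) for l in parse_listeners(master_text)}
    s = {(l.port, l.program) for l in parse_listeners(slave_text)}
    return sorted(m - s), sorted(s - m)


if __name__ == "__main__":
    for name, text in (("master", MASTER_NETSTAT), ("slave", SLAVE_NETSTAT)):
        print(name, "LAN-reachable:", lan_reachable(text))
    print("master-only / slave-only:", compare_roles(MASTER_NETSTAT, SLAVE_NETSTAT))
```

Run against the listings above, the LAN-reachable set on both roles is cmdsrv on 12598 and telnetd on 23, with ucloud on 9000 additionally exposed on the master; redis-server and the conf* ports are loopback-only, so they are only reachable through cmdsrv or a shell on the device.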

Some cfm settings

sys.role=1                     | sys.role=4
wl2g.lock.channel=6            | wl2g.lock.channel=1
wl5g.ssid0.wpapsk_type=psk2    | wl5g.ssid0.wpapsk_type=psk psk2
sys.schedulereboot.enable=1
dhcps.listnum=0