Okay.. so I used an old web GUI exploit for the 7.05 firmware to grab the new 'operator' account password for the 7.05b firmware (thank you random 7.05b router on the internet! ). No hardware required. I'll be posting a guide on how to do this soon as it will allow any Unifi user to grab their wifi, PPPoE and operator account password directly from the router without going through TM customer support.

It's an old security exploit I posted here a while ago and it will expose every router that's on the Unifi network with web management enabled to attacks (regardless if they have changed their pass or not) but TM has to learn how to secure shit properly or they're going to keep pushing this crap on us.

Ahhahahha

Anyway, here's the guide : http://unifi.athena.my/index.php?option=co...id=56&Itemid=68

Don't bother calling TM for any router password information anymore

EDIT : I posted about this config file exploit thing a few months ago. If you left their stupid remote management open, people can just visit http://your.unifi.ip.here:8080/config.bin, grab your config file and decrypt it. No amount of passwords will protect you from this.. you have to just turn the damn thing off which is why it was an extremely stupid idea in the first place to leave it open for 'troubleshooting'.

This post has been edited by rizvanrp: Oct 10 2010, 02:01 AM

It's correct.. 700 is a random value I chose when you perform the VLAN bridging so it doesn't conflict with any existing VLANs. It's also cool that they've added VLAN priority tagging to the firmware. I guess this was done to improve the IPTV performance. Still a POS firmware which they're not configuring properly IMO

I did give the pass directly, check the router security page where I list the operator passwords.. it's even in the screenshot for the password dumping guide At the moment it's 'h566UniFi' and it's the same for all new routers.. "unique" in the sense that they threw in a few numbers and uppercase letters but all routers use the same password. Another diff between 7.05b and 7.05 is that they've reconfigured the tr-069 settings to point to some TM server.

There's no point in them setting a new password now anyway. The config.bin download bypass vulnerability means everyone who has remote management enabled is going to get pwned. If you don't get pwned through the internet, you will get pwned through the LAN (if you're running some kinda public network la). TM never learns and at this point it's pretty obvious that whoever thought it was a brilliant idea to leave remote management enabled should be kept far away from decisions involving the DLINK router.

Out of 5000 IPs I scanned in the Unifi block, 3500+ had remote management enabled. I (or anyone, actually) could physical brick all these routers by pushing corrupted firmware onto them if I wanted to and cause some major trouble for TM. Since the config.bin can be downloaded without logging into the router, I guess it would make more sense to just hit every Unifi IP.. download their config.bin and harvest their Unifi passwords for future use.

I don't even have a 7.05b rev G2 router physically with me and was able to figure this out.. I'm guessing people who don't read Lowyat are screwed as long as TM continues down this path. Since they're forcing the hardware on us, imagine in 5-10 years when Unifi becomes the norm (with people running their TV services and phone lines through the fiber). One click from some guy who hates Malaysia/TM and the entire network goes down for a few days. They had the opportunity the fix all these issues with this new revision and firmware release but they didn't.

The messed up part is that it's hardware which they're placing on your home network which they're locking you out of.. and it has all these vulnerabilities due to backward ass policies they want to implement and it opens your network to attacks. They can just cooperate and tell users the damn password but instead they choose to make it hard and tell you things like 'its confidential'. Even moarrr confidential than the files random people are pulling off your NAS while you're asleep after reconfiguring your port forwarding settings

And they underestimate us. I think they assumed that I guessed the password the first time because it was so simple, so they decided to make it more complex. The PS3 can be hacked using a USB based buffer overflow, Apple products can be jailbroken.. yet to TM, the mighty orange TM DIR-615 password cannot be cracked using any form of technology known to man at this point. The person who decided to lock down the router should have his head checked.

This post has been edited by rizvanrp: Oct 10 2010, 08:25 AM

Exactly, it's totally pointless IMO :3 The security tradeoff is not worth the risk.

Anyway this is my final shot at the config.bin exploit before I go to bed. Spent the last 4 hours working on it (reversing the config.bin packing/unpacking process, coding, bleh..) and realized something silly.. the config.bin isn't even encrypted. It only uses gzip compression with some dummy data thrown in :3 It's a compressed XML file !



Don't even have to use RouterPassView anymore.. I made an unpacker in PHP which neatly displays all the needed info after you upload your config.bin to the site

Didn't er 76radius mention this like back in May or something =x? ZTE VDSL2 is the only BTU that can perform port based VLAN tagging on its own AFAIK

If your linksys which is running dd-wrt rejects the usage of a vlan interface (using eth0.500 as WAN port assignment and the setting reverts), it's probably running on a Broadcom chipset and you won't be able to do a direct fiber <-> router WAN port link with it.

Idk, same user/pass for every BTU.. full access to every dir-615 on the Unifi network due to the config.bin exploit.. and an ISP which is encouraging every user to leave it all open (even to the extent of sending out mass SMSes telling everyone to leave it enabled). You guess lar

This post has been edited by rizvanrp: Oct 11 2010, 05:37 PM

40ms+ is normal if you're on VDSL2 due to interleaving, which is why people recommend getting fiber if possible. The speed is also not 100% symmetrical with VDSL.. in many cases your max upload will be lower than your download.

This post has been edited by rizvanrp: Oct 12 2010, 08:23 PM

I don't know if they will willingly reinstall for you. Definitely will be some charge and it really just depends on your location. I think if you're on a low floor of a high rise building you can opt for fiber in some cases but if you're high up definitely not.

The way they've configured their VDSL2 setup means you'll always have 40ms+ latency at minimum whereas its about 1-3ms for fiber users. Ask them lar

@solarmystic

They've upgraded it to revision G2 now. Those of you who have fried routers will probably be getting a rev G2 unit with firmware 7.05b as a replacement. Hopefully they have a lower failure rate than the previous revision. But it's true that the DIR-615 was a bad choice by TM. Extremely short hardware life + very poorly coded firmware with tons of exploits = epic failure.

@yaofong

Get a Mikrotik RB250GS/RB750

Yeah but keep one existing copper line as a backup. Unifi VOIP is susceptible to attacks over the network + power failure.

No it's not, lol

This is normal traffic for servers with SSH running on TCP port 22. It's usually just a couple of bruteforce attempts on 'root' or some standardized user:pass file which they use. This traffic originates from skiddies or botnet drones looking for easy targets to compromise. Anyway, if you have SSHd running and need it to be accessible from the WAN side for some reason.. be sure to switch its port number to something non standard (over port 1024 would be best).

http://www.utorrent.com/testport?port=22

If it says the port is open then your SSHd is still exposed to the WAN side


1) wget http://175.136.2xx.x:8080/config.bin
2) Unpack collected config.bin's using gzip decompression + extract PPPoE user/pass combo
3) Identify username -> company relationships and access LAN as necessary
4) Thanks Unifi remote management!

EDIT:

Dear rexio,

You know what.. I posted a long ass reply but I decided to remove it. This is probably going to be the last post from me for a while. I've been here from v1 and like others who already have their network setup nicely (radius, moogle, etc.), there's no real need to post here anymore. There's nothing for me to gain or lose and that was always the case. I've spent countless hours working on this in my free time, never got anything except personal satisfaction out of it and I honestly do not care what people think about me. If you can read and utilize my unifi.athena.my guides to secure your network then turn on me when I talk about the reason those guides exist, there's nothing I can say that will convince you that I mean no harm.

So cya.

This post has been edited by rizvanrp: Oct 22 2010, 09:09 PM

Rexio,

I deleted the post because I wanted to avoid a flame war with you.

No, other ISPs give you a router with a single admin account and allow you to change the password at any given time. They do not create a secondary admin account on the router and lock you out of it. They also do not force you to enable remote management from the WAN side or supply you with routers where the firmware itself is not secure. And finally, they do not push PPPoE traffic over a bloody tagged VLAN to basically narrow down your hardware choices to their own custom router.

I'm sorry about this. I actually totally forgot it was you who PMed me about it because I get tons of PMs per day about Unifi. That's right everybody, rexio was the first to crack the password. He used RouterPassView. That's right guys, he dragged his config.bin into the program and it told him the operator password.

He has mad skills. I could not possibly beat him, even if I disassembled RouterPassView in ollydbg and reverse engineered the decompression routine.



Nope, rexio is best rexio and deserves all the credit.

You want to know another reason I didn't credit you? It's because I didn't get the bloody password from you. I sent you a second PM 20 minutes before you replied to me and told you NEVERMIND BECAUSE I ALREADY FOUND IT MYSELF. You had a 7.05b sitting in front of your lap, I had to port scan the bloody network, ID a firmware 7.05b unit, extract the config.bin and figure out how to decompress it.



I was kind enough to say thank you even though you did not even send me a reply or do anything except inhale oxygen.





You want to know the biggest joke of all rexio?

You're bloody spoonfed. Every single technical thing you knew about the service when you applied for Unifi was because of the effort I put in since March. You come in here, you ask me why I didn't credit you for shit (I honestly forgot it was you), you talk big about Google-ing a bloody program. You tell me not to write guides that assist people in breaking into routers and counter me by saying default combo's are well known since Streamyx days. It's standard for exploit disclosure that you describe why the exploit occurs and provide a proof of concept.

Everyone has been able to break into Unifi routers since I wrote the guide on how to secure it. If you secured your router using my guide, you would know that other router are still accessible using the 'telekom' password so what the f**k do you want from me really?

And you're asking me.. which company doesn't have a firewall? I've done over 10 Unifibiz 10/20mbps installs, how many have you done rexio? What knowledge do you have regarding corporate firewall integration with Unifi from a previous system?

You want credit? Where's my credit for letting you know about the existence of a secondary account in the first place?

Rexio, you obviously cannot use your own brain. You want me to write guides to help people secure their router. I tell them the operator password is 'telekom' or whatever, to log in and untick this and that. You honestly think that the 'bad guys' wont use the same login on other peoples routers? You tell me about Linux noobs.. this is like logic failure if they can't make that connection.

I was angry at you because you want me to practice security through obscurity. Keeping quiet == keeping it safe. That's bloody stupid and is basically what TM is doing. And now I'm just plain pissed because you're demanding credit for something you didn't do. Something you could not have done without my help in the first place. Seriously la, use your head.

There are many people on this forum who are more knowledgeable than me + I respect. If you scroll back a few threads I had an interesting discussion with someone regarding Unifi VDSL latency vs Unifi FTTH, he's one of them That's why I like coming to LYN forums because you have knowledgeable people in almost every field.

I've said it from day one, I'm just here to help people. I pay the server rent for the Unifi dc++ hub so that we have a local p2p network to fall back onto in the event there's some international b/w cap, I write the guides to assist people in getting the best out of the service. I earn RM0/mth from all this and I don't expect people to pay me anyway. I'm a uni student and all of this comes from my allowance and free time.

However, what I cannot stand are assholes. I understand that I've talked about this exploit a lot and my purpose is merely to educate new Unifi users about it so they don't fall prey to other assholes on the Internet. You suddenly decided to confront me like a jerk and accuse me of doing a lot of things, so I treated you likewise. I've never once bragged about what I've accomplished because it's just part of the learning process for me.. but you were just asking for it tonight.

Moral of the story? Don't be a d*ck.

This post has been edited by rizvanrp: Oct 23 2010, 01:02 AM

@ archonixm/billytong

No offense but I don't want to address this issue anymore. I refuse to believe that by writing that wget comment as a joke (in response to the idiotic comment made in that news article) I've somehow compromised the security of routers on the network more than when I disclosed the vulnerability back in May. Infact, I posted a command that would not even work in an actual shell. If you believe that by only posting the current 'operator' passwords you've somehow prevented skiddies from doing what I described, you're absolutely wrong.

That's just how computer security works. It's fair game for both the vendors and the attackers when an exploit is published. The fact remains that TM/DLINK have had months to patch this/change their policy and they have not.

I'm not taking the blame for anything especially after the person who started all this shit basically revealed his butthurt 'I is get no credits for something I didnt do' mentality in his following posts. I'm not saying he didn't have a point, I'm just saying he screwed up his chance to have a mature discussion with me when he revealed that side of himself. I removed my initial post because I knew this is what it would come to but he decided to basically draft a MS Word document using a cached copy just to spite me.

If you have used any of my guides on the athena site, do not expect me to believe that it has never occurred to you an attacker could use that information to break into routers which are not secure. You can link an incomplete 'wget' command to a whole series of possible attacks but stuff like this did not occur to you when you were reading my earlier guides? Let me reiterate here : I posted a full technical guide back in May which contains the master password for all DIR-615 G1 routers so that you can secure your own router (you agreed that this is what I should do).. and you don't think people will use that information to attack other users? Do you now realize why I'm like "OH GOD MY HEAD ASPLODE" over here?

That's honestly why I'm questioning your logic and intentions here. I mentioned this back in May that it was a difficult decision.. but as Moogle put it, I felt the benefits of revealing such information far outweighed the bad (especially in a system where you are forced to use the buggy software/hardware). So I ask, where was all your paranoia then? There wasn't any; some troll just decided to vent his anger at me for not crediting him and you took the bait.

I have never written and published a tool to automate attacks on the Unifi network. I have never even described how to perform the attacks I said were possible on compromised routers (turning them into zombies/open proxies/whatever). Doing that would indeed be unnecessary and not beneficial to anyone. I'm a Unifi user myself and I understand your concerns. However from the security analyst point of view, many of you can't put yourselves in my shoes.

I cannot teach people how to protect themselves if I do not tell them what they're going up against. Do you know how many users ignored my advice to disable the remote management option because TM sent out an SMS 'encouraging' people to re-enable it? They assumed that they were safe simply because they changed the operator password however because I didn't make it a point to tell them that the remote management option was also an attack vector, they left it open as per TM's advice.

But at the end of the day, the sheer hypocrisy of using my knowledge to protect yourself then attacking me for distributing that information in the first place.. frankly just astounds me. Start asking TM why they're allowing such a terrible policy to continue instead of blaming me for exposing all of their problems (to your benefit). You're asking me to do the impossible here for the most trivial of reasons, it's starting to become annoying and I hope you understand that.

I apologize if I offended anyone but that's basically what I'm feeling myself after reading these posts. It feels like I'm shouting at the world because they fail to notice something that is right in front of their eyes.

---

So using the logic some of you are condemning me with, with this single post alone, rexio has basically :

1) Made it known that Unifi is capped by the account type and there is no physical cap
2) That you will need to disconnect another user in order to use his account as your own
3) Made it clear that the attacker will use the typical Malaysian slang to express his delight in breaking into your router
4) Described in detail that TM will reset the session if you dual log as only one session is allowed at a time

In an attempt to prove a point to me, he has literally written a bloody blueprint here on port scanning the Unifi IP range, breaking into routers, extracting passwords, destroying the victims router and using his details to re-enter the Unifi network. I never described anything about breaking into the routers to increase your speed nor the effects of that in my post. I touched on how an IP address can be re-linked to its original account. I wonder how does rexio know this anyway because his 'layman' sounds pretty experienced *hint hint*.

Most of you who have read every post here from v1-v7 know that nobody has ever posted such an in depth guide like this on 'increasing' your speed. We should TOTALLY add this on the frontpage as rexio's guide to illegally 'upgrading' your Unifi package speed. /s

Seriously, this is why I think all of this is a bloody joke.. and you want to support this moron's cause?

FYI, I've edited this post like 10 times and I'm actually laughing my ass off at 6.30am on a Sunday morning because I just noticed this.

@ Acrisius

TM is constantly adding new IP ranges for Unifi and not all of them have their reverse DNS pointer set yet .. so that's not really a sure fire way to figure out if someone is on Unifi

This post has been edited by rizvanrp: Oct 24 2010, 06:44 AM