Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

AirOS and Security: DUMP of configuration files with TFTP or other thing

AirOS and Security: DUMP of configuration files with TFTP or other thing
If someone has physical access to one of our radios, will they be able to access any of the configuration files? For example, system.cfg with TFTP, reset, etc.
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

AirOS and Security: DUMP of configuration files with TFTP or other thing
If someone has physical access to one of our radios, will they be able to access any of the configuration files? For example, system.cfg with TFTP, reset, etc.

Please, any help ...
This is very important. Not only for us.
If TFTP can download a file, this would jeopardize the security of the entire network, for example the WPA2 secret, the radio's user password, etc. saved in the configuration files.
SuperUser
Posts: 4,925
Registered: ‎12-03-2009
Kudos: 1932
Solutions: 112

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Well... I heard a rumor that the sun is going to be blue tomorrow....
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Well... I heard a rumor that the sun is going to be blue tomorrow....

Friend,
my question is very serious and, if for you it is simple, please do a technical exposition on the subject, for example how TFTP works on AirOS, which version it is, if it is compiled in a special way, if it is set only to accept firmware uploads, etc ... this would be very useful, and would be the proper use of the forum!
But if on the other hand we must refer ...etc! But do not think this important resource should be used in this way. I also have no more nor age nor time to remind the teenagers years!
SuperUser
Posts: 4,925
Registered: ‎12-03-2009
Kudos: 1932
Solutions: 112

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

You are posting rumors without a shred of evidence.
Please post some evidence or steps to reproduce.
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

You are posting rumors without a shred of evidence.
Please post some evidence or steps to reproduce.

I have not posted a rumor!
I posted a QUESTION!
I asked a simple question that did not necessarily require your involvement, although you are welcome to work together!
Please do not attend posts that you do not want to!
And YES, this is a subject that matters because it involves security, and the TFTP protocol by default accepts file streams in a bidirectional manner: "put" and "get".
I'm here to learn, please do not disturb!
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Oh My God!
Do not want to talk about rumors!
Just asked a question SIMPLE and DIRECT!

Is it possible, using the TFTP tool or otherwise, without credentials (username and password), to copy the config files? Only this!

It was simple! Only simple answers would be expected, answers like:

- No. I do not know how!

- No. Never, since TFTP does not support download.


Is it possible that no one knows about this?
SuperUser
Posts: 16,235
Registered: ‎06-23-2010
Kudos: 5115
Solutions: 76

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

You could try it.

-- Sent and mangled via autocorrect, courtesy of my iPhone
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

You could try it.


-- Sent and mangled via autocorrect, courtesy of my iPhone


Are you kidding friend?
Of course I've tried, it happens that the TFTP does not list files!
I'm not looking for a way to do this, I'm looking if there is possibility to do this!

Why so much trouble with something as simple as a "yes" or "no" or "do not know"?

I'm talking about how TFTP is implemented in AirOS. TFTP has the possibility to download, so how are the configuration files protected? Does the implementation of TFTP for AirOS ensure this?
SuperUser
Posts: 4,925
Registered: ‎12-03-2009
Kudos: 1932
Solutions: 112

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Ok buddy..
This is a community support forum and I and the others are not official UBNT staff.
If you think there is merit, email support@ubnt.com
We have jokingly replied to you because of how absurd the rumor seems.
I'm done with your game. If it is a real security bug, support@ubnt.com will want to hear about it.
Member
Posts: 235
Registered: ‎09-10-2010
Kudos: 15

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Ok buddy..

This is a community support forum and I and the others are not official UBNT staff.

If you think there is merit, email support@ubnt.com

We have jokingly replied to you because of how absurd the rumor seems.

I'm done with your game. If it is a real security bug, support@ubnt.com will want to hear about it.


There is no game, I do not play with my job!

I have already sent an email to support. I'm waiting.

Yes, this is a community forum, we can ALL ask what is relevant and we CAN reply when we want.

I asked a simple question and I did NOT SPEAK of any BUG!
Answer, whoever wants to!
SuperUser
Posts: 16,235
Registered: ‎06-23-2010
Kudos: 5115
Solutions: 76

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Are you kidding friend?
Of course I've tried, it happens that the TFTP does not list files!


Well, then I guess you can't do it.
Member
Posts: 141
Registered: ‎12-02-2011
Kudos: 26
Solutions: 2

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Did you try to check the security attributes of the files?
Something like an ls -l on the directory where the files are stored.
It would be logical that just the root user could read them.
If so, this would be as secure as any Linux system. Use a long password for root.
PS: some people on this planet were able to hack the OS of the PS3, iPhones, etc.
I think no client system is 100% secure.
Ubiquiti Employee
Posts: 7,391
Registered: ‎11-27-2007
Kudos: 4220
Solutions: 167
Contributions: 45

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Hi,
No, The TFTP recovery method does not allow you to download files from the device.
It only allows you to upload an image, which will reset configuration and flash firmware.
-Matt
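
The thread turns on TFTP's two request types: "get" is a read request (RRQ) and "put" is a write request (WRQ). The sketch below is an added example, not part of the original posts and not Ubiquiti's implementation. It shows how a generic upload-only TFTP service, following the RFC 1350 packet layout, would answer each one. The sample packets and the file name `firmware.bin` are constructed for illustration.

```python
import struct

# TFTP opcodes and error codes from RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
ERR_ACCESS_VIOLATION, ERR_ILLEGAL_OP = 2, 4

def parse_request(packet: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, else raise ValueError."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a request packet")
    fields = packet[2:].split(b"\x00")
    # Well-formed body is: filename NUL mode NUL, so the split ends in b"".
    if len(fields) < 3 or fields[-1] != b"" or not fields[0] or not fields[1]:
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii").lower()

def error_packet(code: int, message: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"

def upload_only_reply(packet: bytes) -> bytes:
    """First reply of a hypothetical upload-only server to a client packet."""
    try:
        opcode, _filename, mode = parse_request(packet)
    except ValueError:
        return error_packet(ERR_ILLEGAL_OP, "illegal TFTP operation")
    if opcode == RRQ:
        # "get" is refused whatever the file name, so nothing is read back out.
        return error_packet(ERR_ACCESS_VIOLATION, "read requests not supported")
    if mode != "octet":
        return error_packet(ERR_ILLEGAL_OP, "binary (octet) mode required")
    return struct.pack("!HH", ACK, 0)  # WRQ accepted: acknowledge block 0

# Constructed sample packets: a "get" of system.cfg and a "put" of an image.
GET_CFG = b"\x00\x01system.cfg\x00octet\x00"
PUT_FW = b"\x00\x02firmware.bin\x00octet\x00"

if __name__ == "__main__":
    print("get system.cfg ->", upload_only_reply(GET_CFG))
    print("put firmware   ->", upload_only_reply(PUT_FW))
```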
Established Member
Posts: 1,563
Registered: ‎11-03-2009
Kudos: 417
Solutions: 6

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

New Member
Posts: 12
Registered: ‎05-18-2011
Kudos: 6

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing


UBNT-Matt wrote:
Hi,
No, The TFTP recovery method does not allow you to download files from the device.
It only allows you to upload an image, which will reset configuration and flash firmware.
-Matt

 

Someone recently reminded me about this issue and I went back to search the forum for the previous discussions.  One area where I've kinda objected to the way Matt phrased that is that parts of his comment were not true until v5.5.4, which was released after Matt's post.  Additionally, Matt disclosed the flash dump procedure to one of our competitors a year prior to his post above.  However, as the agreement I reached by Email with Matt and other Ubiquiti staff at the time involved deleting my posts on this security issue while they implemented a fix in v5.5.4 (which they did), and more than a year has now elapsed in the meantime giving everyone time to upgrade, I'll make the following comment without actually disclosing what the hole was or how to use it (although I believe anyone knowledgeable with Linux, OpenWRT or u-boot that looked at the v5.5.4 changelog would have been capable of figuring it out).  I believe nearly 2.5 years since I raised the issue with Ubiquiti and a little over 1 year since they fixed it is a fair amount of time to have held off discussing the issue.  Hopefully this will prod any stragglers into upgrading or at least using the procedure I have outlined below to close the hole.

So, here it is: Anyone concerned about this issue, wherein anyone with physical access to the end of the Ethernet cable to your Ubiquiti airOS-based device (such as a competitor who also runs a computer repair business and visits one of your customers, one of your customers switches to a competing WISP and gives that competitor access to the device before it is returned to you, or you share a communications site with a competitor with minimal access control to the Ethernet cables to your Ubiquiti equipment) can obtain the plain text configuration while leaving behind no trace that they dumped your configuration, needs to either upgrade to v5.5.4 or later, or at least have flashed v5.5.4 or later on their device at least once so that u-boot will have been upgraded to a version in which Ubiquiti removed the security hole in question following my insistence that it posed a significant security issue.

If anyone wants to continue running a version prior to v5.5.4, you can upgrade to v5.5.4 then downgrade back to your desired version (if you intended to run v5.5 or v5.5.2).  Or if you intend to run a version prior to that which is incompatible configuration-wise, save your existing config, upgrade to v5.5.4, downgrade to your desired version, use the reset button to reset to default configuration, then reload your saved config on the device.  This will close the security hole as you will be running the updated version of u-boot from v5.5.4.

Relevant excerpt from the v5.5.4 changelog:

- TFTP recovery: Reset configuration to factory defaults when executing TFTP recovery mode without need to hold Reset button for 15sec and upload firmware image

 

-Ryan
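
The upgrade and downgrade procedure in the post above, turned into a fleet audit. This is an added example, not part of the original post. It assumes the operator keeps a per-device record of every firmware version ever flashed, and it treats any 5.5.x release below v5.5.4 like the v5.5 and v5.5.2 cases the post names. Device names and the versions `v1.0.0` and `v9.9.9` are constructed placeholders.

```python
import re

FIXED = (5, 5, 4)  # first release whose u-boot closes the hole, per the post

def parse_version(text):
    """'v5.5.4' -> (5, 5, 4); 'v5.5' -> (5, 5, 0)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def plan(flash_history, target):
    """Ordered steps that close the hole on one device, [] if already closed.

    flash_history: every version ever flashed on the unit (assumed record).
    target: the version the operator wants to end up running.
    """
    if any(parse_version(v) >= FIXED for v in flash_history):
        return []  # u-boot was already replaced by an earlier v5.5.4+ flash
    want = parse_version(target)
    if want >= FIXED:
        return [f"upgrade to {target}"]
    steps = ["upgrade to v5.5.4", f"downgrade to {target}"]
    if want < (5, 5, 0):
        # Pre-5.5 configs are incompatible: carry the config across by hand.
        steps = (["save existing config"] + steps +
                 ["reset to defaults with the reset button", "reload saved config"])
    return steps

# Constructed inventory: name -> (flash history, version to run).
FLEET = {
    "tower-a": (["v1.0.0"], "v1.0.0"),
    "cpe-17": (["v5.5.2"], "v5.5.2"),
    "cpe-18": (["v5.5", "v5.5.4", "v5.5"], "v5.5"),
}

def audit(fleet):
    """Map each device that still needs work to its step list."""
    todo = {}
    for name, (history, target) in fleet.items():
        steps = plan(history, target)
        if steps:
            todo[name] = steps
    return todo

if __name__ == "__main__":
    for name, steps in audit(FLEET).items():
        print(name, "->", "; ".join(steps))
```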

Veteran Member
Posts: 4,850
Registered: ‎03-12-2011
Kudos: 2398
Solutions: 116

Re: AirOS and Security: DUMP of configuration files with TFTP or other thing

Ah good to hear that u-boot was actually changed to achieve this - I had assumed they just made the change in AirOS rather than updating the bootloader (which of course means flashing OpenWRT wouldn't default it) - although I hadn't had a chance to re-test since 5.5.4 (I initially discovered this "feature" pre-5.5 inadvertently).

That said, I suspect if you're willing to crack the device open and access the TTL serial header on it you'd be able to recover the config anyway - so it's always a good idea to assume that any hardware that other people could get physical access to is compromised.
