Commit 5958a19

Initial commit
0 parents  commit 5958a19

9,812 files changed

+1162340
-0
lines changed

README.md

Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
# GL.iNET Firmware
2+
GL.iNET is a company that produces [several different routers, WiFi Access Points, and other WiFi/IoT devices](https://docs.gl-inet.com/en/3/setup/). All of these devices use the [OpenWRT Linux Operating System](https://openwrt.org/start), which is built upon BusyBox and designed specifically for use by IoT devices and vendors. On top of the OpenWRT OS is custom GL.iNET firmware used by most (if not all) of their devices. This firmware provides a web GUI for users to utilize while setting up their networks, gateways, or other IoT functions.
3+
4+
GL.iNET has an official [GitHub account](https://github.com/orgs/gl-inet/repositories) with several repositories, and has made their software much more available over the past years. In addition to what's hosted on GitHub, they've released [clean-looking API documentation](https://dev.gl-inet.com/api/) for their 4.x firmware, an [intuitive interface to download firmware](https://dl.gl-inet.com/?model=ar750) based on model name, and an [AWS S3 bucket](http://download.gl-inet.com/) to access all of their software in one spot. I have taken the liberty of extracting three versions of the firmware ([3.201](rom-3.201/), [3.215](rom-3.215/), and [3.216](rom-3.216/)) from a device I own.
5+
6+
## Firmware Details and Deployment
7+
GL.iNET's firmware is deployed through a lightweight package manager native to OpenWRT called [opkg](https://openwrt.org/docs/guide-user/additional-software/opkg). Curl requests are made to the `fw.gl-inet.com` website, where the latest version is identified and downloaded, if needed. When the latest package is downloaded, one of the files inside is a squashfs file that contains the entire directory structure of the machine (including `/bin` executables, `/etc` config files, etc.). This directory structure and all files inside are found in the [rom-3.201/](rom-3.201/) and [rom-3.215/](rom-3.215/) folders in this repo.
8+
9+
While most of the contents of these `rom` folders is copied from OpenWRT, there are some changes made to it for GL.iNET devices. Specifically, a number of packages that are normally available on OpenWRT through the `opkg` manager but *not* installed by default are included in the firmware package, such as `dropbear` (a lightweight SSH client) and `lighttpd` (a lightweight web server). Most notable, however, are the inclusion of a custom website located in `/www`, and custom C executables and libraries in `/usr/bin` and `/usr/lib`.
10+
11+
The webserver located in `/www` and launched on startup uses Vue as the front-end framework, and all information is populated by an API. The API (instead of being programmed in PHP or NodeJS) is actually written as a C binary called `api`, found in `/www`. In addition, a web interface called `LuCI` (which is the official web interface for OpenWRT) is also included in GL.iNET devices, and binaries for this interface are found in `/www/cgi-bin`. In earlier versions of GL.iNET firmware (such as 3.201), `LuCI` was **NOT** included by default, and could be optionally installed. However, in the latest version as of this writing (3.216), `LuCI` is installed by default.
12+
13+
### Informational Findings
14+
* Default passwords
15+
* LAN SSID Key - `goodlife`
16+
* Web GUI Admin Password - none, this must be created upon initial setup (and can't be `goodlife`)
17+
* The password must be at least 5 characters long, no other requirements.
18+
* The folder `/var` is symlinked to `/tmp`, which means that any information that would normally go in `/var` (such as log files in `/var/log`) is erased upon reboot since `/tmp` is always wiped upon reboot.
19+
* Router-specific information such as model name, factory-issued MAC address, serial number, timezone, language, and the hashed admin web GUI password is found at `/etc/config/glconfig`.
20+
* As of January 2023 (time of writing), the initial firmware version shipped with the AR-750S-Ext router was 3.201, and the latest available version is 3.216. Other models may be shipped with different initial versions. Firmware versions 4.x is currently in beta testing and only available for a few, limited models.
21+
* GL.iNET devices have **no concept of least privilege**. All processes run as root, and the root password for the device is the same as the web GUI admin password. This means that certain vulnerabilities are much more impactful; for example, arbitrary file write is practically the same as remote code execution (RCE) since you can overwrite `/etc/shadow` with your own hash, or write to a cronjob or other script that is executed often (like `/www/api`), etc.
22+
23+
### Dependency Vulnerabilities
24+
All GL.iNET devices with 3.x firmware have many outdated dependencies, which are not intended to be updated. Instead, customers are advised to update to the GL.iNET 4.x firmware version which is the latest version. Dependency versions (with links to vulnerability pages) for 3.x firmware:
25+
26+
* [OpenWRT, v 19.07.8](https://openwrt.org/advisory/start) released Aug 2021 (EOL)
27+
* [BusyBox, v 1.30.1](https://www.cvedetails.com/vulnerability-list/vendor_id-4282/product_id-7452/Busybox-Busybox.html) released Feb 2019
28+
* [lighttpd v 1.4.48](https://www.cvedetails.com/vulnerability-list/vendor_id-2713/Lighttpd.html) released Nov 2017
29+
* [Dropbear v 2019.78](https://www.cvedetails.com/vulnerability-list/vendor_id-15806/Dropbear-Ssh-Project.html) released March 2019
30+
31+
## Scanner
32+
I created [a Python script](scanner.py) to act as a scanner for all GL.iNET devices that will query various unauthenticated endpoints and print out information specific to this instance. Depending on the configuration and version, information such as firmware version, language, MAC address, and even SSID and password may be available.
33+
34+
To use the scanner, run the command `python3 scanner.py <domain/IP>`, such as `python3 scanner.py 192.168.8.1`.
35+
36+
*Note - this has only been tested on devices with firmware versions 3.x, not any 4.x devices*
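
Review bot: README line 7 says the extracted directory tree is in `rom-3.201/` and `rom-3.215/`, but line 4 lists three extracted versions including `rom-3.216/`, so either add `rom-3.216/` to line 7 or say why it is left out. Line 9 describes `dropbear` as "a lightweight SSH client"; Dropbear is an SSH server as well as a client, and the server role is the one that matters for a router's exposure, so "SSH server and client" would be more accurate. Line 20 has a number disagreement in "Firmware versions 4.x is"; use "Firmware version 4.x is".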

rom-3.201/bin/ash

312 KB
Binary file not shown.

rom-3.201/bin/board_detect

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
#!/bin/sh
2+
3+
CFG=$1
4+
5+
[ -n "$CFG" ] || CFG=/etc/board.json
6+
7+
[ -d "/etc/board.d/" -a ! -s "$CFG" ] && {
8+
for a in `ls /etc/board.d/*`; do
9+
[ -x $a ] || continue;
10+
$(. $a)
11+
done
12+
}
13+
14+
[ -s "$CFG" ] || return 1
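
Review bot: Line 10, `$(. $a)`, sources each board.d script inside a command substitution and then runs whatever that script wrote to stdout as a command line, so any stray output from a board.d script becomes a command executed with the caller's privileges; if only the script's side effects are wanted, source it in a plain subshell with `( . "$a" )` or discard stdout. Lines 8 and 9 iterate over `ls` output and test `[ -x $a ]` unquoted, which breaks on file names containing whitespace or glob characters; `for a in /etc/board.d/*; do [ -x "$a" ] || continue` avoids both. Line 14 uses `return 1` at the top level of a `#!/bin/sh` script, which is only well defined inside a function or a sourced file; `exit 1` is the portable form when the script is executed directly.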

rom-3.201/bin/busybox

312 KB
Binary file not shown.

rom-3.201/bin/cat

312 KB
Binary file not shown.

rom-3.201/bin/chgrp

312 KB
Binary file not shown.

rom-3.201/bin/chmod

312 KB
Binary file not shown.

rom-3.201/bin/chown

312 KB
Binary file not shown.
