WEAKNESSES OF THE UniFi DIR-615 MODEM
- Special accounts (operator, Management) are stored on the modem for Telekom's use, but their passwords are easily obtained.
- The ordinary "Admin" user can download the modem configuration from http://
/config.bin.
- config.bin contains the passwords for admin, operator, Management, & Unifi, so anyone holding the Admin login also obtains the higher-privileged operator and Management credentials.
- Wi-Fi Protected Setup (WPS) is enabled by default. WPS is a newer Wi-Fi feature whose PIN can be brute-forced by an attacker within radio range; a recovered PIN yields the WPA/WPA2 passphrase and, with it, LAN access to the modem/AP and its configuration.
At a glance, what a remote attacker can do to you:
Start by scanning the relevant IP address and ports:
Follow up with the weaknesses listed above:
Next, make use of the functions & services available on the modem:
Some of the functions and services that can be used:
ls -al /usr/sbin/
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 xmldbc -> ./xmldb
-rwxr-xr-x 1 Manageme Manageme 97308 May 21 17:32 xmldb
-rwxr-xr-x 1 Manageme Manageme 262440 May 21 17:32 wps
-rwxr-xr-x 1 Manageme Manageme 40200 May 21 17:32 wlxmlpatch
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 wfanotify -> ./upnpkits
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 wfadev -> ./upnpkits
-rwxr-xr-x 1 Manageme Manageme 3166 May 21 17:32 wan
lrwxrwxrwx 1 Manageme Manageme 8 May 21 17:32 vconfig -> ./nsbbox
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 usockc -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 7098 May 21 17:32 usbaccess
-rwxr-xr-x 1 Manageme Manageme 94128 May 21 17:32 upnpkits
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 upnpdev -> ./upnpkits
-rwxr-xr-x 1 Manageme Manageme 25700 May 21 17:32 upgrade
-rwxr-xr-x 1 Manageme Manageme 60584 May 21 17:32 udhcpd
lrwxrwxrwx 1 Manageme Manageme 8 May 21 17:32 udhcpc -> ./udhcpd
-rwxr-xr-x 1 Manageme Manageme 10016 May 21 17:32 ubcfg
-rwxr-xr-x 1 Manageme Manageme 43332 May 21 17:32 tr069.xml
-rwxr-xr-x 1 Manageme Manageme 398980 May 21 17:32 tr069
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 tlogs -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 582 May 21 17:32 time
-rwxr-xr-x 1 Manageme Manageme 10316 May 21 17:32 telnetd
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 tcprequest -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 166544 May 21 17:32 tc
-rwxr-xr-x 1 Manageme Manageme 2112 May 21 17:32 syslog
-rwxr-xr-x 1 Manageme Manageme 2445 May 21 17:32 sys
-rwxr-xr-x 1 Manageme Manageme 750 May 21 17:32 switch
-rwxr-xr-x 1 Manageme Manageme 3794 May 21 17:32 submit
-rwxr-xr-x 1 Manageme Manageme 16504 May 21 17:32 stunnel
-rwxr-xr-x 1 Manageme Manageme 1025 May 21 17:32 stats
-rwxr-xr-x 1 Manageme Manageme 342280 May 21 17:32 snmpd
lrwxrwxrwx 1 Manageme Manageme 8 May 21 17:32 smtpclient -> ./nsbbox
lrwxrwxrwx 1 Manageme Manageme 9 May 21 17:32 slinktype -> rt3052esw
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 scut -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 19872 May 21 17:32 scheduled
-rwxr-xr-x 1 Manageme Manageme 8684 May 21 17:32 rt3052esw
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 rgdb -> ./xmldb
-rwxr-xr-x 1 Manageme Manageme 61068 May 21 17:32 rgbin
-rwxr-xr-x 1 Manageme Manageme 5440 May 21 17:32 reg
-rwxr-xr-x 1 Manageme Manageme 27652 May 21 17:32 rdisc6
-rwxr-xr-x 1 Manageme Manageme 18204 May 21 17:32 radvdump
-rwxr-xr-x 1 Manageme Manageme 259 May 21 17:32 radvd_br0.conf
-rwxr-xr-x 1 Manageme Manageme 262 May 21 17:32 radvd.conf
-rwxr-xr-x 1 Manageme Manageme 91964 May 21 17:32 radvd
lrwxrwxrwx 1 Manageme Manageme 9 May 21 17:32 psts -> rt3052esw
-rwxr-xr-x 1 Manageme Manageme 372716 May 21 17:32 pppd
lrwxrwxrwx 1 Manageme Manageme 9 May 21 17:32 portprio -> rt3052esw
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 pfile -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 8 May 21 17:32 ntpclient -> ./nsbbox
-rwxr-xr-x 1 Manageme Manageme 57552 May 21 17:32 nsbbox
-rwxr-xr-x 1 Manageme Manageme 11920 May 21 17:32 netbios
-rwxr-xr-x 1 Manageme Manageme 56624 May 21 17:32 neaps
-rwxr-xr-x 1 Manageme Manageme 6790 May 21 17:32 mfc
-rwxr-xr-x 1 Manageme Manageme 9440 May 21 17:32 md5checksum
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 login -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 67092 May 21 17:32 lld2d
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 iwpriv -> ./iwconfig
-rwxr-xr-x 1 Manageme Manageme 50408 May 21 17:32 iwconfig
-rwxr-xr-x 1 Manageme Manageme 76298 May 21 17:32 iptables-save
-rwxr-xr-x 1 Manageme Manageme 77067 May 21 17:32 iptables-restore
-rwxr-xr-x 1 Manageme Manageme 72250 May 21 17:32 iptables
-rwxr-xr-x 1 Manageme Manageme 158328 May 21 17:32 ip
-rwxr-xr-x 1 Manageme Manageme 6774 May 21 17:32 inetp
-rwxr-xr-x 1 Manageme Manageme 39828 May 21 17:32 igmpproxy
-rwxr-xr-x 1 Manageme Manageme 199012 May 21 17:32 hostapd
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 hnap -> ./upnpkits
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 gethostip -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 10 May 21 17:32 genuuid -> ./upnpkits
-rwxr-xr-x 1 Manageme Manageme 34607 May 21 17:32 fresetd
-rwxr-xr-x 1 Manageme Manageme 14324 May 21 17:32 encrypt_tool
-rwxr-xr-x 1 Manageme Manageme 45716 May 21 17:32 ecmh
-rwxr-xr-x 1 Manageme Manageme 64828 May 21 17:32 ebtables
-rwxr-xr-x 1 Manageme Manageme 28440 May 21 17:32 dyndns
-rwxr-xr-x 1 Manageme Manageme 189896 May 21 17:32 dropbear
-rwxr-xr-x 1 Manageme Manageme 48824 May 21 17:32 dnrd
-rwxr-xr-x 1 Manageme Manageme 920 May 21 17:32 diagnostic
-rwxr-xr-x 1 Manageme Manageme 10408 May 21 17:32 dhcpxmlpatch
-rwxr-xr-x 1 Manageme Manageme 160564 May 21 17:32 dhcp6s
-rwxr-xr-x 1 Manageme Manageme 173628 May 21 17:32 dhcp6c
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 devdata -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 devconf -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 dayconvert -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 9 May 21 17:32 ctest -> rt3052esw
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 chnet -> ./rgbin
-rwxr-xr-x 1 Manageme Manageme 852 May 21 17:32 cabletest:5
-rwxr-xr-x 1 Manageme Manageme 852 May 21 17:32 cabletest:4
-rwxr-xr-x 1 Manageme Manageme 852 May 21 17:32 cabletest:3
-rwxr-xr-x 1 Manageme Manageme 853 May 21 17:32 cabletest:2
-rwxr-xr-x 1 Manageme Manageme 850 May 21 17:32 cabletest:1
lrwxrwxrwx 1 Manageme Manageme 8 May 21 17:32 brctl -> ./nsbbox
-rwxr-xr-x 1 Manageme Manageme 29324 May 21 17:32 bpalogin
-rwxr-xr-x 1 Manageme Manageme 10000 May 21 17:32 ated
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 asession -> ./rgbin
lrwxrwxrwx 1 Manageme Manageme 7 May 21 17:32 arpping -> ./rgbin
drwxr-xr-x 5 Manageme Manageme 49 May 21 17:32 ..
drwxr-xr-x 2 Manageme Manageme 1408 May 21 17:32 .
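The "scan the IP address and ports" step above, as an added example (my own code, not from the original post or from the device firmware): a small concurrent TCP connect scanner that probes the management ports one would expect from the daemons in the listing (dropbear, telnetd, the web UI, stunnel, tr069) and reports which of them answer. The port numbers are the conventional defaults and are an assumption; the firmware may bind them elsewhere. Run it from the WAN side to confirm that remote management is reachable only from the LAN, and from the LAN side to see what a guest on the Wi-Fi can reach.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Management services suggested by the daemons in /usr/sbin above, keyed by
# their conventional TCP ports.  Assumption: the firmware uses the defaults.
MGMT_PORTS = {
    22: "ssh (dropbear)",
    23: "telnet (telnetd)",
    80: "http (web UI; config.bin is served here)",
    443: "https (web UI / stunnel)",
    7547: "tr-069 CWMP (carrier remote management)",
}


def probe(host, port, timeout=2.0):
    """TCP connect to host:port.  Returns (port, is_open, banner).

    A completed handshake counts as open; we then wait up to `timeout`
    for a greeting (telnet and ssh send one unprompted, HTTP does not).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128)
            except OSError:          # socket.timeout is an OSError subclass
                banner = b""
            return port, True, banner
    except OSError:                  # refused, unreachable, or timed out
        return port, False, b""


def scan(host, ports, timeout=2.0, workers=8):
    """Probe `ports` on `host` concurrently; returns {port: (is_open, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: (is_open, banner) for port, is_open, banner in results}


def exposed_management(result):
    """Management ports that answered, sorted.  Anything in this list on a
    WAN-side scan violates the 'LAN only' rule; on a LAN-side scan it is what
    a guest on the Wi-Fi (or a WPS attacker) can reach."""
    return sorted(p for p, (is_open, _) in result.items()
                  if is_open and p in MGMT_PORTS)


def report(host, result):
    """Human-readable one-line-per-port summary of a scan result."""
    lines = []
    for port in sorted(result):
        is_open, banner = result[port]
        state = "open" if is_open else "closed"
        line = f"{host}:{port:<5} {state:<6} {MGMT_PORTS.get(port, '?')}"
        if banner:
            line += f"  banner={banner.strip()!r}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed LAN address of the modem; pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    res = scan(target, MGMT_PORTS)
    print(report(target, res))
    print("exposed management ports:", exposed_management(res))
```

A banner such as `SSH-2.0-dropbear_...` on port 22 confirms the dropbear binary from the listing is actually running; an open 7547 on the WAN side means the carrier's TR-069 channel is reachable by anyone, not only by Telekom.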
Combined with a few suitable applications:
Finally, without the user noticing, their privacy has already been violated:
Some screenshots of a user happily browsing Facebook:
The attacker can also perform session hijacking using the user's cookies and then take over the user's Facebook account:
Many other kinds of attacks and exploitation techniques can be used by an attacker against a victim. So every UniFi user should take care of their own security.
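The session hijack described in the previous sentence, as an added example that is not from the original post: a constructed server-side session table (the site is a stand-in, www.example.com), the Cookie header a browser puts on the wire for a plaintext request, and the attacker's replay of exactly that header. It also shows the mitigation that the site, not the modem owner, controls: a cookie flagged Secure is never attached to an http:// request, so a sniffer sitting on the modem sees nothing to replay. The session store and login functions are my own constructed stand-ins; the cookie-attachment decision is Python's own http.cookiejar.

```python
import secrets
import urllib.request
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie

# Constructed stand-in for a site's server-side session table: the server
# identifies the user by nothing but the opaque session id in the cookie.
SESSIONS = {}
SITE = "www.example.com"   # stand-in domain, not the real target


def login(username):
    """Server side: issue a fresh session id for a user."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def whoami(cookie_header):
    """Server side: who does the 'Cookie:' header say this request is from?"""
    if not cookie_header:
        return None
    parsed = SimpleCookie()
    parsed.load(cookie_header)
    morsel = parsed.get("sessionid")
    return SESSIONS.get(morsel.value) if morsel else None


def session_cookie(sid, secure):
    """Browser side: the cookie the site set after login, with/without Secure."""
    return Cookie(version=0, name="sessionid", value=sid, port=None,
                  port_specified=False, domain=SITE, domain_specified=True,
                  domain_initial_dot=False, path="/", path_specified=True,
                  secure=secure, expires=None, discard=True, comment=None,
                  comment_url=None, rest={})


def cookie_header_sent(cookie, url):
    """Browser side: build a request to `url` and let the cookie jar decide
    whether the cookie is attached.  Returns the Cookie header or None."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def hijack(captured_cookie_header):
    """Attacker side: replay a header sniffed from plaintext HTTP, unchanged."""
    return whoami(captured_cookie_header)


def demo():
    """Victim logs in and browses over plain HTTP; the attacker, already on the
    modem, copies the Cookie header off the wire and replays it.  Then the
    same session id with the Secure flag: nothing leaves the browser over
    http://, while https:// still works."""
    sid = login("victim")
    on_wire = cookie_header_sent(session_cookie(sid, secure=False),
                                 f"http://{SITE}/feed")
    stolen_identity = hijack(on_wire)
    safe = session_cookie(sid, secure=True)
    leaked = cookie_header_sent(safe, f"http://{SITE}/feed")
    over_tls = cookie_header_sent(safe, f"https://{SITE}/feed")
    return stolen_identity, leaked, whoami(over_tls)


if __name__ == "__main__":
    print(demo())
```

The server never sees anything but the cookie value, so a replayed header is indistinguishable from the victim's own request. The Secure flag (together with the site forcing HTTPS) is what keeps the value off the plaintext wire; HttpOnly is the matching flag against script-based theft but is not modelled by the cookie jar here.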
Prevention:
- Disable Wi-Fi Protected Setup (WPS).
- Change all operator/Management passwords to stronger ones. Note that whoever holds the Admin login can still read them back out of config.bin, so this only protects against attackers who do not have the Admin password.
- Disable the SSH & Tunnel functions.
- Only allow remote management from the LAN/internal network, never from the WAN side.
- Do not use WEP encryption; by default Telekom selects WPA/WPA2-PSK.
Sumber: http://www.ittutor.net/forums/
NOTE: The images and methods written above are for learning purposes. I have not hacked or attacked any modem/router that is not my own property. All of the attack activity above was carried out using equipment in my own home.