Mango GL.iNet GL-MT300N V2 disable booting from tftp server on boot

mischa · June 28, 2020, 2:16pm

I would like to disable loading a tftp image (192.168.1.2/openwrt-gl-mt300an.bin) on boot for the mango GL.iNet GL-MT300N V2 device.

The problem I see is: Attacker gains access to a device on the lan side of the openwrt router. It then sets up a tftp server on 192.168.1.2 serving an image with openwrt-gl-mt300an.bin (see tcpdump output below) and waiting for the router to reboot. The router then sees the 192.168.1.2 is up and if the filename matches flashes the new image to disk. This needs actually no phyiscal access just a compromised device in the lan. So I consider this a big problem and try to find a solution.

thanks for any more hints!

boot sequence


Autobooting in: 2 s (type 'gl' to run U-Boot console)

Device have ART, checking calibration status...
Device have calibrated, checking test status...
Device haven tested, checking MAC info...
Device have MAC info, starting firmware...
host 192.168.1.2 is alive

Filename 'openwrt-gl-mt300an.bin'.
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############################################
done
Bytes transferred = 6553842 (6400f2 hex)
NetBootFileXferSize= 006400f2
**************************
Erase start:0xbc050000
Erase len  :0x006500f2
Erase end  :0xbc6a00f2
**************************

sfx2000 · June 29, 2020, 12:35am

Interesting… Should only happen when uboot is in recovery mode

At least with ar targets, there is manual hands on to put the AR targets into u-boot recovery

That being said… if MT300N is the edge router…

Someone needs to punch thru the firewall
Change the LAN addr/subnet to 192.168.1.0/24
Access the MT300N command line over SSH/Dropbear and guess the password
Send a reboot command with a preconfigured TFTP server that would send over a compromised firmware release.

Once one gets to that point…

mischa · July 3, 2020, 3:57pm

Not sure about default settings of gl.inet devices as this was a device bought in a customized batch…

I managed to compile and setup u-boot for the device without this happening. Next step is to find a easy and good way to flash the uboot.bin from within openwrt.

That said your assumptions are quite wrong as:

someone needs to own a device in the network behind the router
sets an additional address to192.168.1.2 and activates a tftp server on that address
waits until the router reboots
automatically the ftp image is loaded and flashed on the router
=> from here you get the point.

alzhao · July 9, 2020, 8:25am

It does not work if you have both WAN and LAN connected.

mischa · September 19, 2020, 8:31pm

Just for the record: the fact stated by alzhoa is not correct. It does still ask for the file even if WAN is connected.

I found a way to upgrade from within openwrt using: u-boot_mod/u-boot-upgrade at master · pepe2k/u-boot_mod · GitHub