SFT1200 Opal WPS is enabled by default

Steve68 · January 18, 2024, 12:00am

I set my Opal as a repeater and after using a network analyzer I noticed the Opal’s network has WPS enabled, which is a huge security risk, I can’t see an option on OpenWRT to disable it and also I tried to connect to the router using SSH and I wasn’t able to do anything, I thought I would be able to delete the WPS files but on the path /etc/rc.button/wps I can’t see anything

I even did a factory reset and WPS is still enabled by default, that’s what it looks like at least
What can I do to disable it?

Steve68 · January 18, 2024, 12:09am

If I do a cat /etc/rc.button/wps this is what I can see, I don’t want to mess around with this script and break something so I hope someone can help

#!/bin/sh

wps_catch_credentials() {
local iface ifaces ifc ifname ssid encryption key radio radios
local found=0

    . /usr/share/libubox/jshn.sh
    ubus -S -t 30 listen wps_credentials | while read creds; do
            json_init
            json_load "$creds"
            json_select wps_credentials || continue
            json_get_vars ifname ssid key encryption
            local ifcname="$ifname"
            json_init
            json_load "$(ubus -S call network.wireless status)"
            json_get_keys radios
            for radio in $radios; do
                    json_select $radio
                    json_select interfaces
                    json_get_keys ifaces
                    for ifc in $ifaces; do
                            json_select $ifc
                            json_get_vars ifname
                            [ "$ifname" = "$ifcname" ] && {
                                    ubus -S call uci set "{\"config\":\"wireless\", \"type\":\"wifi-iface\",       \
                                                            \"match\": { \"device\": \"$radio\", \"encryption\": \"wps\" }, \
                                                            \"values\": { \"encryption\": \"$encryption\",         \
                                                                            \"ssid\": \"$ssid\",                   \
                                                                            \"key\": \"$key\" } }"
                                    ubus -S call uci commit '{"config": "wireless"}'
                                    ubus -S call uci apply
                            }
                            json_select ..
                    done
                    json_select ..
                    json_select ..
            done
    done

}

if [ “$ACTION” = “pressed” -a “$BUTTON” = “wps” ]; then
wps_done=0
ubusobjs=“$( ubus -S list hostapd.* )”
for ubusobj in $ubusobjs; do
ubus -S call $ubusobj wps_start && wps_done=1
done
[ $wps_done = 0 ] || return 0
wps_done=0
ubusobjs=“$( ubus -S list wpa_supplicant.* )”
for ubusobj in $ubusobjs; do
ifname=“$(echo $ubusobj | cut -d’.’ -f2 )”
multi_ap=“”
if [ -e “/var/run/wpa_supplicant-${ifname}.conf.is_multiap” ]; then
ubus -S call $ubusobj wps_start ‘{ “multi_ap”: true }’ && wps_done=1
else
ubus -S call $ubusobj wps_start && wps_done=1
fi
done
[ $wps_done = 0 ] || wps_catch_credentials &
fi

return 0

admon · January 18, 2024, 5:36am

Why do you think WPS is enabled?
As far as I know there are no GL devices that support it since OpenWrt does not support it out of the box.

Steve68 · January 18, 2024, 8:57pm

I scanned the network using an analyzer and it shows WPS is enabled, even on Linux I tried a penetration test (with no success) but it shows WPS is enabled. The weird thing is that I tried to push the button on my router to connect via WPS and it didn’t work, what could be happening here?

admon · January 18, 2024, 9:00pm

I would assume this is just some display error.

@bring.fringe18 What do you think about it?

bring.fringe18 · January 18, 2024, 9:09pm

opkg list-installed | grep hostapd-utils; grep wps /etc/config/wireless

No results == no worries.

https://oldwiki.archive.openwrt.org/doc/uci/wireless#wps_options

Steve68 · January 18, 2024, 9:18pm

So I could just delete the packages wpad and hostapd-utils? Or try the path you mentioned via SSH. (I’m new when it comes to SSH commands on OpenWrt)

I guess those packages won’t affect any other functions on the router if I delete them

admon · January 18, 2024, 9:19pm

Noooooo.

Just run the command @bring.fringe18 provided and post the output.

bring.fringe18 · January 18, 2024, 9:21pm

So you can “experiment”… yeah, that’s what we’ll call it… & yet still unfck yerself:

Steve68 · January 18, 2024, 10:16pm

root@GL-SFT1200:~# opkg list-installed | grep hostapd-utils; grep wps /etc/config/wireless
option wps_pushbutton ‘1’
option wps_label ‘0’
option wps_pushbutton ‘1’
option wps_label ‘0’

bring.fringe18 · January 18, 2024, 10:18pm

So the capability is there (wps_pushbutton enabled) but there’s no interface configured to push a PIN (wps_label '0').

Steve68 · January 18, 2024, 10:27pm

So is not a risk to leave it like that, thank you. When I pushed the button the WPS didn’t work on an old android phone but the fact the light was blinking made me think otherwise, I tried a lot of times and I was not able to connect using WPS

bring.fringe18 · January 18, 2024, 10:31pm

You’re fine. There’s still no hostapd-utils installed on your Opal so even if an interface was configured it would never get anywhere.

It looks like GL was going to provide the WPS feature on the Opal (hence the rpc & json calls) but didn’t complete it/killed it for the vulnerability it is.

You got a false positive on your scanner.