webmgnt

General Info

Authentication Bypass & Patching

Device Info

  • Model: MV2400 (COMFAST CF-E5)
  • Base: OpenWrt with QCA9531
  • Web Stack: nginx 1.4.7 + FastCGI (webmgnt)
  • Default Auth: admin:admin

System Context

Key Components

  • Web server: nginx/1.4.7 + FastCGI (webmgnt binary)
  • Authentication: Hardcoded admin:admin
  • Session: COMFAST_SESSIONID cookie
  • CGI routing: cgi_functions array with per-endpoint auth flags

Authentication Logic

Session State Variables

char is_logged_in;                         // Set after successful login  
char authenticated_COMFAST_session_id[90]; // Server's copy of session cookie  
time_t authenticated_session_expiration_time; // 10min timeout  

### Auth Check Flow

- CGI handlers check "needs-auth" flag in `cgi_functions`
- If flag set (`01 00 00 00`), requires:
    - `is_logged_in == 1`
    - Valid session cookie match
    - Non-expired session

Bypass Strategies

1. Patch CGI Function Auth Flags

Always work in

/overlay first!
Patching the wrong offset can brick the web interface

# Example patch command  
printf '\x00\x00\00\x00' | dd of=/overlay/usr/sbin/webmgnt bs=1 seek=$((0x54BC0)) conv=notrunc  

- Each CGI entry has a 4-byte auth flag
- `01 00 00 00` requires auth
- `00 00 00 00` public access
- Remember: Use file offsets, not virtual addresses!

2. Overlay Filesystem Usage

OpenWrt’s overlay system provides safe testing

  • Read-only squashfs + writable /overlay
  • Changes in /overlay shadow original files
  • Easy rollback: delete from /overlay and reboot
# Create overlay directory structure  
mkdir -p /overlay/usr/sbin  
  
# Copy and patch binary  
cp /usr/bin/webmgnt /overlay/usr/bin/webmgnt  
# ... patch the copy ...  
chmod +x /overlay/usr/bin/webmgnt  
  
# Reboot to apply  
reboot 

3. Legacy SSH/SCP Access

SCP Command with Legacy Crypto

scp -O -o KexAlgorithms=+diffie-hellman-group1-sha1 \  
    -o HostKeyAlgorithms=+ssh-rsa \  
    -o MACs=+hmac-sha1,hmac-sha1-96 \  
    ./webmgnt_patched \  
    root@192.168.10.254:/overlay/usr/bin/webmgnt  

Session Management via /cgi-bin/iswifi

Purpose

  • System endpoint for session validation
  • Used by indoor unit and web UI
  • Perfect for automating session management

Response Types

# Valid session:  
Set-Cookie: COMFAST_SESSIONID=<valid_id>; Path=/; Version=1  
  
# Invalid/expired session:  
Set-Cookie: COMFAST_SESSIONID=DELETED; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Version=1

Best Practices

  1. Check session with /cgi-bin/iswifi first
  2. Only attempt login if session is invalid
  3. Store and reuse valid session IDs

Troubleshooting Guide

Common Issues

502 Bad Gateway

Usually indicates:

  • Backend crash
  • Invalid response
  • Incorrect patch
    Check logs at /var/log/messages or via logread

Address Translation

Virtual Address → File Offset

  • Base address: 0x400000 (verify with readelf -l)
  • Formula: file_offset = virtual_address - 0x400000
  • Example: 0x454BC0 - 0x400000 = 0x54BC0

Verification Steps

# Check if overlay is active  
ls -l /usr/sbin/webmgnt  
find /overlay -name webmgnt  
  
# Verify binary integrity  
md5sum /usr/sbin/webmgnt  
md5sum /overlay/usr/sbin/webmgnt

References

#reverse-engineering #embedded #OpenWrt #web-security #MIPS #authentication #RVLink

Wesley Ray · blog · git · resume