webmgnt
General Info
Authentication Bypass & Patching
Device Info
- Model: MV2400 (COMFAST CF-E5)
- Base: OpenWrt with QCA9531
- Web Stack: nginx 1.4.7 + FastCGI (webmgnt)
- Default Auth: admin:admin
System Context
Key Components
- Web server: nginx/1.4.7 + FastCGI (
webmgntbinary)- Authentication: Hardcoded
admin:admin- Session:
COMFAST_SESSIONIDcookie- CGI routing:
cgi_functionsarray with per-endpoint auth flags
Authentication Logic
Session State Variables
char is_logged_in; // Set after successful login
char authenticated_COMFAST_session_id[90]; // Server's copy of session cookie
time_t authenticated_session_expiration_time; // 10min timeout
### Auth Check Flow
- CGI handlers check "needs-auth" flag in `cgi_functions`
- If flag set (`01 00 00 00`), requires:
- `is_logged_in == 1`
- Valid session cookie match
- Non-expired session
Bypass Strategies
1. Patch CGI Function Auth Flags
Always work in
/overlayfirst!
Patching the wrong offset can brick the web interface
# Example patch command
printf '\x00\x00\00\x00' | dd of=/overlay/usr/sbin/webmgnt bs=1 seek=$((0x54BC0)) conv=notrunc
- Each CGI entry has a 4-byte auth flag
- `01 00 00 00` → requires auth
- `00 00 00 00` → public access
- Remember: Use file offsets, not virtual addresses!
2. Overlay Filesystem Usage
OpenWrt’s overlay system provides safe testing
- Read-only squashfs + writable
/overlay- Changes in
/overlayshadow original files- Easy rollback: delete from
/overlayand reboot
# Create overlay directory structure
mkdir -p /overlay/usr/sbin
# Copy and patch binary
cp /usr/bin/webmgnt /overlay/usr/bin/webmgnt
# ... patch the copy ...
chmod +x /overlay/usr/bin/webmgnt
# Reboot to apply
reboot
3. Legacy SSH/SCP Access
SCP Command with Legacy Crypto
scp -O -o KexAlgorithms=+diffie-hellman-group1-sha1 \
-o HostKeyAlgorithms=+ssh-rsa \
-o MACs=+hmac-sha1,hmac-sha1-96 \
./webmgnt_patched \
root@192.168.10.254:/overlay/usr/bin/webmgnt
Session Management via /cgi-bin/iswifi
Purpose
- System endpoint for session validation
- Used by indoor unit and web UI
- Perfect for automating session management
Response Types
# Valid session:
Set-Cookie: COMFAST_SESSIONID=<valid_id>; Path=/; Version=1
# Invalid/expired session:
Set-Cookie: COMFAST_SESSIONID=DELETED; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Version=1
Best Practices
- Check session with
/cgi-bin/iswififirst - Only attempt login if session is invalid
- Store and reuse valid session IDs
Troubleshooting Guide
Common Issues
502 Bad Gateway
Usually indicates:
- Backend crash
- Invalid response
- Incorrect patch
Check logs at/var/log/messagesor vialogread
Address Translation
Virtual Address → File Offset
- Base address:
0x400000(verify withreadelf -l)- Formula:
file_offset = virtual_address - 0x400000- Example:
0x454BC0 - 0x400000 = 0x54BC0
Verification Steps
# Check if overlay is active
ls -l /usr/sbin/webmgnt
find /overlay -name webmgnt
# Verify binary integrity
md5sum /usr/sbin/webmgnt
md5sum /overlay/usr/sbin/webmgnt
References
#reverse-engineering #embedded #OpenWrt #web-security #MIPS #authentication #RVLink