TP-Link Easy Smart Switch security question
-
What?
-
Will add about security of this devices…
TL-SG1016DE security of changes value without any authentication.
It from testing of my device… VLAN1 is problem.
Now SG1016DE used only internally. -
Hi guys,
Since TP-Link refused to give me the source code so I decided to take on this issue myself.
Here is how you can hack ( un-member ports on vlan1). I have already tested on the SG108PE (hw version 3) switch and it worked.
1. Setup your vlan configuration as usual
2. Save the config (config.cfg)
3. Open it up with a Hex-editor. Right after the text "Default_VLAN" you will see FF (that's basically means all 8 ports are member of untagged vlan1). Change it to 00 if you want to un-member all ports from vlan1. As shown in the attached picture, I changed it to 80 because I still wanted port 8 to be a member of vlan1 so that I can manage the switch from web-gui.
4. Save the file, restore the modified config in system:system_tools:restore_config
5. Wait for the switch to reboot, goto vlan config, notice that ports belonging to vlan1 are changed.Cheers! I still hope for tp-link to fix this VLAN1 bug one day! This is just a work-around.
-
I'll have to give that a try with my 5 port switch. I don't suppose you'd have a fix for their TL-WA901N access point. ;)
It has the same problem where data from the native LAN leaks into the VLAN & 2nd SSID.I think those TP Link engineers need a lesson or 2 on VLANs.
-
That fix doesn't seem to apply to the TL-SG105E switch.
-
That fix doesn't seem to apply to the TL-SG105E switch.
Were you able to see the port assignment changed in step# 5?
by the way, i saw vlan isolation w/ the work-around solution. The only thing I saw strange was that the switch's IP address is a member of all vlans. If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.
However, the switch is no longer behaving like a dumb switch because ports are removed from vlan1.
-
I will give this a try on 105E v2 tonight when I get home.. Great info.. Thanks.
-
Some analyze information about apply this method to TL-SG1016DE (HW:2)
vlan:777,port: 5tag, name: TESTVVV
777 = 0x0309 (0x09 0x03)
5 = 0x10 (0001 0000) 5 bit.
vlan:777,port: 5untag, name: TESTVVV
777 = 0x0309 (0x09 0x03)
5 = 0x10 (0001 0000) 5 bit.
-
Here is how you can hack ( un-member ports on vlan1). I have already tested on the SG108PE (hw version 3) switch and it worked.
Worked on my TL-SG108E 2.0, thanks!
Why didn't I think of this… ::)
-
Were you able to see the port assignment changed in step# 5?
No, there was very little recognizable text in the hex editor. I did not see the word "Default", as shown in lexxai's post.
The only thing I saw strange was that the switch's IP address is a member of all vlans. If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.
On managed switches I've worked on, there was a specific management interface, which was assigned an IP address. I've also set up networks where the management interface was on a separate VLAN.
-
The only thing I saw strange was that the switch's IP address is a member of all vlans. If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.
On managed switches I've worked on, there was a specific management interface, which was assigned an IP address. I've also set up networks where the management interface was on a separate VLAN.
Even after setting the VLAN 1 membership to port 8 only… I can still connect a client to any switch port, set the IP to the same subnet and then access the switch web login.
So the VLAN 1 has no relevance for web admin access... I guess we can kill all VLAN 1 membership with the HEX hack..!? -
Hmm, well this is interesting. Implies it's a gui limitation only.
The exact string Default_VLAN does not appear in the config from a TL-SG1016DE v1. Not quite the same as the v2 either. Some experimentation needed….
Steve
![Config(1).cfg - GHex_311.png](/public/imported_attachments/1/Config(1).cfg - GHex_311.png)
![Config(1).cfg - GHex_311.png_thumb](/public/imported_attachments/1/Config(1).cfg - GHex_311.png_thumb) -
Even after setting the VLAN 1 membership to port 8 only… I can still connect a client to any switch port, set the IP to the same subnet and then access the switch web login.
So the VLAN 1 has no relevance for web admin access... I guess we can kill all VLAN 1 membership with the HEX hack..!?I saw that too. It looks like the switch (management IP) is a member of all vlans, and that the gui an be accessed from any access-ports. However, the gui can not be accessed on a trunk port (tagged port), unless you configure another vlan w/ the trunk port configured as untagged port. Attached is a picture of my improved config where I ended up removing all ports from vlan1.
Although I can access the swith's management interface on any access-ports (untagged ports), I can not access PCs that belong on another VLAN. Would you please confirm that's what you're seeing too? thanks
-
Hmm, well this is interesting. Implies it's a gui limitation only.
The exact string Default_VLAN does not appear in the config from a TL-SG1016DE v1. Not quite the same as the v2 either. Some experimentation needed….
Steve
yeah, keep on working at it. I'd create one vlan (ie. vlan 2) with all ports as untagged member, save the config. Then generate a second config with the last port removed from the vlan. Diff the two files ie:
hexdump -C config.cfg.original > /tmp/config.cfg.original.hex # vlan2 w/ all ports
hexdump -C config.cfg > /tmp/config.cfg.hex # vlan2 w/ all ports but the last portdiff -urN /tmp/config.cfg.original.hex /tmp/config.cfg.hex
Then you would have a good idea where the vlan config token is set.
-
Sg108E: at least in GUI I deleted default vlan 1.
![2017-11-12 16.50.09.jpg](/public/imported_attachments/1/2017-11-12 16.50.09.jpg)
![2017-11-12 16.50.09.jpg_thumb](/public/imported_attachments/1/2017-11-12 16.50.09.jpg_thumb)
-
Seems to have some file validation/checksum that prevents uploading a modified file…. no one else seeing that? I'd be surprised if they actually removed that from the v2.
Steve
-
Tested and NO checksum for:
Firmware Version 1.0.2 Build 20160526 Rel.34615
Hardware Version TL-SG108E 2.0 -
Hmm, using:
Firmware Version 1.0.1 Build 20131023 Rel.33236
Hardware Version TL-SG1016DE 1.0Refuses any edited config
Invalid config file! Please double check!
Yet lexxai seems to be good on his 1016DEv2….
Steve
-
Check if there's a checksum or such yourself?
a) save config_1
b) change something small like hostname one character from lower to upper case. Don't change length.
c) save config_2
d) diff config_1 and config_2e) report result.
-
Speculating….
The things that change other than the config change are the password seems to be re-hashed and stored twice. And at the begging of the file there is a 16bit value that changes. I'd bet that's a 16bit checksum but of what exactly I'm not sure. Or what algorithm... Not found a match so far.
Steve