PHM

  • Welcome to my blog!
  • Setting up MeshCentral on a Synology NAS using reverse proxy.

    I’ve been using MeshCentral for a couple of weeks and I am very impressed: the agent is very small and it works well. I initially set it up on an Ubuntu machine following their instructions, but I thought it would be handy to run it on my NAS drive as that is running all the time.

    I’ve configured this with Docker-Compose but I’m sure there are probably easier ways to accomplish the same thing.

    Installing Docker

    First we need to install Docker on the NAS, which is relatively straightforward: go to Package Center, search for Docker and click Install.

    Creating the required files

    I created the two files from the MeshCentral Docker GitHub page here; my files are below.

    .env file

    NODE_ENV=production
    HOSTNAME=meshcentral.phm.pw
    USE_MONGODB=false
    # set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy 
    REVERSE_PROXY=true
    REVERSE_PROXY_TLS_PORT=443
    IFRAME=false
    ALLOW_NEW_ACCOUNTS=false
    WEBRTC=true
    ALLOWPLUGINS=false
    LOCALSESSIONRECORDING=false
    MINIFY=true
     

    docker-compose.yml

    version: "3"
    services:
     
      meshcentral:
        restart: always
        container_name: meshcentral
        hostname: meshcentral
        # use the official meshcentral container
        image: ghcr.io/ylianst/meshcentral:latest
        ports:
          # MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
          - 8086:443
        env_file:
          - .env
        volumes:
          # config.json and other important files live here. A must for data persistence
          - ./meshcentral/data:/opt/meshcentral/meshcentral-data
          # where file uploads for users live
          - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files
          # location for the meshcentral-backups - this should be mounted to an external storage
          - ./meshcentral/backup:/opt/meshcentral/meshcentral-backups
          # location for site customization files
          - ./meshcentral/web:/opt/meshcentral/meshcentral-web

    I then uploaded these two files to the docker folder on the NAS using the File Station app. I also created the folder structure for MeshCentral in the docker folder to match their instructions, as follows:

    | - meshcentral/        # this folder contains the persistent data
      | - data/             # MeshCentral data-files
      | - user_files/       # where file uploads for users live
      | - web/              # location for site customization files
      | - backup/           # location for the meshcentral-backups
    | - .env                # environment file with initial variables
    | - docker-compose.yml

    Enabling SSH access

    To be able to run docker-compose we need SSH access to the NAS; this is enabled in Control Panel / Terminal by enabling SSH.

    Connecting with SSH and starting MeshCentral.

    As I’m using Windows 10, I went to the command prompt and ran the following:

    ssh nasadmin@nasipaddress 
    cd volume1/docker/
    sudo docker-compose up -d
    sudo docker-compose logs meshcentral

    Although docker-compose installed MeshCentral fine, I could see from the logs that I was getting the error “meshcentral | ERROR: Unable to parse /opt/meshcentral/meshcentral-data/config.json.” I quickly looked at the config file in meshcentral/data/config.json and could see that the sessionKey line had got messed up somehow. The easiest thing for me to do was just to edit the file to fix the error; the line appeared as

    "sessionKey": "4aN%oGCwGQ]Q]B[qe[%`WkOwonou"_sessionKey": "MyReallySecretPassword1"U]",

    Not really too sure what happened there, as I did this before and it worked first time; however, I changed the line as follows

    "_sessionKey": "MyReallySecretPassword1",

    The underscore at the start means the key is not used, so MeshCentral will generate a random sessionKey each time it starts.

    That was it: MeshCentral was now accessible from the NAS by going to https://nasname:8086, but I still need to set up the reverse proxy on the NAS to allow connections on port 443 with a proper SSL certificate. If you are happy to leave it on port 8086, you just need to change the line in the config.json file to say

    "aliasPort": 8086,

    so that the agents you deploy know the correct port to use.

    Setting up MeshCentral for Reverse Proxy.

    Firstly we need to stop MeshCentral to edit the config file. From the NAS you can go to the Docker application, then click Containers, Actions and then Stop.

    Or in an SSH session you can type “docker stop meshcentral”

    Then you can either use File Station to download the config.json file from /docker/meshcentral/data, edit it locally and upload it once changed, or use SSH with “sudo vi /volume1/docker/meshcentral/data/config.json”.

    The lines we want to change are

        "TLSOffload": true,
    ...
    
        "certUrl": "meshcentral.phm.pw"

    So the entire config looks like

    {
      "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
      "settings": {
        "plugins":{"enabled": false},
        "_mongoDb": null,
        "cert": "meshcentral.phm.pw",
        "_WANonly": true,
        "_LANonly": true,
        "_sessionKey": "MyReallySecretPassword1",
        "port": 443,
        "_aliasPort": 443,
        "_redirPort": 80,
        "_redirAliasPort": 80,
        "AgentPing": 60,
        "TLSOffload": true,
        "SelfUpdate": false,
        "AllowFraming": false,
        "WebRTC": true
      },
      "domains": {
        "": {
          "_title": "MyServer",
          "_title2": "Servername",
          "minify": true,
          "NewAccounts": false,
          "localSessionRecording": false,
          "_userNameIsEmail": true,
          "certUrl": "meshcentral.phm.pw"
        }
      },
      "_letsencrypt": {
        "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
        "_email": "[email protected]",
        "_names": "myserver.mydomain.com",
        "production": false
      }
    }
    

    Configuring the NAS for reverse proxy.

    On the NAS admin page, we go to Control Panel / Login Portal / Advanced / Reverse Proxy, click Create, and configure as follows

    The first three entries are to allow WebSockets, and the last three let MeshCentral know the real IP address of the clients. MeshCentral suggests a longer timeout, which is set in the Advanced tab.

    Finally, we need to configure the certificate on the NAS. In my case I have my domain name meshcentral.phm.pw pointing at my NAS’s external IP address and have forwarded ports 80 and 443.

    On the NAS we go to Control Panel / Certificates and Add, and enter the following

    Assuming you have the DNS records and port forwarding done correctly, this will get a certificate. Next you need to click Settings and make sure the reverse proxy connection is set to use the correct certificate.

    That should be it. I can now connect to https://meshcentral.phm.pw, which is passed through to my Docker container and works.

    Good luck! The last part of this blog was written very quickly, so please comment below if you notice any errors or something is not working for you.

    February 17, 2023
  • Hacking a Yealink device autoprovisioned for BT Voice

    The Background

    TL;DR straight to the ridiculously easy hack

    Recently we upgraded our phone system, BT supplied us with some shiny Yealink T48G phones.
    These support 16 SIP accounts, and I wanted to add my own personal account as I was going to be using my phone for working from home; it made sense to use just one phone and to get rid of my Obi device.

    The first thing I did when I got the phone was to go to its web page and try logging in. I tried the normal admin username/password combination but it didn’t work; a quick search told me that once the phones had been ‘auto-provisioned’ for BT, the ‘user’ username and password was user/password. This allowed me to log in, but ideally I wanted the admin password. Even without it, though, I was able to gather enough detail to perform a factory reset on the phone and manually configure the BT Voice settings. However, some things didn’t work quite as before; for example the Busy Light List didn’t display and I didn’t know what URI I should set.

    So I set the network port to span mode, fired up Wireshark and started a phone up. I thought that as they contacted BT for configuration, maybe they would transmit the admin password in cleartext or at the very least a config file. No such luck, but I did get the auto-provision URL, which meant that I could now reset a phone to factory settings and set it to automatically configure itself again (I suppose I could have asked BT for this information, but oh well). I thought that by doing this there was more chance the admin password or config file would be transmitted and I’d be able to listen. Again no luck; the traffic was encrypted.

    The next thing I did was to set the log level to 6 (maximum) on the web page and then export the log after a boot. This gave me some details, for example the Busy Light URI, but I wanted more. I tried to ‘provision’ the phone while changing the admin password. Nope. ‘Provisioning’ while exporting the log file every few seconds. Nope. Running out of ideas, I right-clicked the phone’s web page and selected ‘View source’, thinking maybe I’d see something like a secret link to enable telnet. Nope…

    The Details

    Viewing the source, I did however notice the following lines:

    setMenu(allItem);

    if(identity == "admin")
        level = 2;
    else if(identity == "var")
        level = 1;
    else
        level = 0;

    This seemed very strange, as if the web page was just asking: what is your username? If it’s ‘admin’ I’ll give you access to everything. So I started the Chrome console ([Shift] + [Ctrl] + ‘J’), clicked ‘Sources’, selected the ‘Serverlet’ and added a breakpoint at line 313. Refreshing the page then let me change the ‘identity’ variable from ‘user’ to ‘admin’ and boom, full access; it even allows me to change the settings. I said it was ridiculously easy.

    The Conclusion

    Having tried a few complicated ways to get details of the phone settings (nothing too bad), I was thinking of other ways to get in: maybe spoofing a certificate and performing a MitM attack, maybe downloading the firmware and looking for exploits or backdoors, even social engineering and phoning BT saying I was a new engineer and had forgotten the ‘Admin’ password 🙂
    I thought I’d try the obvious and view the source. Anyway, long story short, my conclusion is that I should always try the easy ways first (and Yealink should be embarrassed at how easy it is to get admin privileges on their phone).

    Update (02.05.17)

    The latest firmware appears to address this security issue, in as much as they’ve not made it so obvious; however, the web page still restricts items depending on what user/level you are, so you can get it to display, change and save all items even if you are logged in as a normal user.

    The following shows an example with the latest firmware that BT are currently using (28.80.179.2).

    First, if I log in with the standard user/password account I see the following when I go to Settings.

    Not a lot to choose from there. I then bring up the “Developer Tools” in Chrome, go to ‘Sources’, double-click ‘Serverlet’ and search for level.

    You can see above that they are still restricting things by what level you are, so I set a breakpoint on line 431 (newer firmware works the same, just the line numbers change). I then refresh the page and have to keep pressing ‘F8’ until I get to the settings I want. The first few breaks show, in the local variables, a level and a node, so the following

    means the Dial Plan page will be hidden unless I change the 2 to a 0 and continue. Anyway, after pressing ‘F8’ a few more times I then get to the setting for the page I’m on.

    This one says that the option to export the config is hidden, so I change the level from 2 to 0 and, as I no longer want to change any other settings, I remove the breakpoint and press ‘F8’ again. This then gives me the following web page.

    You can see both the Dial Plan and the option to export the config are now available to me.

    A side note: Yealink have now made it so the service provider can link the MAC address of your phone to their configuration, so if you upgrade your firmware or change some settings they don’t want you to, the next time the phone restarts it will downgrade the firmware to the version the service provider wants to use. To get round this I just created a static route on my router for 184.106.101.50 and set the gateway to 10.0.0.1 (just a random local address I’m not using); this prevents the phone contacting the Yealink service.


    July 16, 2016
