TP-Link Device Weirdness

TP-Link Device Weirdness

I recently started using a TP-Link C7 router to host a guest network at my house. I typically avoid consumer/prosumer gear for my network, sticking to either whitebox (homemade) or older enterprise gear. Alas, the price was right ($0). Every time I do encounter one of these devices I always manage to find something fun and interesting to poke…

Bad SSH server

First red flag was the sshd server running on this router.

noah@box ~ $ ssh 192.168.x.y

Unable to negotiate with UNKNOWN port 65535: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

My system runs OpenSSH_8.4p1 which is quite new, but no brand new device should ask for sha1 ciphers!!

Being stubborn, I tried to finesse the sshd just a little…

$ ssh -T -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@x.x.x.x
shell request failed on channel 0

D’oh. Must have the shell set to /bin/false to stop people like me from tampering with it…

Annoying discovery service

After a couple days sitting on my network I discovered some spammy logs coming from my firewall:

Oct 22 18:26:48 fw kernel: [427797.807835] IN=ens2 OUT= MAC=ff:ff:ff:ff:ff:ff:d8:47:32:a0:b2:89:08:00 SRC=x.x.x.x DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56307 DPT=7437 LEN=181

Some service on that system is attempting to connect to UDP port 7437. Strange.

Digging in a little deeper, I ran

noah@fw:~$ sudo tcpdump -i eth2 port 7437 -vXX

18:16:58.266688 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 201)
    x.x.x.x.56307 > 255.255.255.255.7437: [udp sum ok] UDP, length 173
        0x0000:  ffff ffff ffff d847 32a0 b289 0800 4500  .......G2.....E.
        0x0010:  00c9 0000 4000 4011 1b4e 0acd 140a ffff  ....@.@..N......
        0x0020:  ffff dbf3 1d0d 00b5 2eea 4b41 4e4e 4f55  ..........KANNOU
        0x0030:  254e 0000 0000 00d8 4732 a0b2 8941 7263  %N......G2...Arc
        0x0040:  6865 7220 4337 2020 2000 0000 0041 7263  her.C7.......Arc
        0x0050:  6865 7220 4337 2020 2000 0000 0000 0000  her.C7..........
        0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0080:  0031 2e30 322e 3639 0000 0000 0000 0000  .1.02.69........
        0x0090:  0000 0000 0000 0001 0000 0001 0000 0002  ................
        0x00a0:  0000 0002 0000 0000 0000 0000 0000 0000  ................
        0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x00d0:  0000 0000 0000 00                        .......

Not sure exactly what’s going on here, but the device is broadcasting these pings every ~3 seconds.

The only info I can find on the net is that that port is registered to ‘Faximum’, notably a web service documented two decades ago: http://www.faximum.com/fms/docs/fms-ch3-46.html

It’s very likely that it’s a config assistant utility that uses this for autodiscovery. Since I can’t ssh into the box and disable things properly, I’ll just have to ignore it…

If anybody finds out how to root this device please send me the formula!