lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <10595e7f-fefe-bee1-7670-823896cabe93@aklaus.ca>
Date: Sun, 9 Jun 2019 12:27:39 -0600
From: Andrew Klaus <andrew@...aus.ca>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local
 Privilege Escalation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

###  Device Details
Discovered By: Andrew Klaus (andrew@...aus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)


### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard and
each of them provide full shell + bootloader access.

While the main OS has the credentials user: root pass: admin, the
quantenna environment can be accessed with user: root  with an empty
password.

I used a Raspberry Pi to interface with the UART header, but there are
USB UART adapters to do the same thing.

Once root access is obtained, TR-069 Updating can be fully disabled,
preventing the vendor from pushing updates to the device.


### Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on
the modem will give a login prompt. root/admin  or root/(nopass)
depending on which modem header connected to.


### Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be
enabled by running the following:

# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
dropbear -p 22 -I 1800 &


$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
admin@....168.1.2's password:

BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#








-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ
fpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI
J9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI
rrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq
MUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp
WH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX
6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU
O8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h
ebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj
P2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0
ogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN
jlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU=
=POu3
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists