Message-ID: <cb00a2b5-d4cf-7515-3b4d-c78888954470@aklaus.ca>
Date: Sun, 9 Jun 2019 12:28:39 -0600
From: Andrew Klaus <andrew@...aus.ca>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2018-15557] Telus Actiontec WEB6000Q Remote Privilege Escalation
### Device Details
Discovered By: Andrew Klaus (andrew@...aus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: CVE-2018-15557
### Summary of Findings
Two instances of Linux run on the WEB6000Q. One is the "main" instance
that runs the web management server, TR-069 daemon, etc., while the
other is the "quantenna" management OS used to manage the wireless.
A host on the same layer 2 network that is configured with a hardcoded
IP address in the 169.254.1.0/24 network can obtain root telnet access
to the "quantenna" management environment at:
Host: 169.254.1.2
Port: 23
Login: root (no password prompted)
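
A defender-side check for the access path described above, as an added example that is not part of the original advisory: it reviews LAN flow records for telnet aimed at 169.254.1.2 and for hosts using the 169.254.1.0/24 subnet. The record format, the MAC addresses, the sample data and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

MGMT_NET = ipaddress.ip_network("169.254.1.0/24")  # subnet named in the advisory
MGMT_HOST = ipaddress.ip_address("169.254.1.2")    # "quantenna" OS address from the advisory
TELNET_PORT = 23

# Constructed sample flow records (hypothetical export format):
# time,src_mac,src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
2019-06-09T12:00:01,aa:bb:cc:00:00:01,192.168.1.50,192.168.1.254,tcp,443
2019-06-09T12:00:07,aa:bb:cc:00:00:02,169.254.1.77,169.254.1.2,tcp,23
2019-06-09T12:00:09,aa:bb:cc:00:00:03,169.254.1.140,224.0.0.251,udp,5353
2019-06-09T12:00:12,aa:bb:cc:00:00:04,192.168.1.60,169.254.1.2,tcp,23
2019-06-09T12:00:15,not-a-valid,record
"""

def classify(src_ip, dst_ip, proto, dst_port):
    """Return 'high', 'low' or None for one flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst == MGMT_HOST and proto == "tcp" and dst_port == TELNET_PORT:
        return "high"  # telnet aimed at the wireless management OS
    if src in MGMT_NET or dst in MGMT_NET:
        return "low"   # link-local autoconfiguration (RFC 3927) can also land here
    return None

def scan(text, device_macs=frozenset()):
    """Return (severity, time, src_mac, src_ip) for flows worth reviewing.

    device_macs: lowercase MACs of the router's own internal interfaces,
    whose traffic on the management subnet is expected.
    """
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip malformed records
        time, mac, src_ip, dst_ip, proto, port = row
        if mac.lower() in device_macs:
            continue
        try:
            sev = classify(src_ip, dst_ip, proto.lower(), int(port))
        except ValueError:
            continue  # unparsable address or port
        if sev:
            findings.append((sev, time, mac, src_ip))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(*finding)
```

A "low" finding on its own can be a client that fell back to a link-local address after DHCP failed, so it is worth correlating with a "high" finding from the same MAC before acting on it.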