Full Disclosure mailing list archives
[CVE-2018-15555 / 15556] Telus Actiontec WEB6000Q Local Privilege Escalation
From: Andrew Klaus <andrew () aklaus ca>
Date: Sun, 9 Jun 2019 12:27:39 -0600
### Device Details

Discovered By: Andrew Klaus (andrew () aklaus ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)

### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard, and each of them provides full shell + bootloader access. While the main OS has the credentials user: root pass: admin, the quantenna environment can be accessed with user: root with an empty password.

I used a Raspberry Pi to interface with the UART header, but there are USB UART adapters to do the same thing.

Once root access is obtained, TR-069 Updating can be fully disabled, preventing the vendor from pushing updates to the device.

### Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on the modem will give a login prompt: root/admin or root/(nopass), depending on which modem header is connected to.

### Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be enabled by running the following:

    # cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    dropbear -p 22 -I 1800 &

    $ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
    admin@192.168.1.2's password:

    BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    #
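The advisory notes that once root is obtained, the TR-069 client can be disabled so the vendor can no longer push updates. From the operator side, a device whose TR-069 client has been switched off simply stops sending its periodic Inform to the ACS, so one way to notice it is to look for devices that have missed their expected check-ins. The script below is an added example, not code from the advisory or the vendor: it parses a constructed ACS log format (real ACS logs differ) and flags serials that have missed two consecutive periodic Informs. The one-hour interval is an assumed PeriodicInformInterval.

```python
"""Flag CPE devices whose TR-069 periodic Inform has gone silent.

Added example, not part of the advisory. The log format and the
PeriodicInformInterval below are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed sample ACS log lines: timestamp, event, CPE serial, model.
# Device ...-0002 checks in once and is then never heard from again.
SAMPLE_ACS_LOG = """\
2019-06-09T10:00:05Z INFORM serial=WEB6000Q-0001 model=WEB6000Q
2019-06-09T10:00:07Z INFORM serial=WEB6000Q-0002 model=WEB6000Q
2019-06-09T10:00:09Z INFORM serial=WEB6000Q-0003 model=WEB6000Q
2019-06-09T11:00:05Z INFORM serial=WEB6000Q-0001 model=WEB6000Q
2019-06-09T11:00:09Z INFORM serial=WEB6000Q-0003 model=WEB6000Q
2019-06-09T12:00:06Z INFORM serial=WEB6000Q-0001 model=WEB6000Q
2019-06-09T12:00:08Z INFORM serial=WEB6000Q-0003 model=WEB6000Q
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
PERIODIC_INFORM_INTERVAL = timedelta(hours=1)   # assumed ACS setting


def parse_acs_log(text):
    """Return {serial: datetime of most recent Inform} from the constructed log format."""
    last_seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "INFORM":
            continue                      # ignore other ACS events / malformed lines
        ts = datetime.strptime(parts[0], TIME_FMT)
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        serial = fields.get("serial")
        if serial and (serial not in last_seen or ts > last_seen[serial]):
            last_seen[serial] = ts
    return last_seen


def silent_devices(last_seen, now, interval=PERIODIC_INFORM_INTERVAL, missed=2):
    """Serials that have missed at least `missed` periodic Informs as of `now`.

    `now` may be a datetime or a timestamp string in the log's format.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    cutoff = now - interval * missed
    return sorted(serial for serial, ts in last_seen.items() if ts < cutoff)


if __name__ == "__main__":
    seen = parse_acs_log(SAMPLE_ACS_LOG)
    for serial in silent_devices(seen, "2019-06-09T12:30:00Z"):
        # Silence alone is not proof of tampering (power loss, line faults),
        # but it is the signal to inspect the device's TR-069 client state.
        print(f"{serial}: last Inform {seen[serial]:%Y-%m-%dT%H:%MZ}, missed check-ins")
```

Run against the constructed log with a "now" of 12:30, only WEB6000Q-0002 is reported; a device that went quiet because of an outage will show up the same way, so the alert is a trigger for inspection rather than a verdict.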
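The SSH-enabling steps above leave a recognisable footprint on the main OS: an INPUT-chain ACCEPT rule for 22/tcp and a dropbear process bound to port 22. The script below is an added example (not from the advisory or the vendor) that audits captured `iptables -S INPUT` and BusyBox `ps` output for exactly that footprint; it is meant to run on an analyst's host over text collected from the device console, and both sample outputs are constructed, so real output will vary by firmware. The vendor `cli` setting is not checked here because the advisory only shows how it is set, not how it is read back.

```python
"""Audit captured device output for the SSH-enablement footprint in the advisory.

Added example, not part of the advisory. Input is text captured from the
device (`iptables -S INPUT` and `ps`); the samples below are constructed.
"""

# Constructed `iptables -S INPUT` output. iptables normalises the advisory's
# `-A INPUT -p tcp --dport 22 -j ACCEPT` to the form on the last line.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed BusyBox `ps` output with the advisory's dropbear invocation.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1412 S    init
  611 root      2216 S    httpd
  930 root      3120 S    dropbear -p 22 -I 1800
"""

SSH_PORT = 22


def arg_after(tokens, flag):
    """Value following `flag` in an argv-style token list, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def accept_rules_for_port(iptables_s, port=SSH_PORT, chain="INPUT"):
    """Rules in `chain` (from `iptables -S`) that ACCEPT TCP traffic to `port`."""
    hits = []
    for line in iptables_s.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue                      # only appended rules in the chain of interest
        if (arg_after(tokens, "-p") == "tcp"
                and arg_after(tokens, "--dport") == str(port)
                and arg_after(tokens, "-j") == "ACCEPT"):
            hits.append(line.strip())
    return hits


def ssh_listeners(ps_output, port=SSH_PORT):
    """(pid, command) for dropbear processes bound to `port` in BusyBox `ps` output."""
    found = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)                  # PID USER VSZ STAT COMMAND
        if len(parts) < 5:
            continue
        pid, cmd = parts[0], parts[4]
        argv = cmd.split()
        if argv and argv[0].rsplit("/", 1)[-1] == "dropbear":
            bound = arg_after(argv, "-p") or str(SSH_PORT)   # dropbear defaults to 22
            if bound.rsplit(":", 1)[-1] == str(port):        # -p may be [addr:]port
                found.append((int(pid), cmd))
    return found


def audit(iptables_s, ps_output):
    """Combine both checks into a list of findings (empty list means nothing found)."""
    findings = []
    for rule in accept_rules_for_port(iptables_s):
        findings.append(f"INPUT chain accepts {SSH_PORT}/tcp: {rule}")
    for pid, cmd in ssh_listeners(ps_output):
        findings.append(f"dropbear listening on {SSH_PORT}/tcp (pid {pid}): {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPTABLES, SAMPLE_PS) or ["no SSH-enablement footprint found"]:
        print(finding)
```

Both checks are needed: the iptables rule survives a dropbear restart and the dropbear process survives a flushed firewall, so either one alone would miss a partially cleaned-up device. The process check also tolerates a full path to the binary and an `address:port` form of `-p`.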