Telus Actiontec WEB6000Q Privilege Escalation

2019.06.13
Credit: Andrew Klaus
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ### Device Details Discovered By: Andrew Klaus (andrew@aklaus.ca) Vendor: Actiontec (Telus Branded) Model: WEB6000Q Affected Firmware: 1.1.02.22 Reported: July 2018 CVE: CVE-2018-15555 (Main OS) CVE: CVE-2018-15556 (Quantenna OS) ### Summary of Findings Both “main” and “quantenna” have a UART header on the motherboard and each of them provide full shell + bootloader access. While the main OS has the credentials user: root pass: admin, the quantenna environment can be accessed with user: root with an empty password. I used a Raspberry Pi to interface with the UART header, but there are USB UART adapters to do the same thing. Once root access is obtained, TR-069 Updating can be fully disabled, preventing the vendor from pushing updates to the device. ### Proof of Concept Hooking up a Raspberry Pi's UART GPIO header to either UART header on the modem will give a login prompt. root/admin or root/(nopass) depending on which modem header connected to. ### Enabling SSH daemon on Main OS After retrieving a root shell on the main OS over UART, SSH can be enabled by running the following: # cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1 iptables -A INPUT -p tcp --dport 22 -j ACCEPT dropbear -p 22 -I 1800 & $ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.2's password: BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash) Enter 'help' for a list of built-in commands. # -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ fpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI J9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI rrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq MUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp WH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX 6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU O8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h ebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj P2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0 ogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN jlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU= =POu3 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ### Device Details Discovered By: Andrew Klaus (andrew@aklaus.ca) Vendor: Actiontec (Telus Branded) Model: WEB6000Q Affected Firmware: 1.1.02.22 Reported: July 2018 CVE: CVE-2018-15557 ### Summary of Findings Two instances of Linux run on the WEB6000Q. One is the “main” instance that runs the web management server, TR-069 daemon, etc., while the other is the "quantenna" management OS used to manage the wireless. By hardcoding an IP address in the 169.254.1.0/24 network, and being on the same layer 2 network, root telnet access can be obtained on the "quantenna" management environment by accessing: Host: 169.254.1.2 Port: 23 Login: root (no password prompted) -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T9cACgkQoyRid8jQ fpmyiw/+IOKANwITYMPOlXmvq4cY2ma8n5ckyeaLs2sEMTUM4OLg9Fnv7bqHxRs9 ++/sU7QPPjtMVhGIoehWqJgQp96zIV/x/JDxNlVvHn2IbYtOgSQOJ0uCxDvU7Tf5 khAmBtUSHMDq5qBlmPZxOUHnEEDjdx38OBt11Z9/yrSso5eJaXVsYs2SsEuLCzOq xH0VXi278VSx0mDVsAPT6GvAyYja+S23M49dhW48knQ9yBCt17Lhe1C04vcUNme0 GZQUUHKLBJl03mUgt91/pcRfqN+MlUMyyQiyi7w1fPQpTWONIArUM26XV+P9oLNu T08sh1vaAdaXim1AHpSURXX24TEsIYLW0Tb9SQVPMl1UZDcNq0ub9AdoAUuuXBWv nQ3jTCKlosH3GsIau1S3hlI8hoDF3li5e+bwt62JcqhI13pY1ZdcqZ+DHcbSGLN1 PW/CjPJxw05vamYzyZSgqS/FUlflzhboFp2s2/7XG8lBvt+pTQql5aYcxdcaZ1Sq TAGEXC3Kdb4BEQlqWuJNAlZWxeN6fhewb8IPDEJhdUZr2rGF9/1rmd3FlbwC6K2u 10o0lGrXVZ3hDnewwrBFNjLgvUj/nUtVlElkk1x/rsQnqDtnuKC4sS6xq9VO27Yo tW4gSB5LSjUcMVJyc0YbLjtYtd0mYem7l0dHjpnuqXst94GrHlk= =KDej -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top