exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Telus Actiontec WEB6000Q Privilege Escalation

Telus Actiontec WEB6000Q Privilege Escalation
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from both local and remote privilege escalation vulnerabilities.

tags | exploit, remote, local, vulnerability
advisories | CVE-2018-15555, CVE-2018-15556, CVE-2018-15557
SHA-256 | 4603e04a98825c83c6631a84067f20ea7105aa334aa5ff03f9006cfcabc325ec

Telus Actiontec WEB6000Q Privilege Escalation

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15555 (Main OS)
CVE: CVE-2018-15556 (Quantenna OS)


### Summary of Findings

Both “main” and “quantenna” have a UART header on the motherboard and
each of them provide full shell + bootloader access.

While the main OS has the credentials user: root pass: admin, the
quantenna environment can be accessed with user: root with an empty
password.

I used a Raspberry Pi to interface with the UART header, but there are
USB UART adapters to do the same thing.

Once root access is obtained, TR-069 Updating can be fully disabled,
preventing the vendor from pushing updates to the device.


### Proof of Concept

Hooking up a Raspberry Pi's UART GPIO header to either UART header on
the modem will give a login prompt. root/admin or root/(nopass)
depending on which modem header connected to.


### Enabling SSH daemon on Main OS

After retrieving a root shell on the main OS over UART, SSH can be
enabled by running the following:

# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
dropbear -p 22 -I 1800 &


$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1
admin@192.168.1.2's password:

BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#








-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T5sACgkQoyRid8jQ
fpnL1BAAi+Bu1xcK9thQ0AHqamY7DZ4qkP3dhFVUtW5q3hoJ4T3GOLTj/9RJLaOI
J9FMvSMNAnTKtBcbTx4uvokRAbGLZEUPG1uk0Qu9wmC8tPliU0qHTCfU0vF2dFCI
rrhmpaJhu4Y/AEIpjZXg1/5p5hIAQn5DfNUwu6p5VbDlRbktu5UELcFtvgnVi7Jq
MUmNvPjbbxwfWlopb3kXASOh1SFLwe77AwmQmLQtIDknAyf2Ri9xfpf2wMGPqDTp
WH3SzNCE+HkpHH8omSgnX+yA51KeGipUXWao3UnGvqdHp02TFz5OZIHhgzLk2AfX
6k78qy44DMegaUld9KQeW4OeVESxQqVu9goIjbRMIIlLKRsvz1BwTM+wBu74z2vU
O8i1mzAPqloc8iIoIzLiu1dGzYTii4et6YMTq5GJiXL3PCTOJ8MR1/mxeebQwn9h
ebsmkn0I06ruR37apz0WGBx0p7t158Pjzc954JoMLubQO8Isk/2G02wcekLLXjVj
P2jxoJlnRplum7pKNQbfhAJ6VrGiyB9HY6VAarseqZzFLYJiL6u15EooKScVAg/0
ogZz/3G4m8yVZ37nnz64GNqZu/i18IRoPRGGfeYN/smKFhsKNtbw1JSWHk6VPTbN
jlJLOXvQ9149zFlmJJHCxKiQ3FHvghgfgoi9W5J0Lg4Q+lqIriU=
=POu3
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22

Reported: July 2018
CVE: CVE-2018-15557


### Summary of Findings

Two instances of Linux run on the WEB6000Q. One is the “main” instance
that runs the web management server, TR-069 daemon, etc., while the
other is the "quantenna" management OS used to manage the wireless.

By hardcoding an IP address in the 169.254.1.0/24 network, and being on
the same layer 2 network, root telnet access can be obtained on the
"quantenna" management environment by accessing:

Host: 169.254.1.2
Port: 23
Login: root (no password prompted)


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T9cACgkQoyRid8jQ
fpmyiw/+IOKANwITYMPOlXmvq4cY2ma8n5ckyeaLs2sEMTUM4OLg9Fnv7bqHxRs9
++/sU7QPPjtMVhGIoehWqJgQp96zIV/x/JDxNlVvHn2IbYtOgSQOJ0uCxDvU7Tf5
khAmBtUSHMDq5qBlmPZxOUHnEEDjdx38OBt11Z9/yrSso5eJaXVsYs2SsEuLCzOq
xH0VXi278VSx0mDVsAPT6GvAyYja+S23M49dhW48knQ9yBCt17Lhe1C04vcUNme0
GZQUUHKLBJl03mUgt91/pcRfqN+MlUMyyQiyi7w1fPQpTWONIArUM26XV+P9oLNu
T08sh1vaAdaXim1AHpSURXX24TEsIYLW0Tb9SQVPMl1UZDcNq0ub9AdoAUuuXBWv
nQ3jTCKlosH3GsIau1S3hlI8hoDF3li5e+bwt62JcqhI13pY1ZdcqZ+DHcbSGLN1
PW/CjPJxw05vamYzyZSgqS/FUlflzhboFp2s2/7XG8lBvt+pTQql5aYcxdcaZ1Sq
TAGEXC3Kdb4BEQlqWuJNAlZWxeN6fhewb8IPDEJhdUZr2rGF9/1rmd3FlbwC6K2u
10o0lGrXVZ3hDnewwrBFNjLgvUj/nUtVlElkk1x/rsQnqDtnuKC4sS6xq9VO27Yo
tW4gSB5LSjUcMVJyc0YbLjtYtd0mYem7l0dHjpnuqXst94GrHlk=
=KDej
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close