exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Teltonika RUT9XX Missing Access Control To UART Root Terminal

Teltonika RUT9XX Missing Access Control To UART Root Terminal
Posted Oct 12, 2018
Authored by David Gnedt | Site sba-research.org

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.

tags | exploit, arbitrary, root
advisories | CVE-2018-17534
SHA-256 | e9d45ff879f8d592742af5d9401af535a0057ffab7ca2663e9027078fd59edd6

Teltonika RUT9XX Missing Access Control To UART Root Terminal

Change Mirror Download
# Teltonika RUT9XX Missing Access Control to UART Root Terminal #

Link: https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319-02_Teltonika_Incorrect_Access_Control

## Vulnerability Overview ##

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root
terminal on a serial interface without proper access control. This
allows attackers with physical access to execute arbitrary commands
with root privileges.

* **Identifier** : SBA-ADV-20180319-02
* **Type of Vulnerability** : Incorrect Access Control
* **Software/Product Name** : [Teltonika RUT955](https://teltonika.lt/product/rut955/)
* **Vendor** : [Teltonika](https://teltonika.lt/)
* **Affected Versions** : Firmware RUT9XX_R_00.04.199 and probably prior,
newer firmware versions if settings were not cleared
* **Fixed in Version** : RUT9XX_R_00.04.233
* **CVE ID** : CVE-2018-17534
* **CVSSv3 Vector** : CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVSSv3 Base Score** : 6.8 (Medium)

## Vendor Description ##

> RUT955 is a highly reliable and secure LTE router with I/O, GNSS and
> RS232/RS485 for professional applications. Router delivers high
> performance, mission-critical cellular communication and GPS location
> capabilities.

Source: <https://teltonika.lt/product/rut955/>

## Impact ##

An attacker with physical access can fully compromise the device, by
exploiting the vulnerabilities documented in this advisory. Sensitive
data stored or transmitted via the device might get exposed through
this attack.

We recommend upgrading to version RUT9XX_R_00.04.233 or newer, which
includes fixes for the vulnerability described in this advisory.
It is important to clear all settings during upgrade, for example, by
disabling the "Keep all settings" checkbox while upgrading via the
webinterface. Otherwise, newer firmware versions remain vulnerable.

## Vulnerability Description ##

RUT9XX routers provide a UART/serial interface on two pins of an
internal card-edge connector.

* RX: Pin 1 - Rectangle-like pin on the top-side (CPU side)
* TX: Pin 8 - Rectangle-like pin on the bottom-side

The UART interface uses TTL-level and a baud rate of 115200. It
provides log output and a root terminal without proper access control.

## Proof-of-Concept ##

Our test device with firmware RUT9XX_R_00.04.172 provided the following
log output during boot and after hitting the ENTER key:

```text
***************************************
* U-Boot 3.0.1 2017-02-15 *
***************************************

BOARD: Teltonika RUT9XX
RAM: 128 MB DDR2 32-bit CL3-4-4-10
FLASH: 16 MB Winbond W25Q128
CLOCKS: CPU/RAM/AHB/SPI/REF
550/400/200/ 25/ 40 MHz

Hit any key to stop booting: 0

Booting image from 0x9F040000...

Vendor/image name: Teltonika RUT9xx
Hardware ID: 0x35000001
Whole image size: 15.5 MB (16252928 bytes)
Kernel size: 1.1 MB (1191732 bytes)
Rootfs size: 9.7 MB (10170504 bytes)
Kernel load address: 0x80060000
Kernel entry point: 0x80060000

Header CRC... skipped
Data CRC... skipped

Stopping network... OK!
Uncompressing Kernel... OK!
Starting kernel...

[ 0.000000] Linux version 3.18.44 (simonas@Teltonika-I3) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r40569) ) #1 Tue Apr 10 15:23:49 EEST 2018
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[ 0.000000] SoC: Atheros AR9344 rev 3
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[ 20.140000] usb 1-1.3: new high-speed USB device number 4 using ehci-platform
[ 20.280000] option 1-1.3:1.0: GSM modem (1-port) converter detected
[ 20.280000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB1
[ 20.290000] option 1-1.3:1.1: GSM modem (1-port) converter detected
[ 20.300000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB2
[ 20.310000] option 1-1.3:1.2: GSM modem (1-port) converter detected
[ 20.310000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB3
[ 20.320000] option 1-1.3:1.3: GSM modem (1-port) converter detected
[ 20.330000] usb 1-1.3: GSM modem (1-port) converter now attached to ttyUSB4
[ 20.360000] qmi_wwan 1-1.3:1.4: cdc-wdm0: USB WDM device
[ 20.360000] qmi_wwan 1-1.3:1.4: Quectel EC21&EC25&EC20 R2.0 work on RawIP mode
[ 20.370000] qmi_wwan 1-1.3:1.4 wwan0: register 'qmi_wwan' at usb-ehci-platform-1.3, WWAN/QMI device, xx:xx:xx:xx:xx:xx
[ 22.280000] jffs2: notice: (1498) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 26.220000] device eth0 entered promiscuous mode
[ 28.520000] eth0: link up (1000Mbps/Full duplex)
[ 28.520000] br-lan: port 1(eth0) entered forwarding state
[ 28.530000] br-lan: port 1(eth0) entered forwarding state
[ 30.530000] br-lan: port 1(eth0) entered forwarding state
[ 33.220000] Ports leds ON
procd: - init complete -



BusyBox v1.24.2 () built-in shell (ash)

____ _ ___ ____ _(_)_
| _ \ _ _| |_ / _ \/ ___| (_)@(_)
| |_) | | | | __| | | \___ \ /(_)
| _ <| |_| | |_| |_| |___) | \|/
|_| \_\\__,_|\__|\___/|____/ \|/

Teltonika RUT9XX 2014 - 2018

root@router:/# id
uid=0(root) gid=0(root)
root@router:/#
```

## Timeline ##

* `2018-03-19` identification of vulnerability in version RUT9XX_R_00.04.84
* `2018-04-10` re-test of version RUT9XX_R_00.04.161
* `2018-04-16` re-test of version RUT9XX_R_00.04.172
* `2018-04-16` initial vendor contact through public address
* `2018-04-18` vendor response with security contact
* `2018-04-19` disclosed vulnerability to vendor security contact
* `2018-04-26` vendor released fix in version RUT9XX_R_00.04.233
* `2018-07-09` notify vendor about incomplete fix
* `2018-07-25` notify vendor about incomplete fix
* `2018-09-25` request CVE from MITRE
* `2018-09-26` MITRE assigned CVE-2018-17534
* `2018-09-26` notify vendor about incomplete fix
* `2018-10-03` vendor stated that clearing of settings is required
* `2018-10-10` re-test of version RUT9XX_R_00.04.233
* `2018-10-11` public disclosure

## References ##

* Firmware Changelog: <https://wiki.teltonika.lt/index.php?title=RUT9xx_Firmware>

## Credits ##

* David Gnedt ([SBA Research](https://www.sba-research.org/))

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close