ActionTec T2200H Router Web UI Command Injection and Root Privilege Escalation Analysis

Critical Vulnerability Information Device Details Vendor: ActionTec (Telus brand, but may apply to similar models) Model: T2200H Affected Firmware: T2200H-31.128L.03 Device Manual: http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf Discovery Summary Report Date: November 2015 Status: Fixed (via newly released firmware update) CVE ID: Not provided (as the issue was resolved through vendor-pushed updates) Vulnerability Details Obtaining root shell: An attacker only needs login access to the device’s web UI. By using the device’s serial number, they can reset a known password (assuming the default password has not been changed). Modifiable firmware partitions: Two firmware partitions are readable/writable and modifiable ( and ), which can be used for firmware upgrades, saving system state, and preventing network provisioning reports from expiring. TR-069 settings: Can be modified to disable checking with the management system, meaning future updates cannot be received without reflashing the device. Exploitation Methods Executing a single command shell: - In the “Advanced Setup > Samba Configuration” section, enter in both the “Username” and “Password” fields. - Connect via USB using and execute commands through Windows CMD. Obtaining reverse root shell: - Use Python code to create a FIFO pipe, leveraging and to send a shell back to a listening netcat instance on the attacker’s machine. Steps include: 1. Set up a netcat listener locally. 2. After a user successfully logs in via the web UI, execute the Python code to trigger the reverse shell. Other Findings: - The root filesystem and partition 2 can be mounted and read/written. - By modifying and , an attacker can bypass web access restrictions, enable telnet, and allow modification of firmware flash and TR-069 settings, among other options.

Goal Reached Thanks to every supporter — we hit 100%!

ActionTec T2200H Router Web UI Command Injection and Root Privilege Escalation Analysis

More from this source