My ISP sent over a new DOCSIS/router box.
Of course the software on this new device piqued my interest.
They call it “Vodafone Docsis 3.1”, of course it’s some ODM device they rebranded. It’s running firmware version “01.02.068.10.EURO.SIP”.
Edit: I’m fairly certain the device is called Arris VodafoneStation TG344DE. The Intel SoC is called Puma.
I can tell the firmware is still very much in flux by the amount of changes in the Web UI (new features etc.) after the upgrade.
It has this neat about page, and before the automatic & mandatory update it even contained a list of all software versions, and on what CPU they are installed. (It actually runs 2 separate Linux instances: one for the modem, one for the router.) The updated about page removed the CPU info, and only shows certain packages with versions.
As usual, I tried the most basic command injection I can find. It has a diagnostics ping/traceroute web interface. Logically, I sent a request using my browser, recorded it using the developer tools, and looked at the data sent. It’s JSON, so it’s easy to modify. The HTTP requests don’t seem to have any “rolling number” that would make sending out-of-order requests harder.
When I sent an address field like “8.8.8.8; nc -lp 1234; #” to test if the address field is properly escaped, I got back a message like this:
{"Data":{"Target":"parameter value failed validation. matching \/^[A-Za-z0-9:.\\-\\\/]+$\/ against 8.8.8.8; nc -lp 1234; #"}}
Isn’t that interesting? We get the regex we try to exploit for free!
I’m not a regex expert, but it looks to me like it allows the characters “A-Z”, “a-z”, “0-9”, “:”, “\”, “/”.
So, my question is: Can anybody craft an address field that passes these checks, but allows “command injection” of some sort?
I’m fairly certain that they use Bash 3.2.48. If they use the busybox ash, it’s from busybox version 1.22.1 or 1.22
(After the upgrade, busybox shows up twice in the list. My guess is that this is because there are 2 busybox installations for the 2 Linux systems in that router; they removed the info about what version ran on what CPU after a firmware upgrade.)
Also, the version of bash seems to be vulnerable to some exploits, but that requires access to an environment variable. Any ideas?
Other, unrelated bits: I’m fairly certain that this device uses an Intel x86-based processor internally for some of its tasks; Intel is mentioned several times in version strings. It even has acpid and powertop installed, and uses systemd for init. The web interface uses PHP Version: 5.4.14. (The older versions seemed to use an even older PHP 3.)
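As an added example (my own code, not part of the post above or of the router's firmware), here is a small Python script that takes the JSON error message quoted in the post, decodes it the way the browser would, and works out exactly which characters the validation regex lets through once the JSON escaping of `\/` and `\\` has been undone. It then shows the hardened shape such a diagnostics handler should have: validate the target as a literal IP address or a well-formed hostname, and hand it to the ping binary as an argv list rather than through a shell, so the regex is no longer the only thing standing between user input and a command line. The `ping -c 1` invocation and the hostname grammar are my assumptions; the sample response is the one from the post.

```python
import ipaddress
import json
import re

# Error response copied from the post above: what the diagnostics endpoint
# returned for the address field "8.8.8.8; nc -lp 1234; #".
SAMPLE_RESPONSE = (
    r'{"Data":{"Target":"parameter value failed validation. '
    r'matching \/^[A-Za-z0-9:.\\-\\\/]+$\/ against 8.8.8.8; nc -lp 1234; #"}}'
)


def extract_regex(response_text: str) -> str:
    """Return the validation regex from the error message without its
    surrounding / delimiters. json.loads() undoes the JSON escaping first,
    so the backslashes that reach the regex engine are the real ones."""
    target = json.loads(response_text)["Data"]["Target"]
    m = re.search(r"matching (.+) against (.+)$", target)
    if not m:
        raise ValueError("no validation regex found in message")
    return m.group(1).strip("/")


def allowed_punctuation(pattern: str) -> str:
    """Non-alphanumeric printable ASCII characters the regex accepts, found
    by testing each character on its own against the full pattern."""
    rx = re.compile(pattern)
    return "".join(
        chr(c) for c in range(32, 127)
        if rx.fullmatch(chr(c)) and not chr(c).isalnum()
    )


def passes_validation(pattern: str, value: str) -> bool:
    """True if the device's regex would accept this address field."""
    return re.fullmatch(pattern, value) is not None


# Hostname label per the usual LDH rule: no leading or trailing hyphen,
# at most 63 characters (assumed grammar for the hardened handler).
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def safe_ping_argv(target: str) -> list:
    """Hardened handler: accept only a literal IP address or a well-formed
    hostname and build an argv list, so no shell ever parses the value."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        labels = target.split(".")
        if not labels or not all(HOSTNAME_LABEL.match(lbl) for lbl in labels):
            raise ValueError(f"rejected target: {target!r}")
    # Pass to subprocess.run(argv) without shell=True.
    return ["ping", "-c", "1", target]


def is_accepted(target: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this target?"""
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pattern = extract_regex(SAMPLE_RESPONSE)
    print("decoded regex:", pattern)
    print("non-alphanumeric characters allowed:", allowed_punctuation(pattern))
    for value in ("8.8.8.8", "8.8.8.8; nc -lp 1234; #", "dns.google"):
        print(f"{value!r}: regex={passes_validation(pattern, value)} "
              f"hardened={is_accepted(value)}")
```

Running it prints the decoded pattern `^[A-Za-z0-9:.\-\/]+$` and the allowed punctuation `-./:`; the semicolons and spaces of the injection attempt are rejected by both checks, while the hardened handler additionally refuses anything that is not an address at all, independent of what the shell would do with it.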