-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
### Device Details  
Discovered By: Andrew Klaus (andrew@aklaus.ca)  
Vendor: Actiontec (Telus Branded)  
Model: WEB6000Q  
Affected Firmware: 1.1.02.22  
  
Reported: July 2018  
CVE: CVE-2018-15555 (Main OS)  
CVE: CVE-2018-15556 (Quantenna OS)  
  
  
### Summary of Findings  
  
Both the “main” and the “quantenna” systems have a UART header on the motherboard,  
and each of them provides full shell and bootloader access.  
  
While the main OS requires the credentials user root, password admin, the  
quantenna environment can be accessed as user root with an empty  
password.  
  
I used a Raspberry Pi to interface with the UART header, but there are  
USB UART adapters to do the same thing.  
  
Once root access is obtained, TR-069 Updating can be fully disabled,  
preventing the vendor from pushing updates to the device.  
  
  
### Proof of Concept  
  
Hooking up a Raspberry Pi's UART GPIO header to either UART header on  
the modem gives a login prompt. The credentials are root/admin or  
root/(no password), depending on which modem header is connected to.  
  
  
### Enabling SSH daemon on Main OS  
  
After retrieving a root shell on the main OS over UART, SSH can be  
enabled by running the following:  
  
# cli -s Device.X_ACTIONTEC_COM_RemoteLogin.Enable int 1  
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT  
# dropbear -p 22 -I 1800 &  
  
  
$ ssh 192.168.1.2 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1  
admin@192.168.1.2's password:  
  
BusyBox v1.17.2 (2016-02-03 21:34:18 PST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
#  
  
  
  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
### Device Details  
Discovered By: Andrew Klaus (andrew@aklaus.ca)  
Vendor: Actiontec (Telus Branded)  
Model: WEB6000Q  
Affected Firmware: 1.1.02.22  
  
Reported: July 2018  
CVE: CVE-2018-15557  
  
  
### Summary of Findings  
  
Two instances of Linux run on the WEB6000Q. One is the “main” instance  
that runs the web management server, TR-069 daemon, etc., while the  
other is the “quantenna” management OS used to manage the wireless.  
  
By statically assigning a host an IP address in the 169.254.1.0/24 network  
while it is on the same layer 2 network as the modem, root telnet access  
to the “quantenna” management environment can be obtained by connecting to:  
  
Host: 169.254.1.2  
Port: 23  
Login: root (no password prompted)  
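As an added, defender-side example that is not part of either advisory, the following Python detection logic flags flow records that reach the two management services described in these advisories: the dropbear SSH daemon on the main OS at 192.168.1.2:22 (which only listens once it has been started from a root shell, as shown in the first advisory) and the Quantenna telnet service at 169.254.1.2:23. The flow-record format and the sample lines are constructed; the addresses and ports come from the advisories.

```python
import ipaddress
import re

# Constructed sample of firewall/conntrack-style flow records; not from the advisory.
SAMPLE_FLOWS = """\
2018-07-10T09:12:01 proto=tcp src=192.168.1.50 dst=192.168.1.2 dport=80
2018-07-10T09:12:07 proto=tcp src=192.168.1.50 dst=169.254.1.2 dport=23
2018-07-10T09:13:44 proto=tcp src=192.168.1.77 dst=192.168.1.2 dport=22
2018-07-10T09:14:02 proto=udp src=192.168.1.50 dst=8.8.8.8 dport=53
malformed line that the parser must skip
2018-07-10T09:15:19 proto=tcp src=169.254.1.9 dst=169.254.1.2 dport=23
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Link-local network the Quantenna management OS answers on (from the advisory).
QUANTENNA_NET = ipaddress.ip_network("169.254.1.0/24")
# LAN address of the modem's main OS, as used in the advisory's ssh example.
MODEM_LAN_IP = ipaddress.ip_address("192.168.1.2")


def classify_flow(proto, dst, dport):
    """Label a flow that reaches an exposed management service, else None."""
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if proto == "tcp" and dst_ip in QUANTENNA_NET and dport == 23:
        return "quantenna-telnet"  # root telnet, no password prompted
    if dst_ip in QUANTENNA_NET:
        return "quantenna-other"  # link-local traffic that has no place on a managed LAN
    if proto == "tcp" and dst_ip == MODEM_LAN_IP and dport == 22:
        return "modem-ssh"  # dropbear only listens after it is started from a root shell
    return None


def detect_management_access(log_text):
    """Parse flow records and return those touching the SSH or telnet services."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting the whole run
        label = classify_flow(m["proto"], m["dst"], int(m["dport"]))
        if label:
            findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                             "dport": int(m["dport"]), "finding": label})
    return findings
```

Any hit on the sample data is worth an alert: ordinary LAN clients have no reason to talk to 169.254.1.0/24, and SSH on the modem should not be listening at all on the affected firmware.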
  